Change the Default Permissions of the Files Created by the Agent

The following files that the agent creates on UNIX have excessive world-writable permissions, which can conflict with auditing policies:
  • Temporary working shell scripts (Workload Automation AE only)
  • Standard output and standard error files
  • Job logs
  • Spool files
To customize the permissions of these files, we highly recommend that you add both of the following parameters to the agentparm.txt file:
  • oscomponent.defaultfile.permission
    Specifies the standard UNIX file permission in octal notation starting with 0. The four-digit octal code specifies the default file access permissions for the following files that the agent creates:
    • Temporary working shell scripts (Workload Automation AE only)
    • Standard output and standard error files
    • Job logs
    • Spool files
    Example:
     0600 (grants read and write permissions to the owner, but prevents anybody else from accessing the file)
    • If oscomponent.defaultfile.permission is not specified, all files the agent creates will have the same permissions as before 11.3 SP1 cumulative 4.
    • Temporary working shell scripts are granted execute permissions by the agent regardless of this parameter.
    • This parameter does not change the access permission of the spool directory (that is, drwxrwxrwt).
  • oscomponent.umask
    Provides support for the umask command, which turns off (disables) specific permissions that the oscomponent.defaultfile.permission parameter allows. The three-digit octal code sets the file mode creation mask (umask) for the following files that the agent creates:
    • Temporary working shell scripts (Workload Automation AE only)
    • Standard output and standard error files
    • Job logs
    • Spool files
    Example:
     066 (assuming the default file access permission is 666, this value turns off read and write permissions for the group and others)
    • If oscomponent.umask is not specified, the default umask of the user that started the agent is used for job logs, spool files, and wrapping scripts.
    • For standard output and error files, the default umask of the user that runs the job is used with an exception on AIX and HP-UX. On AIX and HP-UX, the default umask is only used if the umask is set in the user profile.
  • The oscomponent.defaultfile.permission parameter defines the baseline for file permissions. The umask value further restricts which permissions are allowed to determine the final file permission. The umask value can be set in the oscomponent.umask parameter, the user profile, the job profile, and other sources.
  • For job logs, spool files, and wrapping scripts, the agent determines the final file permission using the oscomponent.defaultfile.permission and oscomponent.umask parameters.
  • For standard output and error files, the agent determines the final file permission using the oscomponent.defaultfile.permission parameter and the umask value that takes precedence. For example, if you set the umask value in the user profile and job profile, the umask value in the job profile takes precedence. If the umask value is set to 022 in the user profile and 021 in the job profile, the final umask value is 021.
  • If you redirect the output of the command in an argument, these parameters do not apply and the file permission depends on the operating system. For example, if you specify the command as "/usr/bin/echo" and the argument as "TEST >> /tmp/TEST.OUTPUT.COMMAND", the file permission of TEST.OUTPUT.COMMAND is unspecified.
  • On Workload Automation AE, a 4030 completion code means that the agent could not read or write to the temporary wrapper script that it creates. To resolve the error, verify that the combination of the oscomponent.defaultfile.permission and oscomponent.umask parameters gives the owner at least read and write permission.
Example: Customize the Permissions of the Agent Working Files on Workload Automation ESP Edition
 
In this example, the following agent parameters are set:
oscomponent.umask=113
oscomponent.defaultfile.permission=0664
When the agent creates the following files, the permissions are set as indicated in parentheses:
  • Job logs (-rw-rw-r--)
  • Spool files (-rw-rw-r--)
If no user is specified in the job, the permission of the standard output and error files is -rw-rw-r--. If a user is specified in the job with a default umask of 022, the permission of the standard output and error files is -rw-r--r--.
Example: Customize the Permissions of the Agent Working Files on Workload Automation AE
 
In this example, the following agent parameters are set:
oscomponent.umask=066
oscomponent.defaultfile.permission=0600
oscomponent.noforceprofile=true
oscomponent.cmdprefix.force=true
oscomponent.profiles.src.delay=true
oscomponent.profiles.global.override=true
The job profile has a umask value of 111.
When the agent creates the following files, the permissions are set as indicated in parentheses:
  • Temporary working shell scripts (-rwx--x--x)
  • Standard output and standard error files (-rw-------)
  • Job logs (-rw-------)
  • Spool files (-rw-------)
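The baseline-and-mask rule behind both examples above can be checked before an agent is restarted. The following is an added example, not code from the product or its documentation: it parses an agentparm.txt fragment, computes the final mode, and flags results that are world-writable or that leave the owner without read and write access. The function names, the finding texts, the treatment of `#` lines as comments, and the `job_umask` argument (standing in for whichever umask takes precedence for standard output and error files) are assumptions.

```python
import stat

PERM_KEY = "oscomponent.defaultfile.permission"
UMASK_KEY = "oscomponent.umask"

# Constructed agentparm.txt fragment; the values are the ones from the ESP example.
SAMPLE = "oscomponent.umask=113\noscomponent.defaultfile.permission=0664\n"


def parse_params(text):
    """Collect key=value pairs; skipping '#' lines is an assumption about the file format."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def final_mode(default_perm, umask):
    """Baseline permission with the umask bits turned off (both octal strings)."""
    return int(default_perm, 8) & ~int(umask, 8) & 0o777


def mode_string(mode):
    """Render a mode the way ls -l shows a regular file, e.g. -rw-rw-r--."""
    return stat.filemode(stat.S_IFREG | mode)


def audit(text, job_umask=None):
    """Return (mode string, findings) for agent files; job_umask models the
    umask that takes precedence for standard output and error files."""
    params = parse_params(text)
    findings = [f"{key} not set" for key in (PERM_KEY, UMASK_KEY) if key not in params]
    if findings:
        return None, findings
    mode = final_mode(params[PERM_KEY], job_umask or params[UMASK_KEY])
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & 0o600 != 0o600:
        findings.append("owner lacks read/write (4030 risk on AE)")
    return mode_string(mode), findings


if __name__ == "__main__":
    print(audit(SAMPLE))                    # job logs, spool files
    print(audit(SAMPLE, job_umask="022"))   # stdout/stderr, job user umask 022
```

The check does not model the execute bits that the agent adds to temporary working shell scripts, and it does not apply to files created by redirection inside a command argument.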