VM:Secure supports the following POSIX objects in the CP object directory:
POSIX user ID. An integer that represents the VM user ID to the POSIX system.
POSIX group ID. An integer that represents the POSIX group in which the VM userid is a member.
gname is a character string that represents a GID. Many names can represent the same GID.
POSIX supplementary group name list. A list of GIDs and GNAMEs to which the POSIX userid is eligible to be a member.
POSIX file system root, initial program (shell), and initial working directory
Various POSIX configuration items.
Maintaining POSIX Group Names and Group IDs
VM:Secure keeps POSIX group information in the VMSECURE POSIX file on the DRCT minidisk. This file enables you to use VM:Secure to define new POSIX groups, and to make changes to existing POSIX groups. You use this file to define POSIX groups instead of specifying POSIXGROUP statements in the USER DIRECT file.
To work with POSIX group names, use the ADMIN POSIX command. This command opens the VMSECURE POSIX file in XEDIT.
You must have at least ADMIN POSIX authorization to use the ADMIN POSIX command. For information about the VMSECURE POSIX file and the format of the POSIXGROUP statement, see
To define a new POSIX group, enter the following:
The VMSECURE POSIX file opens in XEDIT. To add the new POSIX group named FINANCE with a GID of 002, add the following statement:
POSIXGROUP FINANCE 002
Save and exit the file.
POSIX Information in a Directory Entry or Profile
VM:Secure supports the following POSIX-related directory control statements, introduced as part of VM/ESA Release 2.1.0. You can use these statements in directory entries and in directory profiles:
POSIXINFO. Specifies a user’s POSIX information: the user ID (UID), group ID (GID/GNAME), initial working directory (IWDIR), initial user program (IUPGM), and file system root (FSROOT).
POSIXGLIST. Lists the names of the POSIX groups of which the user is a member. Groups can be specified by either GID or GNAME.
POSIXOPT. Specifies a user’s POSIX options.
Querying and Changing POSIX Information
To query or change the POSIX information in a directory entry, use the VM:Secure EDIT, EDX, REPENTRY, or GETENTRY commands.
For syntax and usage information for the POSIXINFO, POSIXGLIST, and POSIXOPT directory control statements, see IBM’s CP Planning and Administrators guide for your release of VM.
The VMSECURE POSIX file, which resides on the VM:Secure DRCT minidisk, contains the POSIX group definitions. Use this file, instead of the USER DIRECT file, to define POSIX groups.
Each record in the VMSECURE POSIX file identifies a POSIX group.
For information about the format of the POSIXGROUP record, see IBM’s Planning and Administration guide.
The VMSECURE POSIX file can also contain comments, blank lines, and the *ED= special comment.
You can include an edit special comment (*ED=) in the
VM:Secure maintains this comment with the date and time of last update of the VMSECURE POSIX file, the userid that last updated the file, the process used to update the file, and the date the file was first updated.
VMSECURE POSIX file as part of its initialization process. If it encounters an invalid POSIXGROUP statement, it sends a diagnostic message to the VM:Secure console and to the VM:Secure system operator. This operator is a userid you specify on the SYSOPER record in the PRODUCT CONFIG file.
VM:Secure validates all GIDs and GNAMEs in the source directory against those defined in the VMSECURE POSIX file. If VM:Secure encounters a GID or GNAME that is not defined, initialization is terminated with the appropriate error messages.
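The two checks described above (invalid POSIXGROUP statements, and GIDs or GNAMEs that are referenced but not defined) can be rehearsed offline before a change is saved. The following Python sketch is an added example, not part of the original page and not VM:Secure code. The function names, the sample data, the case-sensitive GNAME comparison, and the rule that one GNAME may not map to two GIDs are assumptions.

```python
# Added example: offline pre-check of VMSECURE POSIX content (not VM:Secure code).
# Assumptions: record layout "POSIXGROUP gname gid" as in the sample file; GNAMEs
# compare case-sensitively; one GNAME mapped to two different GIDs is an error.

SAMPLE = """\
*ED=
* POSIX GROUPS FOR THE XYZ DIVISION
POSIXGROUP Admin 101
POSIXGROUP FINANCE 102
POSIXGROUP Finance2 102
POSIXGROUP Sales 1O4
POSIXGROUP TechPubs
POSIXGROUP Admin 201
"""  # constructed sample: lines 6-8 are deliberately invalid


def parse_posix_groups(text):
    """Return (groups, errors): groups maps GNAME -> GID, errors is [(lineno, reason)]."""
    groups, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line, comment, or *ED= special comment
            continue
        fields = line.split()
        if fields[0].upper() != "POSIXGROUP":
            errors.append((lineno, "not a POSIXGROUP statement"))
        elif len(fields) != 3:
            errors.append((lineno, "expected: POSIXGROUP gname gid"))
        elif not (fields[2].isascii() and fields[2].isdigit()):
            errors.append((lineno, f"GID {fields[2]!r} is not an integer"))
        elif groups.get(fields[1], int(fields[2])) != int(fields[2]):
            errors.append((lineno, f"GNAME {fields[1]!r} already maps to GID {groups[fields[1]]}"))
        else:
            groups[fields[1]] = int(fields[2])  # several GNAMEs may share one GID
    return groups, errors


def undefined_references(groups, gids=(), gnames=()):
    """List the GIDs/GNAMEs used by directory entries that no POSIXGROUP record defines."""
    defined_gids = set(groups.values())
    missing = [("GID", g) for g in gids if g not in defined_gids]
    missing += [("GNAME", n) for n in gnames if n not in groups]
    return missing


if __name__ == "__main__":
    groups, errors = parse_posix_groups(SAMPLE)
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
    # References as they might be collected from directory entries (constructed values).
    print(undefined_references(groups, gids=[101, 104], gnames=["FINANCE", "Sales"]))
```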
VMSECURE POSIX file when running on z/VM systems that do not support it.
You can edit the VMSECURE POSIX file while VM:Secure is running by using the ADMIN POSIX command. To use the POSIX parameter, you must have at least ADMIN POSIX authorization through a GRANT record in the AUTHORIZ CONFIG file. You can also use the ADMIN, ADMIN *, or ADMIN *ALL authorizations to provide the necessary level of security.
The following figure is a sample VMSECURE POSIX file that shows the GNAME in the second column and the GID in the third column, as follows:
*ED=
* POSIX GROUPS FOR THE XYZ DIVISION
POSIXGROUP Admin 101
POSIXGROUP FINANCE 102
POSIXGROUP MARKETING 103
POSIXGROUP Sales 104
POSIXGROUP TechPubs 105
* POSIX GROUPS FOR THE ACM DIVISION
POSIXGROUP AdminA 201
POSIXGROUP AdminB 202
POSIXGROUP ENGI 203
POSIXGROUP TCOM 204