Permissions

QM uses the underlying operating system to manage processes, files, devices, etc. Therefore, all issues of access permissions ultimately lie with the operating system. This section gives some guidance on setting permissions within a QM system but individual application needs should be taken into account.

 

As an aid to establishing good security policies on Linux and Unix systems, the CREATE.FILE and CREATE.ACCOUNT commands include options to set the ownership and permissions of the newly created item.

 

 

The QMSYS Account

 

The only users who should be working in the QMSYS account are system administrators. It is reasonable that these people should have write access to QMSYS. No other user ever needs to create a new item in the QMSYS directory itself. Therefore the directory can be protected so that only administrators can write to it.

 

System administrators need write access to all items in the QMSYS account. The following table sets out the additional access rights needed for other users.

 



| Item | Description | Developers | Others |
|---|---|---|---|
| $FORMS | Form queue definitions created with SET.QUEUE for use with SP.ASSIGN. | Full | Full |
| $HOLD | Hold file for QMSYS account | None | None |
| $HOLD.DIC | Dictionary for $HOLD | None | None |
| $IPC | Inter-process communication file | Full | Full |
| $LOGINS | User name database | Full | Full |
| $MAP | Catalogue map | Full (note 1) | None |
| $MAP.DIC | Dictionary for $MAP | Read | Read |
| $SCREENS | Screens database | Read | Read |
| $SERVERS | QMNet server register | Read | Read |
| $SVLISTS | $SAVEDLISTS file | None | None |
| $VAULT | Encryption key vault | Read | Read |
| ACCOUNTS | Accounts database | Read (note 2) | Read (note 2) |
| ACCOUNTS.DIC | Dictionary for ACCOUNTS | Read | Read |
| audit.log | Encryption audit log | None | None |
| bin | Executable files | Read | Read |
| BP | Sample QMBasic items | Read | Read |
| cat | Private catalogue of QMSYS account | None | None |
| DICT.DIC | Dictionary for dictionaries | Read | Read |
| DIR_DICT | Dictionary for directory files | Read | Read |
| DOCS | Documentation (Windows only) | Read | Read |
| errlog | Optional error log file | Full (note 3) | Full (note 3) |
| ERRMSG | Pick style error message file | Read (note 4) | Read (note 4) |
| ERRMSG.DIC | Dictionary for ERRMSG | Read | Read |
| gcat | Global catalogue | Full | Read (note 5) |
| MESSAGES | Message database | Read | Read |
| NEWVOC | Template VOC file | Read | Read |
| qmconfig | Configuration parameter file | Read | Read |
| qmterm.ini | qmterm configuration parameters | Full | Full |
| QM.VOCLIB | VOC extension | Read | Read |
| stacks | Command stack repository | None | None |
| SYSCOM | System include records | Read | None |
| temp | Temporary directory | Full | Full |
| terminfo | Terminfo database | Read | Read |
| terminfo.src | Terminfo definitions | None | None |
| VOC | Vocabulary file | Read | Read |
| VOC.DIC | Dictionary for VOC | None | None |
| errlog | Error log | Full | Full |
| qm.chm | Help text (Windows only) | Read | Read |
| QMSvc.log | QMSvc log (Windows only) | None | None |

1. Write access to $MAP is only needed by users who execute the MAP command to create a catalogue map with the default destination file name.

2. Any user who is to be allowed to create new accounts will need write access to this file. Restricting write access on this file closes a potential security risk by preventing users creating synonyms to existing accounts that might subvert application level security mechanisms.

3. If error logging is enabled (see the ERRLOG configuration parameter), all users need full access to the optional errlog file. Any user that does not have write access will not log errors.

4. This file contains standard Pick style messages. Although rare, some applications may write to this file.

5. It is possible to restrict access to individual items in the gcat subdirectory. Users need read access (not execute access) to run a compiled QMBasic program.
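
One way to check a Linux or Unix installation against the "Others" column of the table is sketched below. This is an added example, not part of the QM documentation or the QM product. It assumes that "Others" corresponds to the operating system's "other" permission class; the function name audit_qmsys and the reason strings are hypothetical. It reports only access beyond what the table allows, and it descends into each listed item.

```python
import os
import stat
import sys

# "Others" column of the table above; rows marked Full are left unconstrained.
OTHERS_NONE = {"$HOLD", "$HOLD.DIC", "$MAP", "$SVLISTS", "audit.log", "cat",
               "stacks", "SYSCOM", "terminfo.src", "VOC.DIC", "QMSvc.log"}
OTHERS_READ = {"$MAP.DIC", "$SCREENS", "$SERVERS", "$VAULT", "ACCOUNTS",
               "ACCOUNTS.DIC", "bin", "BP", "DICT.DIC", "DIR_DICT", "DOCS",
               "ERRMSG", "ERRMSG.DIC", "gcat", "MESSAGES", "NEWVOC", "qmconfig",
               "QM.VOCLIB", "terminfo", "VOC", "qm.chm"}


def _tree(top):
    """Yield top and, when it is a directory, everything beneath it."""
    yield top
    if os.path.isdir(top) and not os.path.islink(top):
        for root, dirs, files in os.walk(top):
            for name in dirs + files:
                yield os.path.join(root, name)


def audit_qmsys(qmsys):
    """Return (path, octal mode, reason) for each item with excess 'other' access."""
    findings = []
    # Only administrators create items in QMSYS itself, so it must not be world-writable.
    top_mode = stat.S_IMODE(os.lstat(qmsys).st_mode)
    if top_mode & stat.S_IWOTH:
        findings.append((qmsys, oct(top_mode), "QMSYS directory is world-writable"))
    for name in sorted(OTHERS_NONE | OTHERS_READ):
        item = os.path.join(qmsys, name)
        if not os.path.lexists(item):
            continue  # not every item exists on every platform
        for path in _tree(item):
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes carry no meaning on Linux
            mode = stat.S_IMODE(st.st_mode)
            if name in OTHERS_NONE and mode & stat.S_IRWXO:
                findings.append((path, oct(mode), "table gives others no access"))
            elif name in OTHERS_READ and mode & stat.S_IWOTH:
                findings.append((path, oct(mode), "table gives others read only"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_qmsys.py <path to the QMSYS account directory>
    for path, mode, reason in audit_qmsys(sys.argv[1]):
        print(f"{mode:>6}  {path}  ({reason})")
```

An empty result means no listed item grants the "other" class more than the table allows; it does not confirm that users have the access they need.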

 

 

Application Accounts

 

In general, users should have free access to all files. Taking write access away on the VOC can be used to prevent users modifying its content but beware that some applications modify the VOC as part of their normal operation.

 

 

See also:

Application level security