FILE SECURITY: PROTECTION IN A HIGH-RISK ENVIRONMENT
                       by Eugene Volokh, VESOFT



   MPE  file security is an interesting  sort of thing. It is powerful
enough  to  cause a lot of confusion  -- what's the difference between
:ALTSEC,  :RELEASE,  and :SECURE? What do R, A,  W, L, X, ANY, AC, AL,
GU,  GL,  and CR mean? How do  file, group, and account security work?
Unfortunately,  it's  not  powerful enough to do  a lot of things that
you'd  very  much  like to do (such as  grant a particular access to a
particular  user  id).  If  it were only a little  bit less fancy or a
little bit more fancy, life would be a lot easier...


                 IN WHAT WAYS CAN YOU ACCESS A FILE?

   First, a little general discussion. From the file system's point of
view, there are five types of access you can have to a file:

   *  READ -- if you have READ access to a file, you can open the file
     and read data from it. Simple.

   *  APPEND -- if you have APPEND access  to a file, you can open the
     file  and  add records to it. You  can't read records (unless you
     also  have  READ  access)  or  overwrite  them or  purge the file
     (unless you also have WRITE access).

   *  WRITE  --  if you have WRITE access to  a file, you can open the
     file,  append  records  to  it, overwriting  existing records, or
     purge  the file; you can't read records unless you also have READ
     access.  Note  that if you have WRITE  access, you will always be
     allowed to :PURGE the file -- you can't grant a user write access
     and deny him purge access.

   *  LOCK  --  if  you  have  LOCK access to a  file, you can open it
     EXCLUSIVELY  and/or  open  it  shared  but  then  call  the FLOCK
     intrinsic.  Lock  access  doesn't explicitly imply  read or write
     (though  it would be pretty useless  if you didn't also have read
     or  write access to a file); note, however, that APPEND and WRITE
     access DO imply LOCK access -- if you have append/write access to
     a  file,  you can always open it  exclusively or FLOCK it even if
     you don't have lock access to it.

   *  EXECUTE -- if you have EXECUTE access to a program file, you can
     run  it; if you have EXECUTE access to a job stream file, you can
     :STREAM it. You don't need any other access to do these things --
     thus,  you may deny a user READ access to a program or job stream
     and still let him run it or :STREAM it.

   You  should remember these "access types" because they control what
you  may  or  may  not  do  with  file  security.  For instance,  as I
mentioned, the fact that there is no special "PURGE" access mode means
that  you can't allow writes but forbids :PURGEs; however, since there
IS  a  special  "APPEND" mode you can allow  appending to a file (e.g.
some sort of log file) but not allow overwriting.


                        WHO CAN ACCESS A FILE?

   Now  that  we've discussed HOW a file  may be accessed, we must ask
WHO  it  can be accessed by. Say that  you've built a file and want to
grant READ and APPEND access to certain people -- how do you do this?

   Well,  for  every  type  of access (Read,  Append, Write, Lock, and
Execute,  abbreviated  R,  A,  W, L, and X), you  may specify a set of
"user  class  specifiers".  You  may  say  that the  particular access
involved is allowed to:

   * ANY, meaning any user in the system;

   * AC, meaning any user in the account in which the file resides;

   *  GU, meaning any user who signs on to the group in which the file
         resides;

   * CR, meaning only the user who created the file;

   *  AL, meaning any user with AL ("Account Librarian") capability in
         the account in which the file resides;

   *  GL, meaning any user with  GL ("Group Librarian") capability who
         signs on to the group in which the file resides;

   * Any combination of the above;

   * None of the above, in which case access is allowed only to a user
     with  SM  (System Manager) capability or  a user with AM (Account
     Manager)  capability in the file's account.  An SM or AM user can
     ALWAYS do ANYTHING to a file.

   Thus, when you say

   :ALTSEC F;(R,A:ANY;W,L,X:CR)

you  mean  "anybody  can  Read  or Append to the  file F, but only the
file's  creator  can Write to it, Lock  it, or Execute it". Similarly,
when you say:

   :ALTSEC F;(X:AC;R,L:AL;W,A:GU)

you mean "anybody in the account can Execute the file, only users with
AL  capability  can  Read it or Lock it,  and only users in the file's
group can Write to it or Append to it".


         FILE, GROUP, AND ACCOUNT SECURITY -- THE TRIPLE WALL

   So, thus far we've discussed HOW a file may be accessed and WHO you
can allow to access it. Note that one thing conspicuously missing from
our  discussion is the ability to say  "user JOE can read the file and
user  JOHN  can  write  to  it". This is because  MPE provides no such
ability. Unless you can arrange the right capabilities (SM, AM, AL, or
GL) for the right users, you can't really control access by individual
user id.

   One  other important fact, however (which substantially changes the
implications  of  what  we've talked about), has  to do with GROUP and
ACCOUNT security. Just as you can restrict R, A, W, L, and X access on
an  individual file, you can also restrict  it on a group (which means
that  the restriction applies to all the  files in the group) or on an
account  (which means that the restriction applies to all the files in
the  account). In order to access a file, a user must satisfy the file
restrictions  AND the group restrictions AND the account restrictions.
For instance, say that we say:

   :ALTACCT PROD;ACCESS=       (R,X:ANY; W,A,L:AC)
   :ALTGROUP DATA.PROD;ACCESS= (R:ANY; X:AC; A:GU,AL; W:GU; L:CR)
   :ALTSEC F.DATA.PROD;ACCESS= (R:CR; X:ANY; A:AC; W:CR,GU; L:AL)

What  are the true access restrictions on F.DATA.PROD? We must COMBINE
-- "AND" together -- all three sets of restrictions:

   Access          Account   Group     File           Total
   R               ANY       ANY       CR             CR
   A               AC        GU or AL  AC             GU or AL
   W               AC        GU        CR or GU       GU
   L               AC        CR        AL             CR
   X               ANY       AC        ANY            AC

   As  you see, the resultant access  rights are as restrictive as the
account,  group,  and  file  access  rights put  together. Even though
account  and  group  security  allows  anybody to read  the file, file
security  allows  only  the CReator to read  it -- therefore, only the
creator may read it; even though account and file security let anybody
execute  the file, group security allows only ACcount users to execute
it -- therefore, only users in the PROD account can execute it.

   Now, we have the theory down; let's have a look at the practice. By
default,   all   accounts   (except   the  SYS)  account  have  access
restrictions of

   (R, A, W, X, L: AC)

In other words, by default NOBODY outside an account can access a file
in  the account, EVEN IF FILE  AND GROUP SECURITY ALLOW IT! Similarly,
all  groups (except PUB groups in  any account) by default have access
restrictions of

   (R, A, W, X, L: GU)

Thus,  NOBODY outside a group can access  a file in the group, EVEN IF
FILE  AND  ACCOUNT SECURITY ALLOW IT! On  the other hand, default file
security is

   (R, A, W, X, L: ANY)

Access  is allowed to anybody in the system who can pass the group and
account  restrictions,  but as we just  saw, with default restrictions
this means that only a user in the file's group can access the file in
any way!

   You  can  see the serious problems that  this causes. Say that I am
JOHN.PROD  and  I  want to let MARY.DEV read  my file. First of all, I
can't  just  allow  MARY.DEV read it (since  access rights can only be
given  to classes of users, such as  ANY, not to individual user ids).
However,  say  that  I'm  willing to let everybody  read the file -- I
still can't do this! For MARY.DEV to read my file, she must be able to
pass  file security (which is easy, since by default it is R:ANY), but
also group and account security, which by default prohibit any access!
To let MARY.DEV read my file, I have to:

   *  Go to my account manager and ask him to grant Read access to ANY
     on the group in which the file resides;

   *  Go to my system manager and ask  him to grant Read access to ANY
     on the account in which the file resides;

Now, after I've gotten two other people involved in this, ALL files in
the  group  in  question are readable by  ANYBODY (unless I explicitly
:ALTSEC all those files to lower their file security, which [even with
MPEX]  may  be a cumbersome task). I've had  to spend a lot of effort,
and  in  the  bargain  have waived security on a  lot more than what I
wanted to waive it on.

   Thus, we see several problems with file security:

   *  You  can't  grant  access  to an individual user  id, only to an
     entire class of users.

   *  Default  group  and account security is  such that a normal user
     must intervene with his Account Manager AND his System Manager to
     let people access one of his files.

   *  In the process of granting access to  a file, the AM and SM must
     lower  security  on  the  account  and  the  group,  THUS WAIVING
     SECURITY ON ALL THE FILES IN THE GROUP.

   *  Finally  (one  thing  we  hadn't  mentioned  before), file-level
     security  (implemented  using  :ALTSEC) is very  hard to maintain
     since whenever you /KEEP the file in EDITOR, the file security is
     RESET  to  (R,A,W,L,X:ANY)!  Thus,  if  you leave  your group and
     account  security open and rely on :ALTSEC to protect your files,
     you  must  make  sure that EVERY TIME YOU  DO AN EDITOR /KEEP (or
     re-build  the  file  in  any  other way), YOU  REPEAT THE :ALTSEC
     COMMAND. If you don't, you'll leave the file wide open.


  :RELEASEing FILES -- WHY IT'S BAD, WHY PEOPLE DO IT, WHEN IT'S OK

   Therefore,  on the one hand we have  far too much security -- group
and account security gets in the way. On the other hand, we don't have
enough  security,  since once we waive  group and account security, we
leave  ourselves  wide open. To avoid  these problems, HP invented the
:RELEASE  and  :SECURE  commands,  but  these  have  very  substantial
problems all their own.

   Simply put, :RELEASEing a file allows ANYBODY to do ANYTHING to the
file. ANY USER ON THE SYSTEM can READ the file, WRITE to it, APPEND to
it,  LOCK it, EXECUTE it, PURGE it,  do whatever he pleases to it. The
advantage  of  this  is  you  can let MARY.DEV  read your file without
having  to  change  group/account security (since  :RELEASE waives ALL
security, file, group, and account); the disadvantage is that not only
can  MARY.DEV read it, but she can also  modify it or purge it, AS CAN
EVERYBODY ELSE IN THE SYSTEM. Again, you either have too much security
(nobody   can   do  anything)  or  far  too  much  (everybody  can  do
everything).

   Unfortunately,  the dangers of :RELEASE go way beyond the danger to
the  now-unsecured  file.  In particular, if you  have A GROUP WITH PM
CAPABILITY and you :RELEASE a PROGRAM FILE that resides in that group,
then  an ordinary, plain vanilla user  can OBTAIN SM OR AM CAPABILITY.
Naturally,  I won't explain exactly how he'll do this, but trust me --
:RELEASEing  program  files in groups with  PM capability (the program
itself need not necessarily have PM) is A VERY BAD IDEA. We suggest to
our MPEX users that every night they execute the command

   :RUN MPEX.PUB.VESOFT
   %SECURE @.@.@ (CODE="PROG" and ISRELEASED and GPMCAP=ON)

which will find all the program files (CODE="PROG") that are :RELEASEd
(SECURITY=OFF) and reside in privileged groups (GPMCAP=ON) and :SECURE
them.  If  you don't do this -- if you  let such files to stay on your
system -- you can be extremely vulnerable to break-ins.

   I  personally  think  that virtually every :RELEASE  is a bad idea,
since  it's very rare that you really  want to let ANYBODY do ANYTHING
to a file. What you ought to do instead is organize your file security
in  such  a  way  that  it's  easy  for  people  to  selectively grant
appropriate  access  to other people -- this  isn't very simple to do,
but  I'll give a fairly straightforward recipe shortly. The only other
thing  that ought to be said about :RELEASE is that IT'S OK TO RELEASE
DATABASES  (using DBUTIL or MPEX).  Since databases are protected from
normal  file  system  access by their PRIV  file code, and since IMAGE
security  implements an additional layer of  security on top of normal
file  system security, you can afford  to release them. That way, file
security  will  be  entirely  bypassed and the user  will only have to
specify the right IMAGE password to be able to access the database.


         STRUCTURING YOUR SYSTEM SECURITY TO AVOID :RELEASEs

   We've  established  that :RELEASEing files is  generally not a good
thing  to do. Unfortunately, with a default security set-up, :RELEASEs
are often necessary (the only other alternative being to get BOTH your
account  manager  AND your system manager  involved, and then risk the
security  of other files by changing  group and account security). The
only  way  you  can  really  avoid  :RELEASEs is by  making easier the
legitimate  things that people may want to do -- allow other people to
read and/or write their files.

   The   first   step  is  to  :ALTACCT  ALL  YOUR  ACCOUNTS  TO  HAVE
(R,A,W,L,X:ANY).  Is  this  a  safe  thing  to do?  Yes, because group
security  (by default (R,A,W,L,X:GU)) can protect your files perfectly
well.  The  only  thing  you might be concerned  about is that default
security  for  PUB groups is  (R,X:ANY;A,W,L,S:AL,GU); thus, the above
:ALTACCT  read and execute files in  your PUB groups. This is probably
not  a problem (that's usually what PUB groups are for), but if it is,
you  can just :ALTGROUP your PUB group to deny R or X access (or BOTH)
to non-AC users.

   Now  that  your  account  security is waived,  you can control file
security by groups. I recommend that you build a group in each account
called READANY:

   :NEWGROUP READANY;(R,X:ANY;W,A,L:CR)

As  you see, anybody can Read or Execute files in this group, but only
the  file's  creator can modify them. Say  that I want to let MARY.DEV
read that file of mine -- all I need to do is say:

   :RENAME MYFILE.EUGENE, MYFILE.READANY

Now Mary can read MYFILE but she can't modify it (since the file has W
access allowed only to me, the file's creator). Alternatively, I might
decide  that  anybody should be able to read  all of my files -- I can
then  just  go  to  my account manager and ask  him to change my group
security,  without  having to get the  system manager involved. Then I
could,  if  I  want  to,  further  control  my file  security by using
:ALTSECs,  but it's unlikely that I  will, since file security gets so
easily  lost every time a file is re-built (e.g. in an EDITOR /KEEP or
a re-:PREP of a program file).

   Further, if you care about security within accounts, you might well
have a group called READAC:

   :NEWGROUP READAC;(R,X:AC;W,A,L:CR)

Any  file  that I want to "show" to  some other user in my account can
just  be moved to the READAC group --  it will then be readable to all
account  users,  but  to  no  users  (except  those with  SM) in other
accounts.

Go to Adager's index of technical papers