Server security database

The security database consists of two Sculptor keyed files, located in the directory $SCULPTOR/security.

The user file stores the name, password and unique ID of each user.

The resource file stores the access permissions for user and resource combinations.

In order to ensure backward compatibility, a security database that allows users unrestricted access is supplied as the default. The user file is empty, while the resource file contains a single record giving all users all permissions for all resources. To implement secure server operations, delete this record and add specific entries as required.


The user file

Since Sculptor version 6.1.0, a new hash algorithm can be selected for storing the user passwords. See the HAD_ definitions in security.h. To accommodate the new hash algorithms and the longer encrypted password, a new user file format (version 2) has been created. The previous user file (version 1) can still be used, with the HAD_SHA0_SC algorithm forced; kfserver automatically detects which version of $SCULPTOR/security/user is in use.

user.d (Version 2)

Field          K/D   T&S   Description
UserId         Key   i4    The user’s identifying number. Must be greater than 1; the values 0 and 1 have special meanings.
UserName       Data  a32   Readable user name. This field is the key of the secondary index nameidx, and must be unique.
Algorithm      Data  i2    The HAD_ algorithm to be used on UserPassword.
UserPassword   Data  a64   The user password, which must be stored in encrypted form. The encrypt() function is supplied for this purpose.

The old user.d file does not have the Algorithm field and the UserPassword size is smaller:

user.d (Version 1)

Field          K/D   T&S   Description
UserId         Key   i4    The user’s identifying number. Must be greater than 1; the values 0 and 1 have special meanings.
UserName       Data  a16   Readable user name. This field is the key of the secondary index nameidx, and must be unique.
UserPassword   Data  a16   The user password, which must be stored in encrypted form. The encrypt() function is supplied for this purpose.

There are two types of user:

Authenticated User: a user who has logged in correctly, the user name and password having been checked and found to be correct. This type of user has a unique UserId, which is used to check the user’s rights to access Sculptor keyed files and sequential files, and to execute applications. The user file maintains a record for each authenticated user, storing their unique numeric UserId, their user name and encrypted password.

Unauthenticated User: A user who has not logged in, or who has failed the login process. The UserId for this type of user is always 0. The user can still access files and execute applications that have been allocated unrestricted access permission in the security database.


The resource file

resource.d

Field          K/D   T&S   Description
Resource       Key   a96   The resource name. Possible values are listed below under Resource names.
UserId         Key   i4    This can be the identifying number of a user stored in the user file, or can have one of the following special values:
                             0 - All users, whether authenticated or not.
                             1 - All authenticated users.
Access         Data  i4    The permissions for this resource and user ID. Any combination of permissions flags (prefix SEC_ACCESS_) may be used. These flags are described under Permissions.


Resource names

The Resource field in the resource file can have the following values:

“*:*”

All resources.

“*:filename”

A specific file or application program.

“*:dirpath/”

All files and application programs that reside in the directory specified and its subdirectory trees.

“app:*”

All application programs (exec).

“app:dirpath/”

All application programs that reside in the directory specified and its subdirectory trees.

“app:program”

The specified application program, wherever it is located. On Windows servers, specify the extension (.exe, .bat) or omit the extension to allow all. On a Unix server, specifying a “program” allows both “program” and “program.exe”.

“gen:*”

All generic file and directory operations (such as access, chmod, chown, fileinfo, mkdir, rmdir).

“gen:dirpath/”

All generic file and directory operations in the directory specified and its subdirectory trees.

“gen:filepath”

All generic file operations on the specified file or directory.

“seq:*”

All sequential files.

“seq:dirpath/”

All sequential files in the directory specified and its subdirectory trees.

“seq:filepath”

The specified sequential file.

“skf:*”

All Sculptor keyed files.

“skf:dirpath/”

All Sculptor keyed files in the directory specified and its subdirectory trees.

“skf:filepath”

The specified Sculptor keyed file.

“sql:*”

All tables in all schemas in all catalogs.

“sql:catalog.*”

All tables in all schemas in this catalog.

“sql:catalog.schema.*”

All tables in this catalog.schema.

“sql:catalog.schema.table”

The specified table only.

“sql:DEFAULT.*”

All tables in all schemas in the DEFAULT catalog.

“sql:DEFAULT.DEFAULT.*”

All tables in the DEFAULT schema in the DEFAULT catalog.

Since Sculptor version 6.0.1, the “sql” resource has been part of the Sculptor security database. By default, SQL has access to all files and runs in full update mode.

When sql security is active, the syntax to connect to a server in the SQL command line program is:

connect to <server_name> USER <username>/<password>

When a connection is made without a username, only resources defined for all users are available.

When connecting to the Sculptor ODBC driver, use the connection string attributes UID=<username> and PWD=<password>.

Terms such as “app”, “gen”, “skf” and “sql”, which precede the colon, are known as categories.

Terms such as “program” and “filepath”, which follow the colon, are known as sub-resources.

NOTES

  • For application execs, the first token in the command string is checked. “chmod mydir; myprog” will therefore verify chmod, not myprog. In cases such as these, the recommended method is to execute a batch file.


Permissions

These permissions flags are assigned, singly or in combination, to the Access field in the resource file.

SEC_ACCESS_NONE

Deny access to the specified resource. This flag cannot be combined with others.

SEC_ACCESS_READ

Allow read access to the specified resource - sequential files and Sculptor keyed files.

SEC_ACCESS_WRITE

Allow write access to the specified resource - sequential files and Sculptor keyed files.

SEC_ACCESS_CREATE

Allow create access to the specified resource - sequential files and Sculptor keyed files.

SEC_ACCESS_EXECUTE

Allow generic file operation or application execution.

If more than one flag is required, separate them with the | character, e.g.:

SEC_ACCESS_READ | SEC_ACCESS_WRITE
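The following is an added model, not Sculptor's or kfserver's own code, of how the Resource names and Permissions sections above fit together: it parses the | flag syntax (rejecting SEC_ACCESS_NONE in combination), matches the category:sub-resource patterns against a request, and resolves an Access mask for a UserId, contrasting the default all-access record with a constructed set of specific entries. The numeric flag values, the sample paths and UserId 42, and the precedence rule (longest matching resource wins, exact UserId over 1 over 0) are assumptions of this model; the page does not state them.

```python
import os

# Bit values are an ASSUMPTION of this model: the page names the SEC_ACCESS_
# flags but not their numeric values (those are defined in security.h).
FLAGS = {"SEC_ACCESS_NONE": 0, "SEC_ACCESS_READ": 1, "SEC_ACCESS_WRITE": 2,
         "SEC_ACCESS_CREATE": 4, "SEC_ACCESS_EXECUTE": 8}
ALL_USERS, AUTHENTICATED_USERS = 0, 1   # special UserId values in resource.d

def parse_access(spec):
    """'SEC_ACCESS_READ | SEC_ACCESS_WRITE' -> bitmask; NONE must stand alone."""
    names = [n.strip() for n in spec.split("|")]
    if "SEC_ACCESS_NONE" in names and len(names) > 1:
        raise ValueError("SEC_ACCESS_NONE cannot be combined with other flags")
    return sum(FLAGS[name] for name in set(names))   # KeyError for an unknown flag

def resource_matches(pattern, category, path):
    """Does a Resource value cover a request on (category app/gen/seq/skf, path)?"""
    pcat, _, sub = pattern.partition(":")
    if pcat not in ("*", category):
        return False
    if sub == "*":                            # "cat:*" covers the whole category
        return True
    if sub.endswith("/"):                     # "cat:dirpath/" covers the directory tree
        return path.startswith(sub)
    if category == "app" and "/" not in sub:  # "app:program", wherever it is located;
        base = os.path.basename(path)         # on Unix "program" also allows "program.exe"
        return base in (sub, sub + ".exe")
    return path == sub                        # exact file path

def effective_access(records, user_id, category, path):
    """Resolve the Access mask from (Resource, UserId, Access) records.
    PRECEDENCE IS AN ASSUMPTION of this model, not kfserver's documented rule:
    longest matching Resource wins; at equal length an exact-UserId record
    beats UserId 1 (authenticated), which beats UserId 0 (all users)."""
    best = (-1, -1, FLAGS["SEC_ACCESS_NONE"])    # no matching record: deny
    for resource, rid, access in records:
        applies = rid == user_id or rid == ALL_USERS or (rid == AUTHENTICATED_USERS and user_id > 1)
        if applies and resource_matches(resource, category, path):
            best = max(best, (len(resource), 2 if rid > 1 else rid, access))
    return best[2]

def allowed(records, user_id, category, path, flag):
    """True if the resolved mask includes flag (READ/WRITE/CREATE/EXECUTE)."""
    return flag != "SEC_ACCESS_NONE" and effective_access(records, user_id, category, path) & FLAGS[flag] != 0

# Constructed sample databases: the default all-access record described on the page,
# and a replacement with specific entries (paths and UserId 42 are made-up values).
DEFAULT_DB = [("*:*", ALL_USERS, parse_access("SEC_ACCESS_READ | SEC_ACCESS_WRITE | SEC_ACCESS_CREATE | SEC_ACCESS_EXECUTE"))]
SECURE_DB = [("skf:/data/", AUTHENTICATED_USERS, parse_access("SEC_ACCESS_READ")),
             ("skf:/data/payroll.k", AUTHENTICATED_USERS, parse_access("SEC_ACCESS_NONE")),
             ("skf:/data/payroll.k", 42, parse_access("SEC_ACCESS_READ | SEC_ACCESS_WRITE")),
             ("app:report", ALL_USERS, parse_access("SEC_ACCESS_EXECUTE"))]
```

With SECURE_DB, an unauthenticated request on a keyed file resolves to no permissions, the explicit SEC_ACCESS_NONE entry on payroll.k overrides the broader read grant for ordinary authenticated users, and only UserId 42 can write to it.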


RELATED TOPICS

Servers

Server security features

Server security functions

Checking permissions