Securing the Products

This section describes how to obtain the most protection on UNIX systems when installing and executing Optim™.

Installation

UNIX file permissions grant or deny read, write, and execute access separately to the owning user, to members of the owning group, and to all other users. Thus, to “fence” Optim so that only one group of accounts can run it, an administrator might:

Under this scenario, the typical default file creation mask (umask) allows only the owner to write to the installation directory, its subdirectories, and the files within them, while accounts in the group can execute Optim and can write to the temp and data subdirectories that hold the output of processing. Creating the installation directory within the owner's home directory prevents accounts outside the group from executing Optim, provided the home directory itself denies access to other users.

An alternative way to keep users outside the group from executing the software is to remove all permissions for other users from the installation directory with the chmod command:

chmod o-rwx <install-directory>

Removing search (execute) permission on the installation directory itself blocks access to everything beneath it, whatever the permissions of the subdirectories and files, so the command does not need to be recursive to be effective.
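The fenced layout the text describes, as an added example that is not from the Optim documentation or product: a POSIX shell script that creates the installation tree under a restrictive umask, gives group members execute access to the tree but write access only to the temp and data subdirectories, applies the chmod o-rwx fence to every entry, and then verifies that nothing is reachable by other users. The subdirectory names bin, temp and data and the group passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Optim's own code): lay out a "fenced" Optim installation.
# Assumed layout: <install-dir>/bin (executables), <install-dir>/temp and
# <install-dir>/data (per-process output). Group name is the caller's choice.

# fence_optim_install DIR GROUP: create DIR owned by the caller and GROUP.
fence_optim_install() {
    dir=$1; group=$2
    # umask 027: new entries get no permissions for "others" and no group write,
    # the typical default the text relies on.
    (umask 027 && mkdir -p "$dir/bin" "$dir/temp" "$dir/data") || return 1
    chgrp -R "$group" "$dir" || return 1
    # Install tree: owner rwx, group r-x, others nothing. Group members can
    # run Optim but cannot modify it.
    chmod 750 "$dir" "$dir/bin" || return 1
    # temp and data receive output from processes run by group members, so
    # they need group write; setgid keeps new files in the Optim group.
    chmod 2770 "$dir/temp" "$dir/data" || return 1
    # The text's "chmod o-rwx <install-directory>", applied to the whole tree.
    chmod -R o-rwx "$dir"
}

# perm_bits PATH: octal permission bits (GNU stat, BSD stat as fallback).
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_fence DIR: succeed only if nothing under DIR is readable, writable or
# searchable by others, and temp and data are writable by the group.
check_fence() {
    dir=$1
    if find "$dir" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) | grep -q .; then
        return 1
    fi
    for sub in temp data; do
        case "$(perm_bits "$dir/$sub")" in
            2770|770) ;;        # group write present (setgid optional)
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage: sh fence.sh <install-dir> [group]   (group defaults to the caller's)
if [ $# -gt 0 ]; then
    fence_optim_install "$1" "${2:-$(id -gn)}" && check_fence "$1" && echo "fenced: $1"
fi
```

Run check_fence again after any upgrade or manual copy into the tree: a file copied in by an account with a permissive umask is the usual way the fence is silently broken.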

User Accounts

Before any processing occurs, you should establish all user accounts. If you change user accounts after processes have run, the ability of later processes to access files produced by earlier processing may be affected. For example, a Restore Process that recalls an Archive File from Centera or NetWorker runs under the user ID in effect both when the file is recalled from the backup device and when the recalled file is deleted from disk after the specified retention period; if that account has changed in the meantime, the second step may no longer have access to the file. Use the following information to help determine which user IDs to specify for each parameter.

The user account under which the pr0svce daemon is started (that is, the account that is logged on when pr0svce is started) must have write access to the Optim temporary directory and read access to pstserv.cfg.

As you establish additional user accounts, keep in mind the following parameter settings in the configuration files, which affect the credentials under which the pr0svce daemon runs, as well as the credentials presented to run a process and to access files during a process.

filelogon
The filelogon parameter indicates the source of the credentials for processes.

Unless you override the normal umask behavior using the filemode configuration parameter, output files (Extract Files, Archive Files, Control Files) inherit the standard file privileges of the processing user account.

Thus, if you use the filelogon client parameter, each process runs under its own account: it may be unable to access files created under a different user account and can open files only as the file permissions allow, including files on network-mounted file systems.

If, however, you use the filelogon local parameter or the filelogon server userid password parameter, every process runs under the same account, so any process can access a file created by any other process, and every directory a process writes to must be writable by that processing user account.

Valid settings are:

local
The process runs under the user account used to start the pr0svce daemon.
client
The process runs under the user account specified on the Personal Options Server tab for the initiating Windows client or the overriding server credentials specified in pstlocal.cfg.
server userid password
The process runs under the credentials provided with the server parameter.
Note: The client or server settings require root authorization for the user account used to start the pr0svce daemon; a local setting does not.
tivoliavail userid password
The tivoliavail parameter provides the credentials for physical access to the Tivoli® resources. The filelogon parameter establishes credentials presented for access to the Archive Files managed by Tivoli.
Valid settings are:
1
Present the credentials used to start the pr0svce daemon for physical access to Tivoli resources.
0
Do not use Tivoli resources.
Note: A 1 userid password setting requires root authorization for the user account used to start the pr0svce daemon.
webserver
The webserver parameter applies to Optim Amdocs CRM Solution only. For details, see your Tomcat documentation.
Valid settings are:
1
Present the credentials used to start the pr0svce daemon for webserver access to Archive Files.
0
Do not use webserver access.
Note: A 1 userid password setting requires root authorization for the user account used to start the pr0svce daemon.

When setting up user accounts and file permissions, note that both pr0svce and the user account running pr0svce must be able to access the file that keeps information about active daemons in order to perform an action against pr0svce (for example, to shut down or delete pr0svce). This file is maintained in the directory designated by the PSTINFO environment variable. (See RTSETENV Shell Script for more information regarding the PSTINFO environment variable.)

Execution

If the configuration file includes “filelogon local”, or tivoliavail or webserver parameters without explicit credentials, the process assumes the authority of the user account used to start pr0svce. Thus, if you start pr0svce as the root user, the request runs under root credentials; if you start pr0svce under a user account in the group, the request runs under the credentials of that user account.

Generally, you should avoid running pr0svce under root authority. However, as noted earlier, you must run the pr0svce daemon under root authority when certain parameters in pstserv.cfg or pstlocal.cfg (the configuration file) are set. The parameters and settings that require root authority are:

Before running a process for which one or more of these settings apply, pr0svce validates the incoming user account and password. The process is then run under the credentials supplied in the configuration file. If pr0svce must run under root authority, it is advisable to include the “filelogon server userid password” parameter (rather than “filelogon client” or “filelogon local”) together with the limitaccess parameter in the configuration file, so that processing does not run with root credentials and therefore with access to every file on the system.
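An added example, not part of the Optim product or its documentation: a POSIX shell audit to run over a pstserv.cfg (or pstlocal.cfg) before pr0svce is started, flagging the combinations this section warns about: settings that require root while the daemon would not start as root, a root daemon whose processes would run as root (filelogon local) or under client-chosen accounts (filelogon client), a root daemon without limitaccess, and a stored userid/password in a file readable by other users. It assumes the file holds one whitespace-separated parameter per line in the form the text shows (filelogon server userid password, tivoliavail 1 userid password); the value written after limitaccess in the sample is a placeholder, since its syntax is not given here, and both sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not Optim's own code. Audits a pstserv.cfg-style file for the
# root/credential combinations the text warns about. Assumed syntax (from the
# settings quoted in the text): one "parameter value [userid password]" per line.

# cfg_get FILE PARAM: print the value tokens of the first PARAM line (may be empty).
cfg_get() {
    awk -v p="$2" '$1 == p { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# cfg_has FILE PARAM: succeed if PARAM appears at all (used for limitaccess,
# whose value syntax is not covered here).
cfg_has() {
    awk -v p="$2" '$1 == p { found = 1 } END { exit !found }' "$1"
}

# root_required FILE: succeed when a setting in FILE requires pr0svce to be
# started as root (filelogon client/server, tivoliavail 1, webserver 1).
root_required() {
    case "$(cfg_get "$1" filelogon)" in client*|server*) return 0 ;; esac
    for p in tivoliavail webserver; do
        case "$(cfg_get "$1" "$p")" in 1*) return 0 ;; esac
    done
    return 1
}

# has_credentials FILE: succeed when a userid/password pair is stored in FILE.
has_credentials() {
    awk '($1 == "filelogon" || $1 == "tivoliavail" || $1 == "webserver") && NF > 2 { found = 1 }
         END { exit !found }' "$1"
}

# audit_cfg FILE DAEMON_USER: print one finding per line for the account that
# will start pr0svce; prints nothing when the combination is acceptable.
audit_cfg() {
    cfg=$1; user=$2
    mode=$(cfg_get "$cfg" filelogon); mode=${mode%% *}

    if root_required "$cfg"; then
        [ "$user" = root ] ||
            echo "ERROR: settings in $cfg require root, but pr0svce would start as $user"
    elif [ "$user" = root ]; then
        echo "WARN: nothing in $cfg needs root; start pr0svce as an unprivileged group member"
    fi

    if [ "$user" = root ]; then
        case "$mode" in
            local)  echo "WARN: filelogon local with a root daemon runs every process as root" ;;
            client) echo "WARN: filelogon client lets the initiating client choose the account; prefer filelogon server" ;;
        esac
        cfg_has "$cfg" limitaccess ||
            echo "WARN: limitaccess is not set; a root daemon can reach every file on the system"
    fi

    # The daemon needs read access to the file; nobody else should have it
    # when the file stores a password.
    if has_credentials "$cfg" && find "$cfg" -perm -o+r | grep -q .; then
        echo "WARN: $cfg stores a userid/password but is readable by others; chmod o-r it"
    fi
}

# write_samples DIR: constructed sample files for the demonstration.
write_samples() {
    cat > "$1/risky.cfg" <<'EOF'
filelogon local
tivoliavail 1 tsmuser tsmpass
webserver 0
EOF
    chmod 644 "$1/risky.cfg"        # world-readable, yet stores a password
    cat > "$1/safe.cfg" <<'EOF'
filelogon server optimsvc s3cret
tivoliavail 0
webserver 0
limitaccess <setting>
EOF
    chmod 600 "$1/safe.cfg"         # placeholder value above; see the Optim configuration reference
}

# Usage: sh audit.sh <cfg-file> [daemon-user]; with no arguments, audit the samples.
if [ $# -gt 0 ]; then
    audit_cfg "$1" "${2:-$(id -un)}"
else
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "== risky.cfg, daemon started as root"; audit_cfg "$tmp/risky.cfg" root
    echo "== safe.cfg, daemon started as root";  audit_cfg "$tmp/safe.cfg" root
    rm -rf "$tmp"
fi
```

The daemon user passed as the second argument should be the account that actually runs the startup script (for example the one in the init or cron entry), not the administrator doing the review; the two are easy to confuse and the findings differ.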
