Proper ownerships and permissions on the acuserve executable file, server configuration files, server access files, and existing data files and directories are essential to establishing a secure and functional AcuServer system.
Setting ownerships and permissions requires root privileges on UNIX systems. Use the commands chown, chgrp, and chmod to set ownerships and permissions. For details regarding UNIX file permission masks and the use of chown, chgrp, and chmod, see your UNIX operating system manuals.
UNIX ownerships and permissions must be assigned to key AcuServer files as specified in the following table.
FILE NAME | OWNER | PERMISSIONS |
---|---|---|
acuserve (executable file) | root | 755 |
AcuAccess (and server access files having other names) | root | 600 |
a_srvcfg (and server configuration files having other names) | root | 644 |
The permissions specified in the above table are the least restrictive (most permissive) settings allowed for each file; they are also the optimal permissions for most installations. More restrictive permissions may be assigned, though doing so could prevent some AcuServer users from using some AcuServer functions. For example, if the acuserve executable file were assigned permissions of 700, no user other than root could execute the acuserve -info command to generate a report of current AcuServer system status.
If the files named in the preceding table do not possess the specified ownerships and permissions (or more restrictive permissions), AcuServer will not start.
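The following shell script is an added example, not part of the AcuServer documentation, that checks the three files from the table above before attempting to start the server. It requires that the owner match exactly and that the mode grant no permission bit beyond the maximum in the table, so "equal or more restrictive" passes and anything looser (including a stray setuid bit) fails. It assumes GNU coreutils `stat` (Linux); the installation paths in `check_acuserver_files` are assumptions to be replaced with your own.

```shell
# Added example (not AcuServer's own code). Assumes GNU `stat -c`; on BSD or
# macOS substitute `stat -f '%Lp %Su'`.
#
# acuserver_file_ok <path> <required-owner> <max-mode-octal>
# Returns 0 when <path> exists, is owned by <required-owner> and its mode is
# equal to or more restrictive than <max-mode-octal>; returns 1 otherwise,
# with the reason on stderr.
acuserver_file_ok() {
    path=$1; want_owner=$2; max_mode=$3
    [ -e "$path" ] || { echo "$path: missing" >&2; return 1; }
    set -- $(stat -c '%a %U' "$path") || return 1
    mode=$1; owner=$2
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owner is $owner, must be $want_owner" >&2
        return 1
    fi
    # Acceptable only if the mode grants no bit the maximum does not:
    # (mode AND NOT max) must be zero. The leading 0 forces octal arithmetic.
    if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
        echo "$path: mode $mode is more permissive than $max_mode" >&2
        return 1
    fi
    return 0
}

# Apply the table above. The paths are assumptions; use your installation's
# actual locations for acuserve, AcuAccess and a_srvcfg.
check_acuserver_files() {
    rc=0
    acuserver_file_ok /usr/local/bin/acuserve root 755 || rc=1
    acuserver_file_ok /etc/AcuAccess          root 600 || rc=1
    acuserver_file_ok /etc/a_srvcfg           root 644 || rc=1
    return $rc
}

if check_acuserver_files; then
    echo "AcuServer file ownerships and permissions OK"
else
    echo "AcuServer will not start until the files above are corrected" >&2
fi
```

Because the check is a bitwise test rather than a numeric comparison, a mode such as 600 passes against a maximum of 644 while 664 fails, which matches the "specified or more restrictive" rule in the text.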
You must also set appropriate ownerships and permissions on existing data files and directories. Appropriate ownerships and permissions are those that allow file access to the individuals and groups that require access and that disallow access to all others. See your UNIX operating system documentation for a discussion of file permissions and file security.
When a client application makes its initial request to AcuServer for services, the requester is validated for permission to use AcuServer. If the requester is permitted to use AcuServer, a user name is assigned to the requester based on the Local Username field of the matching server access record. Files created for that requester by AcuServer get the user and group ownerships of the assigned Local Username. See AcuServer Connection Logic for more information.
The read and write permissions set on new files are determined by the umask specified in the matching server access record (because all files created are data files, execute permission is not applicable).
On UNIX servers, the umask is a variable having a three-digit octal value, similar to that used by chmod, but which describes the permissions that are not to be set on new files. The value of each digit, subtracted from seven, gives the corresponding chmod value. For instance, a umask of 002 corresponds to a chmod value of 775 (however, because execute permission is not applicable to data files, AcuServer actually sets the chmod value to 664). A umask of 002 grants read and write permissions to user and group, and read only permissions to other. Another common umask is 007, which sets read and write permissions for user and group, and no permissions for other. For more about umask, see your UNIX operating system documentation.
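As an added example (not from the AcuServer documentation), the shell functions below compute the mode a new data file receives from the umask in a server access record. Because data files get no execute permission, the starting mode is 666 and the umask bits are cleared from it, which is why a umask of 002 yields 664 rather than 775. The loop at the end tabulates several common umask values; nothing here reads or changes any real file or the shell's own umask.

```shell
# Added example, not AcuServer's own code.
# data_file_mode <umask> : print the three-digit octal mode of a new data file.
# Data files start from 666 (rw-rw-rw-); each umask bit removes that permission.
data_file_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# mode_to_rwx <octal-mode> : render a mode in ls-style rwx notation.
mode_to_rwx() {
    m=$(( 0$1 ))
    out=""
    for s in 6 3 0; do                  # user, group, other
        bits=$(( (m >> s) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# Common umask values and the data-file modes they produce.
for u in 002 007 022 027 077; do
    m=$(data_file_mode "$u")
    printf 'umask %s -> mode %s (%s)\n' "$u" "$m" "$(mode_to_rwx "$m")"
done
```

A umask of 007, the other value the text mentions, gives 660: read and write for user and group, nothing for other.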