Technical data

Each file system is a multilevel directory hierarchy: on OpenVMS systems, the
top level of the directory structure is the master file directory (MFD). The MFD
is always named [000000] and contains all the top-level directories and reserved
system files. On UNIX systems or with a container file system, the top-level
directory is called the root.
For information about container file systems and about selecting a file system,
refer to Chapter 2.

7.3.3 How the Server Grants Access to Users and Hosts

Once a disk on the OpenVMS system is mapped to a pathname, the MFD or any
directory below it can be exported. The server uses the following database files to
grant access to users on client hosts:
• The export database, TCPIP$EXPORT.DAT, is a collection of entries that
store information about the file systems you want to make available to users on
client hosts.
Each entry specifies a directory on the local system and one or more remote
hosts that are allowed to mount that directory. A user on a client host can
mount any directory at or below the export point, as long as OpenVMS allows
access to the directory. Exporting specific directories to specific hosts provides
more control than exporting the root of a file system (or the MFD in an
OpenVMS system) to all hosts.
• The proxy database, TCPIP$PROXY.DAT, is a collection of entries that
register the identities of users on client hosts. To access file systems on your
local server, remote users must have valid accounts on your OpenVMS host.
The proxy entries map each user’s remote identity to a corresponding identity
associated with each user’s OpenVMS account. When a user on the client host
initiates a file access request, the server checks the proxy database before
granting or denying the user access to the file.
These database files are created by TCPIP$CONFIG and can be shared by all
OpenVMS Cluster nodes running TCP/IP Services. To control access to these
database files, set the OpenVMS file protections accordingly. By default, world
access is denied.
For more information about how to create these database files on your server, refer
to the Compaq TCP/IP Services for OpenVMS Management guide.

7.3.4 How the Server Maps User Identities

Both OpenVMS and UNIX systems use identification codes as a general method
of resource protection and access control. Just as OpenVMS employs user names
and UICs for identification, UNIX identifies users with a user name and a user
identifier (UID) and one or more group identifiers (GIDs). Both UIDs and UICs
identify users on a system.
The proxy database contains entries for each user who accesses a file system on
your local server. Each entry contains the OpenVMS user name, the UID/GID pair
that identifies the user’s account on the client system, and the name of the client
host. This file is loaded into dynamic memory when the server starts.
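
The following added example (not code from this guide or from TCP/IP Services) models the export check from section 7.3.3 and the proxy lookup described above, plus an audit helper that flags over-broad exports. The record layout, host names, UID/GID values and function names are assumptions made for illustration.

```python
# Simplified model of the two database checks; not the TCP/IP Services code.
# All entries, host names and IDs below are constructed samples.
from typing import NamedTuple, Optional

class Export(NamedTuple):
    path: str          # exported directory (UNIX-style pathname)
    hosts: frozenset   # client hosts allowed to mount; "*" models "all hosts"

class Proxy(NamedTuple):
    vms_user: str      # OpenVMS account the remote identity maps to
    uid: int
    gid: int
    host: str          # client host the entry applies to

EXPORTS = [
    Export("/vmsdisk/projects", frozenset({"build1.example.com"})),
    Export("/", frozenset({"*"})),  # top level to all hosts: the broad case
]
PROXIES = [Proxy("SMITH", 1017, 20, "build1.example.com")]

def _at_or_below(path: str, export_point: str) -> bool:
    # Compare on a directory boundary so /a/b does not match /a/b-old.
    base = export_point.rstrip("/")
    return path == export_point or path.startswith(base + "/")

def may_mount(host: str, path: str, exports=EXPORTS) -> bool:
    """A host may mount any directory at or below an export point it is listed for."""
    return any(_at_or_below(path, e.path) and (host in e.hosts or "*" in e.hosts)
               for e in exports)

def map_identity(host: str, uid: int, gid: int, proxies=PROXIES) -> Optional[str]:
    """Return the OpenVMS user name for a remote UID/GID on a host, or None."""
    for p in proxies:
        if (p.host, p.uid, p.gid) == (host, uid, gid):
            return p.vms_user
    return None

def authorize(host, uid, gid, path, exports=EXPORTS, proxies=PROXIES) -> Optional[str]:
    """Both checks must pass; OpenVMS file protection still applies afterwards."""
    if not may_mount(host, path, exports):
        return None
    return map_identity(host, uid, gid, proxies)

def broad_exports(exports=EXPORTS):
    """Audit helper: entries that export the top level or admit every host."""
    return [e.path for e in exports if e.path == "/" or "*" in e.hosts]
```

With the broad "/" entry present, any host passes the export check and only the proxy lookup stands between it and the file system; dropping that entry restores per-host control.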
When a user on the OpenVMS client host requests access to a file, the client
searches its proxy database for an entry that maps the requester’s identity to
a corresponding UID/GID pair. (Proxy lookup is performed only on OpenVMS
servers; UNIX clients already know the user by its UID/GID pair.) If the client
finds a match, it sends a message to the server that contains the following:
7–4 Connectivity Services