compartments.4 (2010 09)
c
compartments(4) compartments(4)
permission nread file_object
where the values are defined as follows:
permission Sets the permissions allowed for processes in this compartment to access the
file_object in the way specified.
none Denies any access to the file_object for any process in this compartment. If
specified, none of the other possible arguments can be used.
all Indicates all permissions on file_object .
all is an alias for the expression
nsearch, read, write, unlink,
create.
nsearch Controls search access to the file_object . The rule has an effect only if file_object is
a directory. It allows processes in the compartment to perform lookup in the direc-
tory. This access control is not inherited. So even if a directory is searchable, any
directory underneath is not searchable unless explicitly allowed to.
nread Controls search and read access to the file_object . The rule has an effect only if
file_object is a directory. It allows processes in the compartment not only to lookup
in the directory but also to list contents of the directory. This permission includes
the above mentioned
nsearch permission also. This access control is not inher-
ited. So even if a directory is searchable and readable, any directory or file under-
neath is not searchable or readable unless explicitly allowed to.
read Controls read access to the file_object . If the file_object is a file,
read allows
processes in this compartment to open the file for reading. If the file_object is a
directory,
read allows processes in this compartment to list and search the con-
tents of this directory. This permission includes the above mentioned nsearch or
nread permission also. This access control is inherited, so any file or directory
under this file_object can be read or listed.
write Controls write access to the file_object . If the file_object is a file,
write allows
processes in this compartment to open the file for writing. This permission has no
direct effect if file_object represents a directory. There is still an indirect effect as
the access control is inherited, so any file under this file_object can be written to.
create Controls create access to the file_object . The rule has an effect only if file_object is a
directory. This access control is inherited, so processes in this compartment can
create file objects anywhere under the specified directory.
unlink Controls delete access to the file_object . The rule has an effect only if file_object is a
directory. This access control is inherited, so processes in this compartment can
delete file objects anywhere under the specified directory.
file_object Fully-qualified name of a file or directory. This name is restricted in the following
ways:
• The total length of the name of the file_object cannot exceed
MAXPATHLEN bytes.
• Each component in the file_object name cannot exceed
MAXNAMELEN bytes.
• There can be no more than 10 components in the file_object name. Because one
component must be the name of the file or directory, there can be no more than
nine preceding components. For example, the path
/a/b/c/d has four com-
ponents.
• The file_object is literal; that is, wild card characters such as asterisk (
*) cannot
be specified.
• The file_object has no special or space characters. All characters except
a-z, A-Z,
0-9, slash (/), dot (.), dash (-), underscore (_), and colon (:), must be entered
using the notation %xx where xx corresponds to the hexadecimal representation of
the character. See ascii (5) for translating an ASCII character to its hexadecimal
equivalent.
File system rules are based on the path name. One can specify rules for an object that do not yet exist.
In such a case, the rule becomes operational when an object with that name is created. If a file has two or
more names (for example, multiple hardlinks), and the two names have different rules for any compart-
ment,
vhardlinks command generates warnings. In order to successfully create a hard link (using
link()), the new name and the old name must have the same rules. As with discretionary access
2 Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010