HP-UX SNAplus2 R7 Installation Guide

Appendix B
Restricting User Access

Restricting Access to SNAplus2 Functions
SNAplus2 functions can be divided into two categories: system
administrator functions, such as the xsnapadmin program, and user
functions, such as the 3270 emulation program and the API libraries.
The default setup for SNAplus2 is that the user functions are accessible
to all users of the HP-UX system, and that the system administrator
functions are accessible only to a restricted group of users. The
SNAplus2 installation procedure requires that the system be initially set
up in this way. If you need a more restricted setup, create it after
the software has been installed. See the following section “Restricting
Access to SNAplus2 Functions” for more information.

The configure script invoked by the SD program automatically creates a
group (in the file /etc/group) named sna, and within that group, a login
named sna is also created. All users with the system administrator
privilege should be members of the sna group, but users who are not
required to have the system administrator privilege should not be
members.

The default access to SNAplus2 functions can be restricted in two ways:

1. Restrict all functions to a specific group of users.
   - Make all SNAplus2 users members of the sna group.
   - Change the permissions on all files to allow access by only owner
     and group, and not by others; for example, the 3270 emulation
     program should have permissions r-xr-x--- and not r-xr-xr-x.
2. Restrict system administrator functions to a single user.
   - Set up a single login (for example, sna), in the sna group, as the
     administrator login.
   - Make all files associated with system administrator functions
     (see the list below) owned by this login and not accessible by
     group or others.

In the following directories, these listed files should be restricted:

   Directory           File
   /opt/sna/bin        snapadmin
   /opt/sna/bin/X11    xsnapadmin
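
The two restricted setups above can be checked with a small POSIX sh script. This is an added example, not part of the HP guide or the SNAplus2 product; the function names and the fix argument are assumptions, and the paths are the ones listed above.

```sh
#!/bin/sh
# Added example: audit (or fix) the two restricted setups described above.
# Function names and the "fix" argument are assumptions of this example.

# Option 1: list regular files under $1 that grant any permission to
# "others"; with "fix" as $2, strip those bits (r-xr-xr-x -> r-xr-x---).
others_access() {
    root=$1; action=${2:-report}
    find "$root" -type f \( -perm -001 -o -perm -002 -o -perm -004 \) -print |
    while IFS= read -r f; do
        if [ "$action" = fix ]; then chmod o-rwx "$f"; else printf '%s\n' "$f"; fi
    done
}

# Option 2: one administrator file must be owned by login $2 and carry no
# group or other permission bits. Prints a finding; non-zero on failure.
admin_file_ok() {
    file=$1; owner=$2
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }
    ls -ld "$file" | {
        read -r mode links fowner rest
        perms=$(printf '%s' "$mode" | cut -c5-10)   # group + other triplets
        if [ "$fowner" = "$owner" ] && [ "$perms" = "------" ]; then
            echo "OK   $file"
        else
            echo "FAIL $file mode=$mode owner=$fowner"; false
        fi
    }
}

# Check both administrator programs listed in the guide, relative to $1.
admin_audit() {
    root=$1; owner=$2; rc=0
    for rel in bin/snapadmin bin/X11/xsnapadmin; do
        admin_file_ok "$root/$rel" "$owner" || rc=1
    done
    return $rc
}

# Usage: sh thisfile /opt/sna sna   (report only; nothing is changed)
if [ "$#" -ge 2 ]; then
    others_access "$1"
    admin_audit "$1" "$2"
fi
```

Run the report mode first; the fix mode only removes permissions for others and does not change ownership or group membership.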