Permissions


QM uses the underlying operating system to manage processes, files, devices, etc. Therefore, all issues of access permissions ultimately lie with the operating system. This section gives some guidance on setting permissions within a QM system but individual application needs should be taken into account.

 

 

The QMSYS Account

 

The only users who should be working in the QMSYS account are system administrators. It is reasonable that these people should have write access to QMSYS. No other user ever needs to create an item in the QMSYS directory itself. Therefore the directory can be protected so that only administrators can write to it.

 

System administrators need write access to all items in the QMSYS account. The following table sets out the additional access rights needed for other users.

Item           Description                                                            Developers     Others
-------------  ---------------------------------------------------------------------  -------------  -------------
$FORMS         Form queue definitions created with SET.QUEUE for use with SP.ASSIGN.  Full           Full
$HOLD          Hold file for QMSYS account                                            None           None
$HOLD.DIC      Dictionary for $HOLD                                                   None           None
$IPC           Inter-process communication file                                       Full           Full
$LOGINS        User name database                                                     Full           Full
$MAP           Catalogue map                                                          Full (note 1)  None
$MAP.DIC       Dictionary for $MAP                                                    Read           Read
$SCREENS       Screens database                                                       Read           Read
$SVLISTS       $SAVEDLISTS file                                                       None           None
$VAULT         Encryption key vault                                                   Read           Read
ACCOUNTS       Accounts database                                                      Read (note 2)  Read (note 2)
ACCOUNTS.DIC   Dictionary for ACCOUNTS                                                Read           Read
audit.log      Encryption audit log                                                   None           None
bin            Executable files                                                       Read           Read
BP             Sample QMBasic items                                                   Read           Read
cat            Private catalogue                                                      None           None
DICT.DIC       Dictionary for dictionaries                                            Read           Read
DIR_DICT       Dictionary for directory files                                         Read           Read
DOCS           Documentation (Windows only)                                           Read           Read
errlog         Optional error log file                                                Full (note 3)  Full (note 3)
ERRMSG         Pick style error message file                                          Read (note 4)  Read (note 4)
ERRMSG.DIC     Dictionary for ERRMSG                                                  Read           Read
gcat           Global catalogue                                                       Full           Read (note 5)
MESSAGES       Message database                                                       Read           Read
NEWVOC         Template VOC file                                                      Read           Read
QM.VOCLIB      VOC extension                                                          Read           Read
stacks         Command stack repository                                               None           None
SYSCOM         System include records                                                 Read           None
temp           Temporary directory (Windows only)                                     Full           Full
terminfo       Terminfo database                                                      Read           Read
terminfo.src   Terminfo definitions                                                   None           None
VOC            Vocabulary file                                                        Read           Read
VOC.DIC        Dictionary for VOC                                                     None           None
errlog         Error log                                                              Full           Full
qm.hlp         Help text (Windows only)                                               Read           Read
QMSvc.log      QMSvc log (Windows only)                                               None           None

1. Write access to $MAP is only needed by users who execute the MAP command to create a catalogue map with the default destination file name.
2. Any user who is to be allowed to create new accounts will need write access to this file. Restricting write access on this file closes a potential security risk by preventing users creating synonyms to existing accounts that might subvert application level security mechanisms.
3. If error logging is enabled (see the ERRLOG configuration parameter), all users need full access to the optional errlog file. Any user that does not have write access will not log errors.
4. This file contains standard Pick style messages. Although rare, some applications may write to this file.
5. It is possible to restrict access to individual items in the gcat subdirectory. Users need read access (not execute access) to run a compiled QMBasic program.
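
The table above can be checked mechanically. The following Python script is an added example, not part of QM or its documentation: it compares the mode bits of items in a QMSYS directory against a subset of the table rows and reports any item that grants more or less access than the table lists. It assumes a POSIX host where administrators own the items, developers are the owning group, and all other users fall in the "other" class; the names audit_qmsys and demo are hypothetical, and the demo tree is constructed sample data.

```python
import os
import stat
import tempfile

# Expected (Developers, Others) access, copied from a subset of the table rows.
EXPECTED = {
    "$HOLD": ("None", "None"),
    "$VAULT": ("Read", "Read"),
    "ACCOUNTS": ("Read", "Read"),
    "audit.log": ("None", "None"),
    "gcat": ("Full", "Read"),
    "SYSCOM": ("Read", "None"),
}
BITS = {"None": (False, False), "Read": (True, False), "Full": (True, True)}
# Assumption: developers map to the group class, everyone else to "other".
CLASSES = (("developers", stat.S_IRGRP, stat.S_IWGRP),
           ("others", stat.S_IROTH, stat.S_IWOTH))


def audit_qmsys(qmsys_dir):
    """Return sorted (item, class, expected, actual) tuples for each mismatch."""
    names = {bits: level for level, bits in BITS.items()}
    findings = []
    for item, levels in EXPECTED.items():
        path = os.path.join(qmsys_dir, item)
        if not os.path.exists(path):
            continue  # optional item not present on this system
        mode = os.stat(path).st_mode  # top-level mode bits only
        for (cls, rbit, wbit), level in zip(CLASSES, levels):
            actual = (bool(mode & rbit), bool(mode & wbit))
            if actual != BITS[level]:
                findings.append((item, cls, level, names.get(actual, "Write-only")))
    return sorted(findings)


def demo():
    """Audit a constructed tree in which $VAULT and audit.log are too open."""
    modes = {"$HOLD": 0o700, "$VAULT": 0o666, "ACCOUNTS": 0o644,
             "audit.log": 0o604, "gcat": 0o664, "SYSCOM": 0o640}
    with tempfile.TemporaryDirectory() as root:
        for item, mode in modes.items():
            path = os.path.join(root, item)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit_qmsys(root)


if __name__ == "__main__":
    for finding in demo():
        print("%s: %s expected %s, found %s" % finding)
```

The check reads only the top-level mode of each item; per-item restrictions inside gcat (note 5) and any ACLs need a separate pass.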

 

 

Application Accounts

 

In general, users should have free access to all files. Removing write access to the VOC prevents users from modifying its content, but beware that some applications modify the VOC as part of their normal operation.

 

 

Other System Files

 

The only QM file located outside of account structures is the configuration file (qm.ini in the Windows directory on Windows, /etc/qmconfig on other platforms). All users need read access to this file.

 

The configuration file is updated by the QMTerm terminal emulator and by the QMNet server-related commands. Users of these features therefore need write access.