FYI

(Note: The origin of this information may be internal or external to Novell. Novell makes every effort within its means to verify this information. However, the information provided in this document is FOR YOUR INFORMATION only. Novell makes no explicit or implied claims to the validity of this information.)

TITLE: DR Multiuser DOS Security
DOCUMENT ID#: FYI-M-1908
DATE: 07-07-92
PRODUCT: DR MULTIUSER DOS
PRODUCT VERSION:
SUPERSEDES:
INSTALLATIONS:

The information contained herein is intended as a supplement to the information contained in Chapter 2 of the DR Multiuser DOS User Guide, "Setting up a secure system."

System security involves assigning a user name, a group, and a password to each user on the system. For example, in an Accounting office, you might have the following groups and users:

    GROUP    USER
    G/L      Gail
    G/L      Petunia
    A/P      Alan
    A/P      Jane
    A/R      Anthony

Each user owns his or her own files, and generally will have permission to access files of other members of his or her group. For example, files created by Jane (in Group A/P) could also be read by Alan (in Group A/P), but not by Anthony (in Group A/R).

The DR Multiuser DOS security function is enabled through a complete installation of DR Multiuser DOS from diskettes.

NOTE: In order to make an already installed DR Multiuser DOS system secure, one must reinstall DR Multiuser DOS.

Initial installation of security consists of the establishment of a Supergroup and one Superuser. Supergroup and Superuser represent a group and user in an organizational sense (please see explanations of group, owner, and world, below). The Superuser's powers are greater than those of other users; Superuser has full read and write access to all of the information contained on a DR Multiuser DOS system. A Superuser is analogous to a Network's System Administrator. Additional members of the Supergroup may be added via the SECURITY utility.

CONFIGURATION OPTIONS

Superuser:

A person logging in as Superuser will notice that only an AUTOEXEC.BAT is executed (i.e., no START files are executed). The AUTOEXEC.BAT file executed is the one contained in the root directory. The same AUTOEXEC.BAT file will be run every time a Superuser logs into the system.

User:

A person logging in as a user from his or her terminal will notice that their configuration files will be loaded from their own user subdirectory under the group subdirectory. In fact, the user will be put in this subdirectory upon execution of the CCONFIG.SYS and loading of COMMAND.COM. (In the example above, when Jane logs in, she will be put into the subdirectory C:\AP\JANE.)

There are a few options for loading a configuration once in the user subdirectory:

A user may prefer to have an AUTOEXEC.BAT file in their subdirectory; this will automatically be executed upon logging in. This AUTOEXEC.BAT will establish configurations which apply to all of the user's sessions.

A user may have several START files in their user subdirectory. Unlike an open DR Multiuser DOS system, these START files will execute before any AUTOEXEC.BAT file that exists in this subdirectory. These START files will establish specialized configurations for the individual sessions on this terminal.

NOTE: A user must use a CALL command in one of the START files in order to activate the AUTOEXEC.BAT file which exists in their user subdirectory.

The user's own START files or the user's AUTOEXEC.BAT will be executed every time that user logs into the DR Multiuser DOS system.

FILE ACCESS PERMISSIONS:

There are two ways of viewing user access permissions within a DR Multiuser DOS environment. The Superuser will establish the default access permissions for files created by a new user, upon setting up the new user. The user may then change the way the files they create are accessed via the XATTRIB command. Please see pages 8-3 to 8-7 of the DR Multiuser DOS User Guide for additional information.

NOTE: Attributes must first be set for the group before being set for the world (i.e., if an owner wants the file attributes on his or her document set so that anybody (the WORLD) can read it, write to it, or delete it, he or she must first set the file attributes to be read, write, and delete for the group to which he or she belongs). In other words, the setting for group is NOT automatically assumed and set.

The command XDIR will show permissions for the owner, group, and world, the name of the owner and the group, and the file name. The command XATTRIB will allow the owner to change these permissions. For example:

    XDIR README.DOC
    rwd --- --- C:\USERS\OWNER\README.DOC

    XATTRIB README.DOC /G:RWD /W:RWD
    rwd rwd rwd C:\USERS\OWNER\README.DOC

NETWORKS

Note that DR Multiuser DOS's logout command is similar to many logout commands used for network sign off. A user may want to keep this in mind when running a DR Multiuser DOS system with both security and network installations.
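
As an added example (not part of the original Novell note), the following Python sketch reads a saved listing in the shape of the XDIR example under FILE ACCESS PERMISSIONS and reports files the WORLD can write or delete, plus any file where WORLD holds a right the GROUP lacks. It assumes each permission line is exactly three rwd triplets followed by the path, as in the note's example; the function names, the second check, and all sample lines other than README.DOC are constructed for illustration.

```python
import re

# Assumption: each listing line has the shape shown in the note's XDIR example:
# owner, group and world triplets (r, w, d or '-') followed by the file path.
# Real XDIR output also carries owner and group names, which this sketch ignores.
LINE_RE = re.compile(
    r"^\s*([r-][w-][d-])\s+([r-][w-][d-])\s+([r-][w-][d-])\s+(\S.*?)\s*$", re.I)

def parse_xdir_line(line):
    """Return (path, {'owner': set, 'group': set, 'world': set}) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    owner, group, world = (set(t.lower()) - {"-"} for t in m.groups()[:3])
    return m.group(4), {"owner": owner, "group": group, "world": world}

def audit(listing):
    """Flag files WORLD can modify, and files where WORLD holds a right GROUP lacks."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_xdir_line(line)
        if parsed is None:
            continue  # command echo, blank line, or unrecognised text
        path, perms = parsed
        risky = perms["world"] & {"w", "d"}
        if risky:
            findings.append((path, "world-modifiable", "".join(sorted(risky))))
        # Treating this state as worth review is this example's assumption,
        # based on the note's group-before-world ordering.
        extra = perms["world"] - perms["group"]
        if extra:
            findings.append((path, "world-exceeds-group", "".join(sorted(extra))))
    return findings

# Constructed sample in the shape of the note's example; only README.DOC
# appears in the note, the other entries are invented for illustration.
SAMPLE = r"""
XDIR *.*
rwd --- --- C:\USERS\OWNER\README.DOC
rwd rwd rwd C:\USERS\OWNER\SHARED.DOC
rwd r-- r-- C:\USERS\OWNER\REPORT.DOC
rwd r-- rw- C:\USERS\OWNER\LEDGER.DAT
"""

if __name__ == "__main__":
    for path, issue, rights in audit(SAMPLE):
        print(f"{path}: {issue} ({rights})")
```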