%META:TOPICINFO{author="ChrisBartram" date="1170382101" format="1.1" version="1.2"}%
%META:TOPICPARENT{name="Hp3000UpgradeTo50"}%
---+ Isn't the ability to jump around with CD in the posix shell on the HP3000 a security problem?

It's a very common misunderstanding to associate your Current Working Directory (CWD) with your logon group, since in the past your logon group doubled as both the CWD and the logon group. The logon group is instrumental in determining what access you have to files (determining whether or not you belong to the group user (GU) class). It also is the location that your CPU and connect time account to when you log off. The CWD is a naming shortcut. It allows you to say FOO instead of FOO.GROUP.ACCOUNT. It has no bearing on security or access to a file, or the ability to create or purge a file. 

From your message, it appears that you believe that allowing a user to place their CWD (via the :CHDIR command) to another group or account provides some type of additional access to the files there. Let me assure you that that is not the case! Placing your CWD into PUB.SYS (or /SYS/PUB - whichever way you prefer) makes no difference in the access that you have to files in that location. You cannot create files, purge files, read, write, or do anything else, unless you already had the ability to do that (i.e. you had SM capability). All it lets you do is say :PRINT CATALOG, rather than 

<pre>PRINT CATALOG.PUB.SYS.</pre>

The thing that makes this confusing is the :CHGROUP command. :CHGROUP makes it hard to see the difference between the logon group and the CWD. Whenever you do a :CHGROUP, it actually logs you off and then back on, very quickly. Check the CPU and connect times of the old group (via the :REPORT command) just after you do a :CHGROUP and you'll see that they were updated with the amount of time you spent in that group before you "moved" over to your new group. The :CHDIR command makes the difference between the CWD and logon group obvious by allowing you to shortcut your naming independently of changing your logon group. Of course, the logon group must stay within your logon account, and so the :CHGROUP command will (still) not allow you to move your logon group outside that realm. By the way, the :CHGROUP command still changes both the CWD and the logon group, so that if they were pointing to different locations before a :CHGROUP, afterwards they'd both be pointing to the same group. 

  --[[CraigFairchild]]


-- Main.ChrisBartram - 17 May 2006