Shared Resources Authorization Permissions

GT.M uses several types of shared resources to implement concurrent access to databases. The first GT.M process to open a database file creates IPC resources (semaphores and shared memory) required for concurrent use by other GT.M processes, and in the course of operations GT.M processes create files (journal, backup, snapshot) which are required by other GT.M processes. In order to provide access to database files required by M language commands and administration operations consistent with file permissions based on the user, group and world classes, the shared resources created by GT.M may have different ownership, groups and permissions from their associated database files as described below.

As an example of the complexity involved, consider a first process opening a database based on its group access permissions. In other words, the database file is owned by a different userid from the semaphores and shared memory created by that first process. Now, if the userid owning the database file is not a member of the database file's group, a process of the userid owning the database file can only have access to the shared resources if the shared resources have world access permissions or if they have a group that is guaranteed to be shared by all processes accessing the database file, even if that group is different from the database file's own group.

Again, although FIS strongly recommends against running GT.M processes as root, a root first process opening the database file must still be able to open it although it may not be the owner of the database file or even in its group - but it must ensure access to other, non-root processes.

Some things to keep in mind:

GT.M takes a number of factors into account to determine the resulting permissions:

The following table describes how these factors are combined to determine the permissions to use:

| Database File Permissions | Opening process is owner of database file? | Owner is member of group of database file? | Opening process is a member of database file group? | Opening process is not owner but a member of database file group? | Execution of GT.M restricted to members of a group? | Group of Resource | IPC Permissions | File Permissions |
|---|---|---|---|---|---|---|---|---|
| `-r*-r*-r*-` | - | - | Y | - | - | Group of database file | `-rw-rw-rw` | `-r*-r*-r*` |
| `-rw-rw-r*` | - | - | N | - | - | Current group of process | `-rw-rw-rw` | `-rw-rw-rw` |
| `-rw-rw-rw` | - | - | N | - | - | Current group of process | `-rw-rw-rw` | `-rw-rw-rw` |
| `-rw-rw-rw` | Y | Y | - | - | - | Group of database file | `-rw-rw-rw` | `-r*-r*----` |
| `-r*-r*----` | Y | N | - | - | N | Current group of process | `-rw-rw-rw-` | `-rw-rw-rw-` |
| `-r*-r*----` | Y | N | - | - | Y | Group to which GT.M is restricted | `-rw-rw----` | `-rw-rw----` |
| `-r*-r*----` | - | Y | - | Y | - | Group of database file | `-rw-rw----` | `-r*-r*----` |
| `-r*-r*----` | - | N | - | Y | N | Group of database file | `-rw-rw-rw-` | `-rw-rw-rw-` |
| `-r*-r*----` | - | N | - | Y | Y | Group to which GT.M is restricted | `-rw-rw----` | `-rw-rw----` |
| `----r*----` | - | N | - | Y | - | Group of database file | `-rw-rw----` | `----r*----` |
| `-r*-------` | Y | - | - | - | - | Current group of process | `-rw-------` | `-rw-------` |
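
An audit check built from the table above, added here as an example and not part of GT.M or its documentation: it flags database files with mode `-r*-r*----` whose owner is not a member of the file's group, the case where the table gives world-accessible IPC permissions (`-rw-rw-rw-`) unless execution of GT.M is restricted to a group. It assumes `*` means the write bit may or may not be set; the function names are hypothetical, and `gtm_group_restricted` is a hypothetical parameter supplied by the caller.

```python
import grp
import os
import pwd
import stat


def owner_in_group(uid: int, gid: int) -> bool:
    """True if gid is the primary or a supplementary group of user uid."""
    try:
        user = pwd.getpwuid(uid)
    except KeyError:
        return False  # uid has no passwd entry: cannot be shown to be a member
    if user.pw_gid == gid:
        return True
    try:
        return user.pw_name in grp.getgrgid(gid).gr_mem
    except KeyError:
        return False  # gid has no group entry


def ipc_world_accessible(mode: int, owner_is_member: bool,
                         gtm_group_restricted: bool) -> bool:
    """True for the -r*-r*---- rows where the table gives IPC -rw-rw-rw-.

    Assumption: '*' in the table means the write bit may or may not be set.
    """
    owner_and_group_read = (mode & stat.S_IRUSR) and (mode & stat.S_IRGRP)
    no_world_access = not (mode & stat.S_IRWXO)
    if not (owner_and_group_read and no_world_access):
        return False  # a different row of the table; not covered by this check
    # The -r*-r*---- rows give -rw-rw-rw- only when the owner is not in the
    # file's group and GT.M execution is not restricted to a group.
    return not owner_is_member and not gtm_group_restricted


def audit_db_file(path: str, gtm_group_restricted: bool) -> bool:
    """Gather the file-side factors with stat() and apply the check."""
    st = os.stat(path)
    member = owner_in_group(st.st_uid, st.st_gid)
    return ipc_world_accessible(stat.S_IMODE(st.st_mode), member,
                                gtm_group_restricted)


if __name__ == "__main__":
    import sys
    for db in sys.argv[1:]:
        # False here assumes GT.M execution is not restricted to a group.
        print(db, "WORLD-ACCESSIBLE IPC" if audit_db_file(db, False) else "ok")
```
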

The following table describes how these factors combine to determine the permissions of the relink control file, relink control shared memory, and object shared memory:

| Directory Permissions | Opening process is owner of directory? | Owner is member of group of directory? | Opening process is a member of directory group? | Opening process is not owner but a member of directory group? | Execution of GT.M restricted to members of a group? | Group of Resource | Shared memory permissions | Relink control file permissions |
|---|---|---|---|---|---|---|---|---|
| `-r*-r*-r*-` | - | - | Y | - | - | Group of directory | `-rwxrwxrw` | `-rw-rw-rw` |
| `-rw-rw-r*` | - | - | N | - | - | Current group of process | `-rwxrwxrwx` | `-rw-rw-rw` |
| `-rw-rw-rw` | - | - | N | - | - | Current group of process | `-rwxrwxrwx` | `-rw-rw-rw` |
| `-rw-rw-rw` | Y | Y | - | - | - | Group of directory | `-rwxrwxrwx` | `-rw-rw-rw-` |
| `-r*-r*----` | Y | N | - | - | N | Current group of process | `-rwxrwxrwx` | `-rw-rw-rw-` |
| `-r*-r*----` | Y | N | - | - | Y | Group to which GT.M is restricted | `-rwxrwx---` | `-rw-rw----` |
| `-r*-r*----` | - | Y | - | Y | - | Group of directory | `-rwxrwx---` | `-rw-rw----` |
| `-r*-r*----` | - | N | - | Y | N | Group of directory | `-rwxrwxrwx` | `-rw-rw-rw-` |
| `-r*-r*----` | - | N | - | Y | Y | Group to which GT.M is restricted | `-rwxrwx---` | `-rw-rw----` |
| `----r*----` | - | N | - | Y | - | Group of directory | `-rwxrwx---` | `-rw-rw----` |
| `-r*-------` | Y | - | - | - | - | Current group of process | `-rwx------` | `-rw-------` |