SSES.SYS

From EDM2

SSES.SYS is the core driver of Security/2. It controls the access to files, processes, etc. Security/2 is a multi-user system for OS/2.

BASEDEV=SSES.SYS <parameter>

Parameters

  • /restrictroot - Allow loading ACLs for the root user in order to restrict root user rights. Default is not to allow.
  • /suanyuser - Allow the root user to register other users without specifying the password. Use this option with care when a local logon shell is used.
  • /somcompat - Handle a special case when PMSHELL.EXE runs SOMDD.EXE. Use this option, for example, when you experience trouble running Lotus SmartSuite. It is strongly recommended to use this option along with PM multi local logon.
  • /ctlthreads:<number> - The number of ssesctl threads. Default is 2, max is 256.
  • /maxusers:<number> - The maximum number of concurrently working users. Default is 75, max is 601.
  • /maxpids:<number> - The maximum number of concurrently running pids for each user. Can be reduced (not increased) at user creation. Default is 65535, max is 65535.
  • /maxaclsecs:<number> - The maximum number of concurrently active ACL sections. Default is 512, max is 4096.
  • /maxacls:<number> - The maximum number of ACLs for each section. Default is 1159, max is 39568.
  • /aclstrategy:<strat> - The strategy used to check user permissions. Valid strategies: 'firstmatch' - apply the rights of the first ACL with a matching mask. 'actionmatch' - scan the ACL list until reaching an ACL that matches both the mask and the action right, or an ACL that matches the mask and has the 'deny' right. Default is firstmatch.
  • /sesmgr:<path> - The path to your session manager (protshell). Default is '*PMSHELL.EXE'.
  • /logbuf:<number> - The size of the logger buffer in bytes. A size of 0 bytes means that logging is switched off. To get the log, just 'type SSESDD$'. Default is 0, max is 1048576.
  • /logaction:<number> - The set of actions to log. The number is the desired combination of ACT_* constants given in usertype.h.
  • /logresult:<type> - The type of action checking results to log. Valid types are: 'deny' - log denied actions only, 'allow' - log allowed actions only, 'all' - log all actions.
  • /no16bitcontrol - Do not use 16 bit hooks. This will switch off priority control, but can solve traps on some WARP3/WARP4 systems. If you experience a trap during system boot after installing Security/2, first try adding this key to sses.sys.
  • /noflagprocesscheck - Disable control of DosFlagProcess.
  • /alloweffective - Allow registering a so-called "effective" user from a root process. The first process registered under an "effective" user can be reverted back to root privilege with the DosUserUnsetEffectiveUser() Security/2 API function.
  • /q - Quiet Mode. Do not display information on boot.

When logging is enabled in sses.sys (with /logbuf, etc. keys), the root user can read log messages from \DEV\SSESDD$ with the DosRead function. ssesctl.exe does this when the --logsuck key is specified (see next section). The format of log messages is:

user(pid): action: object: result

where:

  • user - username
  • pid - pid of caller process
  • action - requested action (r - read, w - write, x - execute, c - create, d - delete, k - kill, s - start session)
  • object - name of the object to apply the action to; can be the name of a file or driver, one of the special objects (<user> - userbase, <dll> - any dll, <acl> - aclbase, <timecrit> - timecritical priority setting, createvdm - create VDM, setdatetime - date/time setting), or a process pid in the case of a kill action.
  • result - result of checking the permissions, can be: A - allow, D - deny
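
The record format above can be parsed for review of denied actions. The following Python sketch is an added example, not part of Security/2 or the original page; it assumes the action is logged as one of the single letters listed above and that each record is one line, and the sample lines are constructed.

```python
import re
from collections import Counter

# Action letters and result codes as listed on the page.
ACTIONS = {"r": "read", "w": "write", "x": "execute", "c": "create",
           "d": "delete", "k": "kill", "s": "start session"}

# Record layout: user(pid): action: object: result
# The object is matched lazily and the result is anchored at end of line,
# so a drive-letter colon inside the object (C:\...) does not split the record.
# The page does not state the pid's number base, so it is kept as text.
LINE_RE = re.compile(
    r"^(?P<user>[^()]+)\((?P<pid>[0-9A-Fa-f]+)\):\s*(?P<action>[a-z]):\s*"
    r"(?P<object>.+?):\s*(?P<result>[AD])\s*$")

def parse_line(line):
    """Return a dict for one log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m or m["action"] not in ACTIONS:
        return None
    return {"user": m["user"].strip(), "pid": m["pid"],
            "action": ACTIONS[m["action"]], "object": m["object"].strip(),
            "allowed": m["result"] == "A"}

def denied_by_user(lines):
    """Count denied actions per user, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and not rec["allowed"]:
            counts[rec["user"]] += 1
    return counts

# Constructed sample records (not captured from a real system).
SAMPLE = [
    r"guest(41): w: C:\CONFIG.SYS: D",
    r"guest(41): r: C:\OS2\README: A",
    "guest(57): k: 12: D",
    r"alice(63): x: C:\TOOLS\APP.EXE: A",
    "truncated line without result",
]

if __name__ == "__main__":
    for user, n in denied_by_user(SAMPLE).most_common():
        print(f"{user}: {n} denied")
```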