ID Number: Q58695
2.00 2.10
OS/2
Summary:
The following information applies to OS/2 LAN Manager versions 2.0
and 2.1 running under OS/2 version 1.2.
This article explains how local security affects the choice of whether
to run a server in share-mode versus user-mode security.
More Information:
When running local security on a machine, you can choose either
share-mode or user-mode security for that server. The information
included below applies whether you choose to run your server in
share-mode or user-mode security.
If you select local security while installing OS/2 LAN Manager, the
install program will modify the "PROTSHELL=" and "IFS=...HPFS.IFS..."
lines in the CONFIG.SYS file.
When the machine boots, CONFIG.SYS processing of the "PROTSHELL=" line
and the "IFS=...HPFS386.IFS..." line activates the local security
functions of OS/2 LAN Manager's UAS (user account subsystem) along
with the rest of the UAS.
Please note that the "IFS=...HPFS386..." line in CONFIG.SYS has an /i:
parameter that is not present when running HPFS.IFS, as shipped in
OS/2 1.2. This parameter is not legal for the HPFS.IFS shipped in OS/2
1.2; it is allowed only with the HPFS386.IFS shipped with OS/2 LAN
Manager, and for that driver it is required.
The purpose of the /i: parameter is to allow the UAS to find the file
named NET.ACC. NET.ACC is normally found in C:\LANMAN\ACCOUNTS, but
OS/2 LAN Manager may have been installed in some other subdirectory.
It is the /i: parameter on the "IFS=...HPFS386.IFS..." line in
CONFIG.SYS that points to the root directory containing OS/2 LAN
Manager.
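
The /i: rules above can be checked against a copy of CONFIG.SYS. The following Python script is an added example, not part of the original article or of OS/2 LAN Manager; the sample CONFIG.SYS lines are constructed, and the driver directories shown in them (such as C:\LANMAN\NETPROG) are assumptions.

```python
import re
from ntpath import join as nt_join  # backslash path joining that works on any host

# Constructed sample CONFIG.SYS fragments; driver directories are assumptions.
GOOD = r"""REM local security installed
IFS=C:\LANMAN\NETPROG\HPFS386.IFS /i:C:\LANMAN
"""
MISSING_I = r"""IFS=D:\NET\LM\NETPROG\HPFS386.IFS
"""
STOCK_WITH_I = r"""IFS=C:\OS2\HPFS.IFS /i:C:\LANMAN
"""

IFS_RE = re.compile(r"^\s*IFS\s*=\s*(\S+)(.*)$", re.IGNORECASE)
I_PARAM_RE = re.compile(r"/i:(\S+)", re.IGNORECASE)


def audit_config_sys(text):
    """Return (expected NET.ACC path or None, list of (line_no, finding))."""
    net_acc = None
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = IFS_RE.match(line)
        if not match:
            continue
        # Driver file name without its directory, compared case-insensitively.
        driver = match.group(1).rsplit("\\", 1)[-1].upper()
        root = I_PARAM_RE.search(match.group(2))
        if driver == "HPFS386.IFS":
            if root is None:
                findings.append((line_no, "HPFS386.IFS lacks the required /i: parameter"))
            else:
                # /i: names the LAN Manager root; NET.ACC lives in ACCOUNTS below it.
                net_acc = nt_join(root.group(1), "ACCOUNTS", "NET.ACC")
        elif driver == "HPFS.IFS" and root is not None:
            findings.append((line_no, "/i: is not legal for the OS/2 1.2 HPFS.IFS"))
    return net_acc, findings


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("MISSING_I", MISSING_I),
                         ("STOCK_WITH_I", STOCK_WITH_I)):
        print(name, audit_config_sys(sample))
```
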
After processing of the CONFIG.SYS file has been completed, local
security will become active, and the UAS will be running. The UAS will
then find and open the NET.ACC file.
At this point, no NET LOGON commands have been issued yet; therefore,
local security will not allow anyone accessing the keyboard or mouse
to delete, change, or rename any files protected by the UAS. The files
protected by the UAS typically include CONFIG.SYS, STARTUP.CMD, all
files in the C:\LANMAN and C:\OS2 subdirectories, and probably some
other files.
Only after a NET LOGON command has been issued (providing the name and
password of an account that has appropriate privileges) can files
protected by the UAS be modified or deleted.
As mentioned above, all of this discussion applies regardless of
whether the machine is in user-mode or share-mode security.
Either way, there must be a NET.ACC file, and you must log on with the
appropriate privileges before you can modify protected files.