topic Prevent copying files in Operating System - OpenVMS

Prevent copying files

Willem Grooters — Mon, 10 Jul 2006 06:18:13 GMT

Consider files being readable from anywhere (locally (TYPE, EDIT) or remotely (in case of NFS mounted disks, or accesable by Samba or Advanced server). However, I would like these files be unmodifyable by any of these access methods unless privileged. Even more, I would like to be these files non-copyable as well. That implies: not accessable for copying it to any other location, including printers, other disks and locations (inclusing FTP and similar), and not even copying it via an editor (load file, save it under a different name (and location).
Is there a (VMS-native) way to be able to do so?

Re: Prevent copying files

Karl Rohwedder — Mon, 10 Jul 2006 06:26:11 GMT

I think, that if the files are readable, it would be impossible to prevent users from copying them to a local location.
To prevent modifications should be possible with file protection.

regards Kalle

Re: Prevent copying files

Wim Van den Wyngaert — Mon, 10 Jul 2006 07:13:54 GMT

Willem,

You can prevent access to files with protected subsystems.
http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl

As I read it, you can prevent COPY, FTP and others to read the file while allowing TYPE and EDIT. However, this is only usable if you restrict all but real file viewers (not able to do save as).

May be better to prevent all access except when done with a real file viewer (you can write yourself).

Never used it, but hey, I work in a bank.

Wim

Re: Prevent copying files

Ian Miller. — Mon, 10 Jul 2006 07:53:29 GMT

I think if you can read with TYPE then the output of TYPE could be redirected therefore copying the file. Also what about terminal emulators - if they display a file then it is potentially saved in the terminal emulator session history file and therefore a copy exists.

Why do you want to prevent the copy - Security, as always, is a people problem.

Re: Prevent copying files

Robert Gezelter — Mon, 10 Jul 2006 08:13:09 GMT

Willem,

Protected subsystems would work with regards to the access from the OoenVMS side.

Unfortunately, it is nearly impossible to control the other side of the connection. Screen scraping of data from the client side is virtually unknowable. This has figured in some discussions about data privacy following incidents such as the one involving the US Veterans Administration.

Security measures must always be considered with the knowledge that the precautions and preventitive measures have limitations, and an awareness of what those limitations are.

- Bob Gezelter, http://www.rlgsc.com

Re: Prevent copying files

John Gillings — Mon, 10 Jul 2006 20:56:35 GMT

Willem,

You might be able to do this with a protected subsystem controlling access to the source data, but only presenting it to clients transformed into some kind of graphical format, presented via a web server as HTML with caching and right click disabled. You may also need to to introduce some noise to inhibit screen capture and OCR. However, it would NOT necessarily inhibit printing the graphical result.

Of course, no matter what you do, you can't prevent someone from simply transcribing, or even photographing the data off the screen.

Re: Prevent copying files

Willem Grooters — Sun, 08 Oct 2006 15:28:42 GMT

I know it doesn't exist, but it would be a nice feature. IIRC, CDD had (has?) mentioned the ability to specify COPY as a allowed fnction in an ACL and it would be cool to have something like that in the base OS.