HPE Community
Operating System - OpenVMS
1752564 Members
5254 Online
108788 Solutions
New Discussion юеВ

Re: Advance Server ACL Protection Policy

 
SOLVED
Go to solution
Robert Atkinson
Respected Contributor

тАО11-02-2007 01:56 AM

тАО11-02-2007 01:56 AM

Advance Server ACL Protection Policy

I'm trying to cleanup and rationalise the security on our Advance Server shared directories.

From the VMS side, I'm going to make the individual users the owners of the directories and files.

So that PWRK can access the data, I've set an ACL on the directories as :-

(IDENTIFIER=[PWRK$DEFAULT],ACCESS=READ+WRITE+EXECUTE)

The issue I can see is that when PWRK creates a file from the Windows side, it will be the owner, so the user won't be able to control the file.

What I'm looking for is a working example of how to set this sort of security up.

Thanks, Rob.
0 Kudos
14 REPLIES 14
Karl Rohwedder
Honored Contributor

тАО11-02-2007 02:04 AM

тАО11-02-2007 02:04 AM

Re: Advance Server ACL Protection Policy

What version are involved?

Do you have for each Windows-users a corresponding VMS user or are you using hostmaps?

regards Kalle
0 Kudos
Karl Rohwedder
Honored Contributor

тАО11-02-2007 02:15 AM

тАО11-02-2007 02:15 AM

Re: Advance Server ACL Protection Policy

Just made a small test:
- VMS is PDC in domain DS10
- VMS user: KALLE, Domain user KALLE
- no hostmap

creating a testfile leads to PRWK$DEFAULT as owner

- adding a hostmap: addhostmap kalle kalle

creating a testfile leads to KALLE as owner


regards Kalle
0 Kudos
Robert Atkinson
Respected Contributor

тАО11-02-2007 02:19 AM

тАО11-02-2007 02:19 AM

Re: Advance Server ACL Protection Policy

I've never come across 'hostmap' before, but looks like it could be very useful.

Rob.
0 Kudos
Brad McCusker
Respected Contributor

тАО11-03-2007 01:27 AM

тАО11-03-2007 01:27 AM

Re: Advance Server ACL Protection Policy

Robert,

As Karl said, hostmaps should do what you want. It's been a while for me, but some high level things that might help you understand what's going on:

Two relevant types of Account Mapping:

Implicit mapping is the default but it is configurable. Implicit host mapping is established when there is an exact match between the Windows NT user name and the OpenVMS user name. This behavior is controlled by the Registry parameter HOSTMAPUSEVMSNAMES. Implicit mapping takes the lowest precedence.

Explicit mapping takes the highest precedence and occurs when you specifically set a hostmap using the ADMINISTER command ADD HOSTMAP:
$ ADMIN ADD HOSTMAP .

These are the relationships that are stored in the LSA database. If I recall correctly, there is a pre-defined explictit mapping of Guest to PWRK$GUEST. The use of explicit hostmaps is controlled by the parameter HOSTMAPUSEDATABASE in the Registry.


If there is no explicit setting and no implicit match, then the HOSTMAPDEFAULT registry parameter takes effect. The default setting for that parameter indicates that the OpenVMS user account PWRK$DEFAULT is used.

I think there are other registry parameters that allow you to fine tune all of this. I know there is one or more related to trusts and which domains you allow implicit maps from.

This is a high level synopsis. It's been 5 years now since I was the project leader for Advanced Server Engineering. I make no promises that I've remembered this stuff completely or accurately. In other words, it might be a good idea to find the documentation that talks about this stuff and read up on it before you go much further.

And of course, if you have more questions, ask away...

Best Regards,

Brad McCusker
Software Concepts International
www.sciinc.com
Brad McCusker
Software Concepts International
0 Kudos
Robert Atkinson
Respected Contributor

тАО11-05-2007 12:11 AM

тАО11-05-2007 12:11 AM

Re: Advance Server ACL Protection Policy

Brad, found the notes for the INI settings, and your info is still accurate.

Assuming I'm going to use hostmapping, and the files will be owned and created by the end user, do I need to give PWRK$DEFAULT access to the directories, or does PWRK run with SYSPRV/BYPASS?

If PWRK does need a specific ACL, what's the best way to ensure this is propogated down to new files/directories?

Thanks, Rob.
0 Kudos
Karl Rohwedder
Honored Contributor

тАО11-05-2007 02:25 AM

тАО11-05-2007 02:25 AM

Re: Advance Server ACL Protection Policy

Robert,

doe LMSRV process runs with a lot of privs, including BYPASS.

regards Kalle
0 Kudos
Robert Atkinson
Respected Contributor

тАО11-05-2007 02:38 AM

тАО11-05-2007 02:38 AM

Re: Advance Server ACL Protection Policy

I've been testing hostmap out, but there's a problem with the default directory permissions :-

Directory OPS$DATA:[000000]

ROBERT.DIR;1 65/725 20-MAR-2001 09:30:51.03 [SYSOPER,RAA] (RWE,RWE,E,)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)

Directory OPS$DATA:[ROBERT]

AA.DIR;1 1/145 5-NOV-2007 13:38:21.95 [SYSOPER,RAA] (RWED,RWED,RWED,RE)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)

Directory OPS$DATA:[ROBERT.AA]

BB.DIR;1 1/145 5-NOV-2007 13:40:16.77 [SYSOPER,RAA] (RWED,RWED,RWED,RE)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)
BB__2ETXT.TXT;1 0/0 5-NOV-2007 13:40:23.17 [SYSOPER,RAA] (RWE,RWE,E,)


Files are being created with the correct default protection from the ACL, but directories are created with the system default protection.

I have something niggling in the back of my mind that says there's a special keyword to do ACL protection on directories?

Rob.
0 Kudos
Karl Rohwedder
Honored Contributor

тАО11-05-2007 03:42 AM

тАО11-05-2007 03:42 AM

Solution

Re: Advance Server ACL Protection Policy

You can specify the directory permissions using ADMIN> MOD SHARE/HOST=DIREC=...

regards Kalle
0 Kudos
Doug Phillips
Trusted Contributor

тАО11-05-2007 08:07 AM

тАО11-05-2007 08:07 AM

Re: Advance Server ACL Protection Policy

You shouldn't need to "tinker" with the PWRK ACEs from the VMS side because ADMIN does everything you need for your Windows (Adv.Server) shares, and it "understands" what needs to be done.

BYPASS isn't needed because the PWRKS ACEs grant/restrict access from the Adv.Server side. It's no different than setting any other ACE granting specific access to one user (or rights-holder) on an otherwise restricted resource, but the ACE does have specific requirements that are best left up to ADMIN.

The Security Model you select in "ADMIN/CONFIG -> Advanced..." will determine whether or not the other RMS protections are to be considered by the Adv.Server side.

If you use "Advanced Server only" then just the PWRK ACE is used by your Windows clients. I always set Windows' access protection from ADMIN, and VMS/RMS protection from the VMS side, and I don't tinker with one side from the other.

File ownership is seen differently from Windows than from VMS if the "AS only" model is used. AS uses hostmaps to "understand" file ownership for a file with no PWRKS ACE (among other things.)

Using the "Advanced Server and OpenVMS" model adds unnecessary complications (IMHO.)
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.