Operating System - OpenVMS
Advance Server ACL Protection Policy

SOLVED
Robert Atkinson
Respected Contributor

Advance Server ACL Protection Policy

I'm trying to cleanup and rationalise the security on our Advance Server shared directories.

From the VMS side, I'm going to make the individual users the owners of the directories and files.

So that PWRK can access the data, I've set an ACL on the directories as :-

(IDENTIFIER=[PWRK$DEFAULT],ACCESS=READ+WRITE+EXECUTE)

The issue I can see is that when PWRK creates a file from the Windows side, it will be the owner, so the user won't be able to control the file.

What I'm looking for is a working example of how to set this sort of security up.

Thanks, Rob.
14 REPLIES
Karl Rohwedder
Honored Contributor

Re: Advance Server ACL Protection Policy

What versions are involved?

Do you have a corresponding VMS user for each Windows user, or are you using hostmaps?

regards Kalle
Karl Rohwedder
Honored Contributor

Re: Advance Server ACL Protection Policy

Just made a small test:
- VMS is PDC in domain DS10
- VMS user: KALLE, Domain user KALLE
- no hostmap

creating a testfile leads to PWRK$DEFAULT as owner

- adding a hostmap: addhostmap kalle kalle

creating a testfile leads to KALLE as owner


regards Kalle
Robert Atkinson
Respected Contributor

Re: Advance Server ACL Protection Policy

I've never come across 'hostmap' before, but looks like it could be very useful.

Rob.
Brad McCusker
Respected Contributor

Re: Advance Server ACL Protection Policy

Robert,

As Karl said, hostmaps should do what you want. It's been a while for me, but some high level things that might help you understand what's going on:

Two relevant types of Account Mapping:

Implicit mapping is the default but it is configurable. Implicit host mapping is established when there is an exact match between the Windows NT user name and the OpenVMS user name. This behavior is controlled by the Registry parameter HOSTMAPUSEVMSNAMES. Implicit mapping takes the lowest precedence.

Explicit mapping takes the highest precedence and occurs when you specifically set a hostmap using the ADMINISTER command ADD HOSTMAP:
$ ADMIN ADD HOSTMAP .

These are the relationships that are stored in the LSA database. If I recall correctly, there is a pre-defined explicit mapping of Guest to PWRK$GUEST. The use of explicit hostmaps is controlled by the parameter HOSTMAPUSEDATABASE in the Registry.


If there is no explicit setting and no implicit match, then the HOSTMAPDEFAULT registry parameter takes effect. The default setting for that parameter indicates that the OpenVMS user account PWRK$DEFAULT is used.

I think there are other registry parameters that allow you to fine tune all of this. I know there is one or more related to trusts and which domains you allow implicit maps from.

This is a high level synopsis. It's been 5 years now since I was the project leader for Advanced Server Engineering. I make no promises that I've remembered this stuff completely or accurately. In other words, it might be a good idea to find the documentation that talks about this stuff and read up on it before you go much further.

And of course, if you have more questions, ask away...

Best Regards,

Brad McCusker
Software Concepts International
www.sciinc.com

Robert Atkinson
Respected Contributor

Re: Advance Server ACL Protection Policy

Brad, found the notes for the INI settings, and your info is still accurate.

Assuming I'm going to use hostmapping, and the files will be owned and created by the end user, do I need to give PWRK$DEFAULT access to the directories, or does PWRK run with SYSPRV/BYPASS?

If PWRK does need a specific ACL, what's the best way to ensure this is propagated down to new files/directories?

Thanks, Rob.
Karl Rohwedder
Honored Contributor

Re: Advance Server ACL Protection Policy

Robert,

the LMSRV process runs with a lot of privs, including BYPASS.

regards Kalle
Robert Atkinson
Respected Contributor

Re: Advance Server ACL Protection Policy

I've been testing hostmap out, but there's a problem with the default directory permissions :-

Directory OPS$DATA:[000000]

ROBERT.DIR;1 65/725 20-MAR-2001 09:30:51.03 [SYSOPER,RAA] (RWE,RWE,E,)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)

Directory OPS$DATA:[ROBERT]

AA.DIR;1 1/145 5-NOV-2007 13:38:21.95 [SYSOPER,RAA] (RWED,RWED,RWED,RE)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)

Directory OPS$DATA:[ROBERT.AA]

BB.DIR;1 1/145 5-NOV-2007 13:40:16.77 [SYSOPER,RAA] (RWED,RWED,RWED,RE)
(DEFAULT_PROTECTION,SYSTEM:RWE,OWNER:RWE,GROUP:E,WORLD:)
BB__2ETXT.TXT;1 0/0 5-NOV-2007 13:40:23.17 [SYSOPER,RAA] (RWE,RWE,E,)


Files are being created with the correct default protection from the ACL, but directories are created with the system default protection.

I have something niggling in the back of my mind that says there's a special keyword to do ACL protection on directories?

Rob.
Karl Rohwedder
Honored Contributor
Solution

Re: Advance Server ACL Protection Policy

You can specify the directory permissions using ADMIN> MOD SHARE/HOST=DIREC=...

regards Kalle
Doug Phillips
Trusted Contributor

Re: Advance Server ACL Protection Policy

You shouldn't need to "tinker" with the PWRK ACEs from the VMS side because ADMIN does everything you need for your Windows (Adv.Server) shares, and it "understands" what needs to be done.

BYPASS isn't needed because the PWRKS ACEs grant/restrict access from the Adv.Server side. It's no different than setting any other ACE granting specific access to one user (or rights-holder) on an otherwise restricted resource, but the ACE does have specific requirements that are best left up to ADMIN.

The Security Model you select in "ADMIN/CONFIG -> Advanced..." will determine whether or not the other RMS protections are to be considered by the Adv.Server side.

If you use "Advanced Server only" then just the PWRK ACE is used by your Windows clients. I always set Windows' access protection from ADMIN, and VMS/RMS protection from the VMS side, and I don't tinker with one side from the other.

File ownership is seen differently from Windows than from VMS if the "AS only" model is used. AS uses hostmaps to "understand" file ownership for a file with no PWRKS ACE (among other things.)

Using the "Advanced Server and OpenVMS" model adds unnecessary complications (IMHO.)
Robert Atkinson
Respected Contributor

Re: Advance Server ACL Protection Policy

Karl, thanks for that pointer again.

It's amazing how well you think you know a product (been using A/S for 10+ years), and suddenly find out you probably know nothing :)

Anyway, the docs say, "The default RMS directory protection is OWNER:RWED, GROUP:RWED, WORLD:RE."

Do you know if this is globally configurable anywhere, so rather than setting up every directory individually, I can simply change the default. All I really want to do is get rid of the G:D priv.

Rob.
Karl Rohwedder
Honored Contributor

Re: Advance Server ACL Protection Policy

I don't know if the default can be changed.
A 1st look into the registry using

REGUTL> SHOW PARAM * * /KNOWN

unveils some parameters e.g. DIRPERMS and FILEPERMS, but I don't know if they can be used for that purpose.

regards Kalle
Robert Atkinson
Respected Contributor

Re: Advance Server ACL Protection Policy

Thanks Karl. As this starts to go down the 'unsupported' route, I'll pass this over to our support company to check with HP to see what the official line is.

Thanks for everyone's help on this.

Rob.
Robert Atkinson
Respected Contributor

Re: Advance Server ACL Protection Policy

A point of note on this. AdvSrv does not support the DELETE privilege for directories (and possibly files).

If you specify 'RWE', delete will always be granted as well, as it's implied anytime you specify WRITE.

Looks like I'm not going to be able to automatically remove the DELETE privilege for directories after all.

Rob.
Robert Atkinson
Respected Contributor

Re: Advance Server ACL Protection Policy

Thanks to all who replied.

After taking all of the responses into account, I was able to write a script that could create Advanced Server shares and sub-directories that have the correct VMS and Windows privilege levels.
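A DCL sketch of that kind of script, added here as an illustration and not Rob's actual script: it combines the pieces raised in the thread (user-owned directory, DEFAULT_PROTECTION and PWRK$DEFAULT ACEs on the VMS side, ADMINISTER for the share and its directory-creation protection). It assumes P1 is the VMS username that is also the hostmapped Windows name, P2 is the device (e.g. OPS$DATA:), that PWRK$DEFINE_COMMANDS defines the ADMINISTER command, and that /HOST_ATTRIBUTES=(DIRECTORY_PROTECTION=...,FILE_PROTECTION=...) is the full spelling of the MOD SHARE/HOST=DIREC= qualifier Karl pointed to.

```dcl
$! Added example, not the original poster's script. P1 = username,
$! P2 = device holding the share root (assumed, e.g. OPS$DATA:).
$ SET NOON
$ IF P1 .EQS. "" .OR. P2 .EQS. "" THEN EXIT
$ @SYS$STARTUP:PWRK$DEFINE_COMMANDS          ! assumed to define ADMINISTER
$ user    = F$EDIT(P1, "UPCASE,TRIM")
$ dev     = F$PARSE(P2,,, "DEVICE")
$ uic     = "[" + user + "]"
$ dir     = dev + "[" + user + "]"            ! e.g. OPS$DATA:[ROBERT]
$ dirfile = dev + "[000000]" + user + ".DIR"  ! the directory file itself
$!
$! 1. Directory owned by the user; no delete access for GROUP or WORLD.
$ CREATE/DIRECTORY/OWNER_UIC='uic'/PROTECTION=(S:RWE,O:RWE,G:E,W:) 'dir'
$!
$! 2. VMS-side ACL on the directory file:
$!    - DEFAULT_PROTECTION is applied to new files created in it,
$!    - an ACE for PWRK$DEFAULT covers access when no hostmap matches,
$!    - the same ACE with OPTIONS=DEFAULT is copied onto new files so the
$!      grant follows the data down the tree.
$ SET SECURITY/ACL=( -
    (DEFAULT_PROTECTION,S:RWE,O:RWE,G:E,W:), -
    (IDENTIFIER=PWRK$DEFAULT,ACCESS=READ+WRITE+EXECUTE), -
    (IDENTIFIER=PWRK$DEFAULT,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE)) -
    'dirfile'
$!
$! 3. Windows side: share it to that user only, then set the RMS protection
$!    Advanced Server stamps on directories and files it creates beneath it.
$!    WRITE implies DELETE on the Advanced Server side (see the thread), so
$!    delete is kept off GROUP/WORLD by leaving WRITE out, not by adding D.
$ ADMINISTER ADD SHARE 'user' 'dir' "Home share for ''user'" -
    /PERMISSIONS=('user'=FULL)
$ ADMINISTER MODIFY SHARE 'user' -
    /HOST_ATTRIBUTES=(DIRECTORY_PROTECTION=(S:RWE,O:RWE,G:E,W:), -
                      FILE_PROTECTION=(S:RWE,O:RWE,G:E,W:))
$!
$! Check the result the same way the listing earlier in the thread did.
$ DIRECTORY/SECURITY 'dirfile'
$ EXIT
```

Run it as @CREATE_SHARE ROBERT OPS$DATA: from an account that holds the privileges needed for SET SECURITY and ADMINISTER, and verify with DIRECTORY/SECURITY on a file and a sub-directory created from a Windows client.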