- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Another ACL question
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-01-2008 02:03 PM
тАО05-01-2008 02:03 PM
Another ACL question
Is it possible to set ACLs on a directory in such a way that an unprivileged process can create files in the directory, but once having done so, can no longer actually access those files? Setting a DEFAULT_PROTECTION ACL entry with S:RW,O,G,W protection sort of works, in that the file is created with that protection and the owner cannot access it, but the file is created as owned by the creator who can issue a $ SET PROTECTION on the file.
- Tags:
- ACLs
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-01-2008 03:48 PM
тАО05-01-2008 03:48 PM
Re: Another ACL question
I'm not sure if you can allow creation but deny listing the directory. For captive users you may be able to do something clever with a dynamic resource identifier. Enable it when they need to create files, and disable at other times. Use ACE order to explicitly allow or explicitly disallow access.
>Is it possible to set ACLs on a directory
>in such a way that an unprivileged process
>can create files in the directory, but
>once having done so, can no longer
>actually access those files?
Yes. It's done using a "project directory" owned by a resource identifier. The files end up being owned by the identifier, not the user that created them. There's a weird entity called the "creator ACE" which you can set to deny access.
Work through the example in the Guide to OpenVMS System Security. Get it working first, and then adjust to your needs. Look for "Project Account" in the index (I used to be able to say it was section 5.3.5.3, but now they've removed section numbers, I have trouble finding anything in the GOVSS :-(
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-02-2008 01:11 AM
тАО05-02-2008 01:11 AM
Re: Another ACL question
http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/00/00/78-con.html#resource-id-setup
and follow the references
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-02-2008 09:06 AM
тАО05-02-2008 09:06 AM
Re: Another ACL question
In general, this looks similar to a common and typical scholastic project submission sequence -- homework assignments, class projects, et al -- and the topic was commonly discussed back when OpenVMS was more widely used in schools and colleges.
Resource identifiers and subsystem identifiers are the usual approach, whether directly or through a small image that controls the submission.
OpenVMS in the guise of its SEVMS variant had an explicit sequence for upgrading information security sensitivity settings, but I digress.
DECnet or IP task-to-task -- built in DCL or otherwise -- can also be used, where the client tosses the filename at the server, and the server (operating privileged) copies in the file under an application-appropriate name and related processing.
Depending on the particular application, I'd probably also look to using a web server and uploading files that way, too.
The filename collisions and such were a common second-level error in the school tools, too, when a half-dozen folks all named their submission file HOMEWORK.TXT or such and an errant tool dutifully clobbered the previous version.
Directory protections are also a somewhat soft protection. The file itself (also) needs to be protected against access, or a brute-force attack is feasible.
I'd be surprised if there were not some similar tools still around -- the (old) Freeware package Cerberus comes to mind here, as does the execsymb package. Most cases of this problem have been solved before, after all.
Stephen Hoffman
HoffmanLabs LLC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-04-2008 03:26 PM
тАО05-04-2008 03:26 PM
Re: Another ACL question
>files in the directory, but once having
>done so, can no longer actually access
>those files?
Another (simpler?) way of looking at this operation... use MAIL:
$ MAIL file TRAPDOOR
If you run DELIVER, or a periodic script at the other end, you can automate extracting the files. This will allow you to make the target directory completely invisible to the senders, and resolve issues like filename clashes as raised by Hoff.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-06-2008 02:18 PM
тАО05-06-2008 02:18 PM
Re: Another ACL question
Fast forward to a few weeks ago when someone asked me about something similar and I related my story how VMS tried to defeat my efforts. I didn't try having identifiers owning files.
For my original exercise, the files were created using FTP and better solutions like email or web access didn't apply.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-06-2008 02:19 PM
тАО05-06-2008 02:19 PM