1748019 Members
4415 Online
108757 Solutions
New Discussion юеВ

Re: Backup question

 
Jimson_1
Frequent Advisor

Backup question

Hi,

When using the BACKUP utility to backup a file to a saveset, is it also possible to backup the file's security profile?

This doesn't appear to happen by default. Instead it takes the default profile of the parent directory.

Anyone know how to do this?
16 REPLIES 16
The Brit
Honored Contributor

Re: Backup question

Hi James,

Using /By_Owner=Original as an "Output Qualifier" will cause the restored files to have the same ownership as the original files, however I dont know if this extends to the protection string. I am pretty sure that "Identifiers" are not propagated.

Dave
Shriniketan Bhagwat
Trusted Contributor

Re: Backup question

Hi JamesP,

Do you mean SUBSYSTEM ACE as security profile of the file?
BACKUP behavior for SUBSYSTEM ACE is as below.

(1) BACKUP saves the SUBSYSTEM ACE in the save set.
(2) BACKUP restores the SUBSYSTEM ACE if the account under which it is being run holds the subsystem identifier.
(3) BACKUP does not restore the SUBSYSTEM ACE if the account under which it is being run does not hold the subsystem identifier, even if the account is privileged.

Regards,
Ketan
P Muralidhar Kini
Honored Contributor

Re: Backup question

Hi,

If you look at the DCL help for BACKUP/BY_OWNER

BACKUP

/BY_OWNER

/BY_OWNER[=[uic]]
/BY_OWNER[=option]

As an input file-selection qualifier, /BY_OWNER causes BACKUP
to process files owned by the specified UIC. Specify the UIC as
octal numbers or in alphanumeric format (in the form [g,m]). Note
that the UIC specification must include the brackets. UIC formats
are described in the OpenVMS User's Manual. If you specify this
qualifier without a UIC, the default UIC is the current process
UIC. If you do not specify this qualifier, BACKUP processes all
files on the volume.

As an output file qualifier, /BY_OWNER redefines the owner UIC
for each file restored during the operation. As an output save-
set qualifier, /BY_OWNER specifies the owner UIC of the save set.
If you omit the /BY_OWNER qualifier, the save set receives the
UIC of the current process. To use /BY_OWNER as an output save-
set qualifier, you must have the SYSPRV user privilege or the UIC
must be your own.


>> Using /By_Owner=Original as an "Output Qualifier"
Yes, thats right. Looks like only the UIC gets propogated and not the
security profile.

Regards,
Murali
Let There Be Rock - AC/DC
Jimson_1
Frequent Advisor

Re: Backup question

Shriniketan,

When I referred to security profile, I meant the protection string and any ACL identifiers.
Shriniketan Bhagwat
Trusted Contributor

Re: Backup question

Hi James,

As the others in the notes replied, you can use /BY_OWNER=ORIGINAL qualifier to restore the files to the same ownership. And with respect to ACL identifier of the file, BACKUP├в s behavior for ACL identifier is same as subsystem ACE as explained in my previous reply. You should use the same account which holds the identifier to restore the file.

Regards,
Ketan
The Brit
Honored Contributor

Re: Backup question

Be aware however, I believe that backup copies the identifier value and not the Identifier name. The system receiving the restore must have the identifiers defined in the UAF, and they must have the same values as the original system.

This does not happen automatically, and doing it manually can be a pain in the proverbial.

On the receiving system, if the identifiers already exist but have the incorrect values, then they need to modified using the

UAF> modify /id /value=
(see help)

if they dont exist, they should be created using

UAF> add /id /value=
(see help)

Dave
Steven Schweda
Honored Contributor

Re: Backup question

It may be worth noting that BACKUP normally
saves these data when creating a save set,
but /INTERCHANGE can stop it. What happens
to these data when the save set is restored
is another question.
Jan van den Ende
Honored Contributor

Re: Backup question

Dave (the Brit) gave essentially the whole story. BACKUP _DOES_ save the (whole) security profile (exception: see Steven's answer). Upon restore, the security profile ONLY gets restored if /BY_OWNER=ORIGINAL (or /OWNER=ORIGINAL, as it used to be called, which still works of course, this being VMS).
And again Dave is right: the NUMERIC value of any identifiers gets restored, and if the restore is to a system that has a different RIGHTSLIST, that may be VERY inconvenient.
That is exactly the reason that we had a really strict protocol for translating alphanumeric names to hex values - implying that whenever any installation generated its own identifier, its value is immediately changed to the value calculated for that name.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Jon Pinkley
Honored Contributor

Re: Backup question

Shriniketan Bhagwat wrote on Jun 10, 2010 11:39:20 GMT

(1) BACKUP saves the SUBSYSTEM ACE in the save set.
(2) BACKUP restores the SUBSYSTEM ACE if the account under which it is being run holds the subsystem identifier.
(3) BACKUP does not restore the SUBSYSTEM ACE if the account under which it is being run does not hold the subsystem identifier, even if the account is privileged.
----------
Where is this documented? (backup, system security, somewhere else?)

I just tried this and it is true for non-image restores. I don't think it is backup that is doing anything special to limit what can be restored, my guess is that it is the XQP. Using set security/acl gets a similar error if the process is not holding the subsystem identifier.

An image restore can restore these ACLs without any problem. But in this case, the XQP is not involved, as the disk is mounted /foreign.

Summary: Process with all privs but not holding subsystem identifier will get this message when restoring the file to a XQP mounted disk:

OT$ backup test.bck/save [.itrc]/own=orig/ver/log
%BACKUP-I-SSINOTGRANTED, protected subsystem identifier not granted to this account; ACL not modified for ROOT$USERS:[JON.ITRC]TEST.
EXE;10
%BACKUP-S-CREATED, created ROOT$USERS:[JON.ITRC]TEST.EXE;10
%BACKUP-I-STARTVERIFY, starting verification pass at 11-JUN-2010 02:03:57.76
%BACKUP-S-COMPARED, compared ROOT$USERS:[JON.ITRC]TEST.EXE;10
OT$ set security/class=file /acl=(subsystem,ident=JON_TEST$SUBSYSTEM,attr=resource) ROOT$USERS:[JON.ITRC]TEST.EXE;10
%SET-F-WRITEERR, error writing ROOT$USERS:[JON.ITRC]TEST.EXE;10
-SYSTEM-F-SSINOTHELD, protected subsystem identifier not held; ACL not modified
OT$

An image restore will restore the subsystem ACE even if the process does not hold the protected subsystem identifier.

For more details see attachment.

Jon
it depends