1748228 Members
4502 Online
108759 Solutions
New Discussion юеВ

Re: Backup question

 
Jimson_1
Frequent Advisor

Re: Backup question

Hi Guys,

Thanks for all your replies.

I see my problem now.
The parent directory to where I want to restore my file, has an ACE with the SAME IDENTIFIER NAME, but different access types.

So, as one of you mentioned above, the file is restored with this ACE.

If I remove the parent directory's ACE (or change the identifier's name) the file is restored with the original ACE and its access types.

Problem solved.
Thanks.
Shriniketan Bhagwat
Trusted Contributor

Re: Backup question

Hi Jon,

This behavior of BACKUP about ACE is not documented in any document. This is what I found the BACKUP code is doing for non image BACKUP. Yes, image BACKUP will restore entire disk with ACE without any problem since the disk mounted foreign where XQP will not get involved.

James,

Please refer the below link to thank the forum.
http://forums11.itrc.hp.com/service/forums/helptips.do?#33

Regards,
Ketan
Jon Pinkley
Honored Contributor

Re: Backup question

The behavior of the backup /interchange qualifier is not well documented, especially its effect when used on a restore operation. The following can be verified by experiment, and has been true for at least VMS V5 through 8.3.

When /interchange is used to create a save set, the ACLs are not copied into the save set.

When /interchange is used to create (non-save set) files on a disk (either restoring from a save set or when copying files from disk to disk), the /interchange qualifier prevents backup from specifying any protection or ACL, and the RMS default behavior dictates what the protection of the file will be. In other words, the behavior will be similar to COPY, but the file ownership still behaves the same as if /interchange was not used. The file protection mask is determined like copy, i.e. if a previous version of the file exists, then the new version will copy the protection from the previous file version, else if the target directory has a default_protection ACE, then that is used, else the processes RMS default protection is used. If the output file has an ACL, it came from a previous version of the file, or an ACE in the target directory that had options=default .

/interchange has no effect on the owner of the file, as backup always explicitly sets the owner of the created file. The owner will be set to the original owner (if /by_owner=original or /owner=original was specified), the UIC of the process running backup (the default behavior), the owner of the target directory (if /by_owner=parent specified), or a user specified UIC (if /by_owner=[UIC] specified). There is no way to get the behavior of COPY, which will attempt to preserve the ownership of the file, i.e. if there is a previous version of the file, and the process creating the file has the rights to specify this as the owner, then the new version of the file will have the same ownership as the previous version. This behavior is the default RMS behavior, and has been around since either V3 or V4 (I can't remember when it changed, it was a long time ago).

There is no backup /by_owner=rms_default. I really wish that was the default backup behavior, because if a privileged user uses backup to copy to another users directory and does not specify /owner=parent, then it is likely that the owner of the directory will not have the ability to do much with the file. But BACKUP's default behavior is extremely unlikely to change. I do wish there was a way to have backup use the rms_default behavior, as this is usually better than /own=parent.

Jon
it depends
Jon Pinkley
Honored Contributor

Re: Backup question

James,

What evidence do you have that the problem you posed exists, and that the removing an ACL on the target directory had any effect on the ACL of the restored file?

I can't reproduce the "problem" you originally described (backup not restoring the original ACL) unless the /interchange qualifier is used.

But if the /interchange qualifier is used, then the ACL is completely removed, and the only way an ACL will be applied to the restored file is if there is an ACL on the target directory, and that ACL has at least one ACE with the "options=default" attached.

Can you please provide the commands you used, and the version of VMS that was used?

Can you also provide an example of how the parent directory's ACL having an ACE with the same identifier makes any difference?

If you don't respond, we will have to assume that you can't reproduce the problem you were describing and that the ACL had no effect on what backup did.

See attached zip file that has a command procedure (renamed with .txt and a log file) showing the testing I did. The command proceedure should work as is if you want to test it. It will create subdirectories [.itrc1] and [.itrc2] while running.

Jon
it depends
Shriniketan Bhagwat
Trusted Contributor

Re: Backup question

Hi Jon,

BACKUP does not copy the ACL if the /INTERCHANGE qualifier is used. As I said earlier. BACKUP saves ACL in the saveset and to restore the ACL, the account which holds the same identifier should be used. This is applicable for BACKUP copy operation also.

BACKUP copy or restore operation does not apply the ACL of the target directory to the newly copied or restored file. Instead it inherits the all attributes including ACL (if the account which holds the same identifier is used to restore) and other security characteristics from the source file. This is because the file is represented by the attributes of its process and its source. After the BACKUP copy operation the ACL and other security characteristics for the newly created file should be added/modified by the user accordingly.

Regards,
Ketan

Jon Pinkley
Honored Contributor

Re: Backup question

Ketan,

Can you provide an example where holding the identifier is required to copy an ACL with backup, other than when a subsystem identifier is involved?

Jon
it depends
Shriniketan Bhagwat
Trusted Contributor

Re: Backup question

Hi Jon,

I mean account which holds the subsystem identifier as identifier in my previous update. Sorry for not being so clear in the update.

Regards,
Ketan