- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Backup question
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 03:11 AM
тАО06-10-2010 03:11 AM
Backup question
When using the BACKUP utility to backup a file to a saveset, is it also possible to backup the file's security profile?
This doesn't appear to happen by default. Instead it takes the default profile of the parent directory.
Anyone know how to do this?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 03:27 AM
тАО06-10-2010 03:27 AM
Re: Backup question
Using /By_Owner=Original as an "Output Qualifier" will cause the restored files to have the same ownership as the original files, however I dont know if this extends to the protection string. I am pretty sure that "Identifiers" are not propagated.
Dave
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 03:39 AM
тАО06-10-2010 03:39 AM
Re: Backup question
Do you mean SUBSYSTEM ACE as security profile of the file?
BACKUP behavior for SUBSYSTEM ACE is as below.
(1) BACKUP saves the SUBSYSTEM ACE in the save set.
(2) BACKUP restores the SUBSYSTEM ACE if the account under which it is being run holds the subsystem identifier.
(3) BACKUP does not restore the SUBSYSTEM ACE if the account under which it is being run does not hold the subsystem identifier, even if the account is privileged.
Regards,
Ketan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 03:47 AM
тАО06-10-2010 03:47 AM
Re: Backup question
If you look at the DCL help for BACKUP/BY_OWNER
BACKUP
/BY_OWNER
/BY_OWNER[=[uic]]
/BY_OWNER[=option]
As an input file-selection qualifier, /BY_OWNER causes BACKUP
to process files owned by the specified UIC. Specify the UIC as
octal numbers or in alphanumeric format (in the form [g,m]). Note
that the UIC specification must include the brackets. UIC formats
are described in the OpenVMS User's Manual. If you specify this
qualifier without a UIC, the default UIC is the current process
UIC. If you do not specify this qualifier, BACKUP processes all
files on the volume.
As an output file qualifier, /BY_OWNER redefines the owner UIC
for each file restored during the operation. As an output save-
set qualifier, /BY_OWNER specifies the owner UIC of the save set.
If you omit the /BY_OWNER qualifier, the save set receives the
UIC of the current process. To use /BY_OWNER as an output save-
set qualifier, you must have the SYSPRV user privilege or the UIC
must be your own.
>> Using /By_Owner=Original as an "Output Qualifier"
Yes, thats right. Looks like only the UIC gets propogated and not the
security profile.
Regards,
Murali
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 04:02 AM
тАО06-10-2010 04:02 AM
Re: Backup question
When I referred to security profile, I meant the protection string and any ACL identifiers.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 05:51 AM
тАО06-10-2010 05:51 AM
Re: Backup question
As the others in the notes replied, you can use /BY_OWNER=ORIGINAL qualifier to restore the files to the same ownership. And with respect to ACL identifier of the file, BACKUP├в s behavior for ACL identifier is same as subsystem ACE as explained in my previous reply. You should use the same account which holds the identifier to restore the file.
Regards,
Ketan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 08:04 AM
тАО06-10-2010 08:04 AM
Re: Backup question
This does not happen automatically, and doing it manually can be a pain in the proverbial.
On the receiving system, if the identifiers already exist but have the incorrect values, then they need to modified using the
UAF> modify /id
(see help)
if they dont exist, they should be created using
UAF> add /id
(see help)
Dave
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 10:23 AM
тАО06-10-2010 10:23 AM
Re: Backup question
saves these data when creating a save set,
but /INTERCHANGE can stop it. What happens
to these data when the save set is restored
is another question.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-10-2010 10:45 AM
тАО06-10-2010 10:45 AM
Re: Backup question
And again Dave is right: the NUMERIC value of any identifiers gets restored, and if the restore is to a system that has a different RIGHTSLIST, that may be VERY inconvenient.
That is exactly the reason that we had a really strict protocol for translating alphanumeric names to hex values - implying that whenever any installation generated its own identifier, its value is immediately changed to the value calculated for that name.
hth
Proost.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО06-11-2010 12:01 AM
тАО06-11-2010 12:01 AM
Re: Backup question
(1) BACKUP saves the SUBSYSTEM ACE in the save set.
(2) BACKUP restores the SUBSYSTEM ACE if the account under which it is being run holds the subsystem identifier.
(3) BACKUP does not restore the SUBSYSTEM ACE if the account under which it is being run does not hold the subsystem identifier, even if the account is privileged.
----------
Where is this documented? (backup, system security, somewhere else?)
I just tried this and it is true for non-image restores. I don't think it is backup that is doing anything special to limit what can be restored, my guess is that it is the XQP. Using set security/acl gets a similar error if the process is not holding the subsystem identifier.
An image restore can restore these ACLs without any problem. But in this case, the XQP is not involved, as the disk is mounted /foreign.
Summary: Process with all privs but not holding subsystem identifier will get this message when restoring the file to a XQP mounted disk:
OT$ backup test.bck/save [.itrc]/own=orig/ver/log
%BACKUP-I-SSINOTGRANTED, protected subsystem identifier not granted to this account; ACL not modified for ROOT$USERS:[JON.ITRC]TEST.
EXE;10
%BACKUP-S-CREATED, created ROOT$USERS:[JON.ITRC]TEST.EXE;10
%BACKUP-I-STARTVERIFY, starting verification pass at 11-JUN-2010 02:03:57.76
%BACKUP-S-COMPARED, compared ROOT$USERS:[JON.ITRC]TEST.EXE;10
OT$ set security/class=file /acl=(subsystem,ident=JON_TEST$SUBSYSTEM,attr=resource) ROOT$USERS:[JON.ITRC]TEST.EXE;10
%SET-F-WRITEERR, error writing ROOT$USERS:[JON.ITRC]TEST.EXE;10
-SYSTEM-F-SSINOTHELD, protected subsystem identifier not held; ACL not modified
OT$
An image restore will restore the subsystem ACE even if the process does not hold the protected subsystem identifier.
For more details see attachment.
Jon