R. D. Taylor Inc., a company specializing in building supplies,decides to set up a protected subsystem for its purchasing and accountspayable departments. Although the departments are in different partsof the company, they share a common database for recording purchasesfrom suppliers.
When the company's inventory drops below the desired level,the purchasing department is directed to order required supplies.Purchasing personnel find suppliers (if necessary), assign purchaseorder numbers, and issue a purchase orders.
When the goods arrive, the receiving and quality control departmentscheck the contents against what was ordered, ensure the goods meetquality standards, and put the goods into inventory. Once the shipmentis processed, the information goes to the accounts payable department,which settles the invoices.
Administrators in the accounts payable department check theinvoices against purchase orders and run a payments program to calculatethe monies due to suppliers each week. Payments are recorded ina database, and checks are printed on a printer loaded with companychecks.
Using the subsystem lets the company meet two objectives:
It gives purchasing personnel theright to reference or record purchase orders in the company database, andit gives personnel in the accounts payable department the rightto verify suppliers' invoices. Purchasing personnel with these taskshold the SUPPLIERS_ORDERS identifier. Accounts payable personnelhold the ACCOUNTS_PAYABLE identifier.
These employees run ORDERS.EXE to update the supplier information.The program stores data in ORDERS.DAT.
It gives trusted administrators in the accountspayable department the right to update databases, calculate paymentsdue, and print checks. (One printer, loaded with company checks,is used for this purpose.) These administrators hold the ACCOUNTS_PAYABLEidentifier.
The administrators run PAYMENTS.EXE to perform these tasks.The program records payments made in the data file PAYMENTS.DAT.
Figure 2 Directory Structure of the Taylor Company'sSubsystem
Protectingthe Top-Level Directory
McGrey implements a directory structure in which users cangain access to the subsystem only by holding an appropriate identifier:purchasing personnel hold the identifier SUPPLIERS_ORDERS, and theaccounts payable administrators hold the identifier ACCOUNTS_PAYABLE.As subsystem manager, McGrey holds the identifier SUPPLIERS_SUBSYSTEM.
The top-level directory SUPPLIERS_SUBSYSTEM.DIR has the protectionshown in the following example.
Directory SYS$SYSDEVICE:[000000]SUPPLIERS_SUBSYSTEM.DIR;1SUPPLIERS_SUBSYSTEM (RWE,RWE,,)[1](CREATOR,ACCESS=NONE)[2](DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:,WORLD:)[3](IDENTIFIER=SUPPLIERS_SUBSYSTEM,ACCESS=READ+WRITE+CONTROL)[4](IDENTIFIER=SUPPLIERS_ORDERS,ACCESS=EXECUTE)[5](IDENTIFIER=ACCOUNTS_PAYABLE,ACCESS=EXECUTE)[6](IDENTIFIER=*,ACCESS=NONE)[7](IDENTIFIER=SUPPLIERS_SUBSYSTEM, OPTIONS=DEFAULT,ACCESS=READ+WRITE+CONTROL)[8](IDENTIFIER=SUPPLIERS_ORDERS,OPTIONS=DEFAULT,ACCESS=EXECUTE)(IDENTIFIER=ACCOUNTS_PAYABLE,OPTIONS=DEFAULT,ACCESS=EXECUTE)(IDENTIFIER=*,OPTIONS=DEFAULT,ACCESS=NONE)Total of 1 file.
The directory's protection code givesread, write, and execute access to users in the system and owner categoriesbut no access to group or world users. Therefore, group and worldusers have to gain access through the ACL.
A Default Protection ACE denies group and worldusers access to files created in directory.
McGrey holds the subsystem identifier SUPPLIERS_SUBSYSTEM.This ACE gives McGrey read, write, and control access so McGreycan manage the subsystem directories and images.
Holders of the SUPPIERS_ORDERS identifier have executeaccess so they can access files in subdirectories.
Holders of the ACCOUNTS_PAYABLE identifier haveexecute access so they can access files in subdirectories.
Users holding any other identifiers have no access.
McGrey added the Default attribute to all IdentifierACEs and includes them here so all Identifier ACEs are propagatedto subdirectory ACLs.
Protecting Subsystem Directories
The directory EXE.DIR has the same protection as the top-leveldirectory because subsystem users need to access the subsystem images:ORDERS.EXE and PAYMENTS.EXE. The other directory, LIB.DIR, is more restrictedbecause only the subsystem images and McGrey need access.
Example 3 Protectionof SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM]
[SUPPLIERS_SUBSYSTEM.EXE] has the sameprotection code and ACL as the parent directory shown in Protecting the Top-Level Directory. Subsystem users need to run programsstored in this directory.
[SUPPLIERS_SUBSYSTEM.LIB] has the same protectioncode but a more restrictive ACL because only the subsystem managerand the subsystem images need access.
Protecting the Images and Data Files
As the following example shows, the necessary company personnelcan access the subsystem's images, ORDERS.EXE and PAYMENTS.EXE,but only the images can update the data files.
Example 4 Accessto Subsystem's Images ORDERS.EXE and PAYMENTS.EXE
Directory SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM.EXE]ORDERS.EXE;1 SUPPLIERS_SUBSYSTEM (RWED,RWED,,)[1](SUBSYSTEM,IDENTIFIER=SUPPLIERS_SUBSYSTEM, ATTRIBUTES=RESOURCE)(IDENTIFIER=SUPPLIERS_SUBSYSTEM, ACCESS=READ+WRITE+CONTROL)(IDENTIFIER=ACCOUNTS_PAYABLE,ACCESS=EXECUTE)(IDENTIFIER=*,ACCESS=NONE)PAYMENTS.EXE;1 SUPPLIERS_SUBSYSTEM (RWED,RWED,,)[2]SUBSYSTEM,IDENTIFIER=SUPPLIERS_SUBSYSTEM, ATTRIBUTES=RESOURCE)(IDENTIFIER=SUPPLIERS_SUBSYSTEM, ACCESS=READ+WRITE+CONTROL)(IDENTIFIER=ACCOUNTS_PAYABLE,ACCESS=EXECUTE)(IDENTIFIER=*,ACCESS=NONE)Total of 2 files.Directory SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM.LIB][3]ORDERS.DAT;1 SUPPLIERS_SUBSYSTEM (RWED,RWED,,)(IDENTIFIER=SUPPLIERS_SUBSYSTEM, ACCESS=READ+WRITE)(IDENTIFIER=*,ACCESS=NONE)PAYMENTS.DAT;1 SUPPLIERS_SUBSYSTEM (RWED,RWED,,)(IDENTIFIER=SUPPLIERS_SUBSYSTEM, ACCESS=READ+WRITE)(IDENTIFIER=*,ACCESS=NONE)Total of 2 files.Grand total of 3 directories, 6 files.
All subsystem users, those holdingthe SUPPLIERS_ORDERS or ACCOUNTS_PAYABLE identifier, can run ORDERS.EXE.
Only subsystem images and holders of the ACCOUNTS_PAYABLEidentifier can run PAYMENTS.EXE.
The data files for the subsystem reside in [SUPPLIERS_SUBSYSTEM.LIB].Only the subsystem images and McGrey can access them.
Protecting the Printer
The print queue for checks needs equal protection. Accessis restricted to trusted administrators because they are the onlyones who hold both the subsystem and the ACCOUNTS_PAYABLE identifiers. Queue Protection shows that thequeue is protected in such a way that only the trusted administratorscan queue jobs to the printer:
Example 5 Queue Protection
$ SHOW SECURITY/CLASS=QUEUE TTA1
TTA1 object of class QUEUE Owner: [SYSTEM] Protection: (System: M, Owner: D, Group, World) Access Control List: (IDENTIFIER=SUPPLIERS_SUBSYSTEM+ACCOUNTS_PAYABLE,- ACCESS=READ+SUBMIT+MANAGE+DELETE) (IDENTIFIER=*,ACCESS=NONE)
$ SET NOON$ OLD_PRIV = F$SETPRV("NOALL,SYSPRV,CMKRNL,OPER")$ OLD_DEFAULT = F$ENVIRONMENT("DEFAULT")$$ ON CONTROL_Y THEN GOTO LEAVE$$ IF P1 .EQS. "REMOVE" THEN GOTO CLEANUP$ IF P1 .EQS. "VERIFY" THEN SET VERIFY$!$! Create the subsystem identifier and the identifiers for personnel$! performing two different tasks.$!$ SET DEFAULT SYS$SYSTEM$ RUN AUTHORIZEADD/IDENTIFIER SUPPLIERS_SUBSYSTEM/ATTRIBUTES=(RESOURCE,SUBSYSTEM)ADD/IDENTIFIER SUPPLIERS_ORDERSADD/IDENTIFIER ACCOUNTS_PAYABLE!! Grant the subsystem identifier to the subsystem manager: McGrey.!GRANT/IDENTIFIER SUPPLIERS_SUBSYSTEM MCGREY/ATTRIBUTE=(RESOURCE,SUBSYSTEM)$!$! Set up the print queue. $!$ INITIALIZE/QUEUE/START TTA1$ SET SECURITY/ACL=(- (ID=SUPPLIERS_SUBSYSTEM+ACCOUNTS_PAYABLE,ACCESS=READ+SUBMIT+MANAGE+DELETE), - (ID=*,ACCESS=NONE) )/PROTECTION=(G,W)/CLASS=QUEUE TTA1: $!$! Create the directory root to hold the subsystem.$!$!$! Assume that we logged in as McGrey.$!$ SET RIGHTS_LIST/ENABLE SUPPLIERS_SUBSYSTEM/ATTRIBUTE=(RESOURCE,SUBSYSTEM)$ SET DEFAULT SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM]$!$! Create the directories for the images and the data files.$!$ CREATE/DIR [SUPPLIERS_SUBSYSTEM.EXE]/PROTECTION=(G,W)$ CREATE/DIR [SUPPLIERS_SUBSYSTEM.LIB]/PROTECTION=(G,W)$ SET SECURITY/ACL=( (ID=SUPPLIERS_ORDERS,ACCESS=EXECUTE), - (ID=ACCOUNTS_PAYABLE,ACCESS=EXECUTE), - (ID=SUPPLIERS_ORDERS,OPTIONS=DEFAULT,ACCESS=EXECUTE), - (ID=ACCOUNTS_PAYABLE,OPTIONS=DEFAULT,ACCESS=EXECUTE) )/DELETE - [SUPPLIERS_SUBSYSTEM]LIB.DIR$!$! Emulate the creation of the subsystem images.$!$ SET DEFAULT [.EXE]$ CREATE ORDERS.MAR .ENTRY START,0 $setpri_s pri=#010$: BRB 10$ ret .END START$ MACRO ORDERS$ LINK ORDERS$ SET SECURITY/PROTECTION=(W:RWED) ORDERS.MAR;*,.OBJ;*$ DELETE ORDERS.MAR;*,.OBJ;*$ COPY ORDERS.EXE PAYMENTS.EXE$!$! Apply the appropriate protection to the images.$!$ SET SECURITY/ACL=(ID=SUPPLIERS_ORDERS,ACCESS=EXECUTE)/DELETE PAYMENTS.EXE$ SET SECURITY/ACL=(SUBSYSTEM,ID=SUPPLIERS_SUBSYSTEM,ATTRIBUTES=RESOURCE) ORDERS.EXE$ SET SECURITY/ACL=(SUBSYSTEM,ID=SUPPLIERS_SUBSYSTEM,ATTRIBUTES=RESOURCE) PAYMENTS.EXE$!$! Create and protect the data files used by the applications.$!$ SET DEFAULT [-.LIB]$ CREATE ORDERS.DAT$ CREATE PAYMENTS.DAT$ SET SECURITY/ACL=( (ID=SUPPLIERS_SUBSYSTEM,ACCESS=READ+WRITE), - (ID=*,ACCESS=NONE) ) ORDERS.DAT$ SET SECURITY/LIKE=(NAME=ORDERS.DAT) PAYMENTS.DAT$!$! Show the directory structure and the queue protection.$!$ SET DEFAULT 'OLD_DEFAULT'$ DEFINE SYS$OUTPUT SUBSYS.LIS$ DIRECTORY/SECURITY SYS$SYSDEVICE:[000000]SUPPLIERS_SUBSYSTEM.DIR$ DIRECTORY/SECURITY SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM...] $ SHOW SECURITY/CLASS=QUEUE TTA1 $ DEASSIGN SYS$OUTPUT$$ LEAVE:$ IF P1 .EQS. "VERIFY" THEN SET NOVERIFY$ SET DEFAULT 'OLD_DEFAULT'$ SET PROC/PRIV=('OLD_PRIV')$ EXIT$$ CLEANUP:$ SET PROC/PRIV=BYPASS$ SET DEFAULT SYS$SYSDEVICE:[000000]$ DELETE [SUPPLIERS_SUBSYSTEM...]*.*.*$ DELETE [SUPPLIERS_SUBSYSTEM]EXE.DIR;$ DELETE [SUPPLIERS_SUBSYSTEM]LIB.DIR;$ DELETE SUPPLIERS_SUBSYSTEM.DIR;$ STOP/QUE/NEXT TTA1$ DELETE/QUEUE TTA1$ GOTO LEAVE