HP OpenVMS Systems: ask the wizard
The Question is:

Is there a way, perhaps using ACLs, to grant a user rights to create files in a specified directory, without giving him rights to edit the file?

The Answer is:

Certainly. This is a variation on the "Project Directory" documented in the _OpenVMS Guide to System Security_ section 8.8.1.2. This requires OpenVMS V6.2 or higher. The following is an example...

First, a resource identifier must be available to own the files. The OpenVMS Wizard will use the identifier "TRAPDOOR" here, to describe the function of the directory:

    UAF> ADD/IDENTIFIER TRAPDOOR/ATTRIBUTES=RESOURCE

Next, the identifier must be granted to the user(s):

    UAF> GRANT/IDENTIFIER TRAPDOOR/ATTRIBUTES=RESOURCE WIZARD

Now create the directory to hold the files, and make it owned by the identifier:

    $ CREATE/DIRECTORY DISK$USERS:[TRAPDOOR]/OWNER=TRAPDOOR

Now add the ACL:

    $ SET SECURITY DISK$USERS:[000000]TRAPDOOR.DIR -
    _$ /ACL=(-
    _$ (DEFAULT_PROTECTION,S:RWED,O:R,G,W),- ! See note 1
    _$ (IDENTIFIER=TRAPDOOR,ACCESS=R+W+E),- ! See note 2
    _$ (IDENTIFIER=TRAPDOOR,OPTION=DEFAULT,ACCESS=READ),- ! See note 3
    _$ (CREATOR,ACCESS=READ)) ! See note 4

Note 1: System has full access to files, Group and World have none. This limits all access to the directory to system and holders of the TRAPDOOR identifier.

Note 2: Access to the directory itself allows READ and EXECUTE (which means holders of the TRAPDOOR identifier can see files in the directory) and WRITE (which allows them to create new entries).

Note 3: Default protection for files in the directory gives only READ access to holders of TRAPDOOR.

Note 4: This is the "creator" ACE; again, it allows only READ access.

This means that any holder of the TRAPDOOR identifier can create a new file in this directory. Once the file has been created, the user can read it, but cannot modify or delete it. Note that by OpenVMS rules, the user cannot create a new version of an existing file, as that would be equivalent to editing or deleting the file.
    $ COPY LOGIN.COM [TRAPDOOR]/LOG
    %COPY-S-COPIED, DISK$USERS:[WIZARD]LOGIN.COM;7 copied to DISK$USERS:[TRAPDOOR]LOGIN.COM;7 (2 blocks)
    $ COPY LOGIN.COM [TRAPDOOR]/LOG
    %COPY-E-OPENOUT, error opening DISK$USERS:[WIZARD]LOGIN.COM;7 as output
    -RMS-E-PRV, insufficient privilege or file protection violation
    %COPY-W-NOTCOPIED, DISK$USERS:[TRAPDOOR]LOGIN.COM;7 not copied

--

Another alternative would involve the use of DECnet task-to-task or a similar tool, and would have the user trigger a server to copy the file over into the directory. The user would trigger the server to perform the specified operation(s), and the server would contain a few simple checks, and would then (assuming the checks passed) COPY the user-specified file into the (protected) target directory.

The user would thus be unable to access the directory, and the server can establish and perform the appropriate file (re)naming as required, and maintain a log of the file submission times, sources, and such.

Discussions of various DCL task-to-task servers are included here in Ask The Wizard, as well as in documentation available from various other sources.
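One way the server side of that alternative could be written in DCL, added here as an example and not taken from the Wizard's answer or from HP documentation. The procedure name, the log file location and the particular checks are assumptions; the target directory is the one used above.

```dcl
$! SUBMIT_SERVER.COM - hypothetical DECnet task-to-task submission server.
$! Assumes it is defined as a DECnet task and runs under an account that can
$! read the submitted file and write to the target directory.
$ SET NOON                                  ! handle errors ourselves
$ target  = "DISK$USERS:[TRAPDOOR]"         ! protected directory from the page
$ logfile = "SYS$LOGIN:SUBMIT_SERVER.LOG"   ! hypothetical log location
$ request = ""
$ result  = "REJECTED: no request received"
$! Who is asking: DECnet defines these logical names for the server process.
$ who = F$TRNLNM("SYS$REM_NODE") + F$TRNLNM("SYS$REM_ID")
$ OPEN/READ/WRITE net SYS$NET               ! logical link to the client
$ READ/END_OF_FILE=reply/ERROR=reply net request
$! REQUEST is untrusted: use it only as a lexical-function argument, never
$! with apostrophe substitution on a command line.
$ result = "REJECTED: empty or invalid file specification"
$ IF request .EQS. "" THEN GOTO reply
$ IF F$PARSE(request,,,,"SYNTAX_ONLY") .EQS. "" THEN GOTO reply
$ result = "REJECTED: node names and wildcards are not accepted"
$ IF F$PARSE(request,,,"NODE","SYNTAX_ONLY") .NES. "" THEN GOTO reply
$ IF F$LOCATE("*",request) .NE. F$LENGTH(request) THEN GOTO reply
$ IF F$LOCATE("%",request) .NE. F$LENGTH(request) THEN GOTO reply
$ IF F$LOCATE("...",request) .NE. F$LENGTH(request) THEN GOTO reply
$ result = "REJECTED: source file not found"
$ src = F$SEARCH(request)
$ IF src .EQS. "" THEN GOTO reply
$! The server, not the user, chooses the target name: directory and version
$! from the request are discarded, and existing files are never superseded.
$ dest = target + F$PARSE(src,,,"NAME") + F$PARSE(src,,,"TYPE")
$ result = "REJECTED: a file of that name was already submitted"
$ IF F$SEARCH(dest) .NES. "" THEN GOTO reply
$ COPY 'src' 'dest'
$ copy_ok = $STATUS                         ! capture before it is overwritten
$ result = "REJECTED: copy failed"
$ IF copy_ok THEN result = "ACCEPTED: " + dest
$reply:
$! Log every submission attempt: time, source, request text and outcome.
$ IF F$SEARCH(logfile) .EQS. "" THEN CREATE 'logfile'
$ OPEN/APPEND log 'logfile'
$ WRITE log F$TIME(), " ", who, " """, request, """ ", result
$ CLOSE log
$ WRITE net result                          ! tell the client what happened
$ CLOSE net
$ EXIT
```

The server reads the source file with its own access rights, so the account it runs under should have no more read access than the submitting users are meant to have.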