Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!caip!nike!ucbcad!ucbvax!CSNET-RELAY.ARPA!HELLER%cs.umass.edu
From: HELLER%cs.umass.edu@CSNET-RELAY.ARPA (Stride 440 User)
Newsgroups: mod.computers.vax
Subject: RE: VMS: LP11s and file security
Message-ID: <8608162331.AA12523@ucbvax.Berkeley.EDU>
Date: Fri, 15-Aug-86 10:48:00 EDT
Article-I.D.: ucbvax.8608162331.AA12523
Posted: Fri Aug 15 10:48:00 1986
Date-Received: Sun, 17-Aug-86 09:40:40 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 62
Approved: info-vax@sri-kl.arpa

>From: McGuire_Ed%GRINNELL.Mailnet@MIT-MULTICS.ARPA
>Subj: VMS: questions about LP11s and file security
>
>Any ideas about the following problem would be most appreciated!
>
>We have some disks on our cluster that are mounted /SYSTEM on some nodes but
>not mounted at all on others. This is so that files on these "sensitive data
>disks" cannot be accidentally made available to students, who have accounts on
>nodes where the disks in question are not mounted.
>
>Our two LP11 printer controllers are currently installed in two 750s on the
>cluster. When printing files, the disks where the files reside must be mounted
>on the 750s for the print symbionts to open them. Therefore, the sensitive
>disks have been available from these nodes.
>
>Soon we will be authorizing students on the 750s. We wish to discontinue
>mounting the sensitive disks on the 750s. This has been a very easy way to
>protect that data. Unfortunately, the print symbionts would not be able to
>print files on the sensitive disks if we did this.
>
>Our alternatives, as I see them, are to leave the disks mounted or to move the
>printer controllers. But if we leave the disks mounted, we need a different
>security mechanism for those disks that is as easy to maintain and as efficient
>as our current method.
>But we have no secure system to move our LP11s to
>except one of our 8600s, and I've heard horror stories about performance of
>8600s when LP11s are active on the UNIBUS.

There is a possibly easy solution to this question. It is to create a rights
identifier for the sensitive data (possibly several identifiers if the data can
be reasonably compartmentalized, i.e. SECURE_ACCOUNTING for accounting info and
SECURE_GRADES for grades, etc.) and add this (these) identifier(s) to the
rightslist DB for the "authorized personnel" and not to the students. Then set
the ownership of the root directories (or maybe sub-directories) to the
appropriate identifier and world protection to zip (it does not really matter
what the protection on the files and subdirectories is, since if one can't
access the root, then the whole tree is inaccessible). You can then leave the
disks mounted /SYSTEM on any node, whether there are students on that node or
not.

An alternative is to use group UICs - put the accounting people in one group
and make all of their root files owned by some group member with world
protection set to zip. Of course if there is group overlap this won't work.

The rightslist identifiers in effect create "super groups" - everybody with
identifier XXX is in the group XXX and can get at any file owned by identifier
XXX. People who don't have identifier XXX can only touch files owned by XXX if
the world protection lets them. (Of course people with SYSPRV or a system UIC
can access files based upon system protection, but I am assuming you aren't
giving students SYSPRV or system UICs!)

I don't know anything about LP11s and 8600 UNIBUSes (I am mainly a software
person), but you would probably do better if you leave the LP11s on the 750s
since if the 8600 goes down, you can give access to the 750s to the people who
need to keep working (maybe kicking the students off for the duration of the
"emergency" or reducing their hours to non-prime time, etc.).
Robert Heller
ARPAnet: Heller@UMass-CS.CSNET
BITNET:  Heller@UMass.BITNET
BIX:     heller
GEnie:   rheller
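The identifier-ownership scheme described in the reply above, written out as a DCL session. This is an added example, not part of the original post or of any DEC documentation; the identifier name SECURE_ACCOUNTING, the device DUA1:, the directory ACCOUNTING.DIR and the username SMITH are placeholders chosen for illustration. The RESOURCE attribute is included on the assumption that one wants files created inside the tree by a holder to be owned by the identifier rather than by the creator's own UIC; the final steps are the check a non-holder should fail.

```dcl
$! Added example: compartment the sensitive data behind one rights identifier.
$! SECURE_ACCOUNTING, DUA1:, ACCOUNTING.DIR and SMITH are assumed names.
$!
$! 1. Create the identifier and grant it to the authorized staff only.
$!    /ATTRIBUTES=RESOURCE lets files created by a holder in a tree owned by
$!    the identifier be owned by the identifier, not by the holder's UIC.
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD/IDENTIFIER/ATTRIBUTES=RESOURCE SECURE_ACCOUNTING
UAF> GRANT/IDENTIFIER/ATTRIBUTES=RESOURCE SECURE_ACCOUNTING SMITH
UAF> SHOW/IDENTIFIER/FULL SECURE_ACCOUNTING
UAF> EXIT
$!
$! 2. Make the identifier the owner of the compartment's root directory and
$!    give group and world no access at all. "Owner" access now means
$!    "holds SECURE_ACCOUNTING"; students, who do not hold it, fall into
$!    the empty world category.
$ SET FILE/OWNER_UIC=[SECURE_ACCOUNTING] DUA1:[000000]ACCOUNTING.DIR
$ SET PROTECTION=(S:RWED,O:RWED,G,W) DUA1:[000000]ACCOUNTING.DIR
$ DIRECTORY/OWNER/PROTECTION DUA1:[000000]ACCOUNTING.DIR
$!
$! 3. Verify from a non-holder account. Drop the privileges that override
$!    file protection first, otherwise the test proves nothing.
$ SET PROCESS/PRIVILEGES=(NOSYSPRV,NOBYPASS,NOREADALL)
$ SHOW PROCESS/PRIVILEGES
$ DIRECTORY DUA1:[ACCOUNTING]
$!    expected: %RMS-E-PRV, insufficient privilege or file protection violation
```

The check in step 3 matters because SYSPRV, BYPASS and READALL each let a process read past the protection mask; a student account that carries any of them, or that lives in a system UIC group, is not stopped by this scheme regardless of how the directories are owned.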