Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site ucbvax.BERKELEY.EDU
Path: utzoo!decvax!bellcore!ulysses!cbosgd!ucbvax!CITHEX.CALTECH.EDU!carl
From: carl@CITHEX.CALTECH.EDU (Carl J Lydick)
Newsgroups: mod.computers.vax
Subject: RE: VMS: LP11s and file security
Message-ID: <860817113616.008@CitHex.Caltech.Edu>
Date: Sun, 17-Aug-86 14:36:43 EDT
Article-I.D.: CitHex.860817113616.008
Posted: Sun Aug 17 14:36:43 1986
Date-Received: Tue, 19-Aug-86 00:43:28 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 22
Approved: info-vax@sri-kl.arpa

> >Subj: VMS: questions about LP11s and file security

I find it hard to believe that not one, but several people, have submitted 'solutions' to this problem without bothering to see if they had the slightest chance of working. In particular, the one fallacious assumption that seems to be more common than I would have believed is that: "it does not really matter what the protection is on the files and subdirectories, since if one can't access the root, then the whole tree is inaccessible". This assumption has turned up in two separate submissions, and it points out the crying need for some documentation on how a FILES-11 ODS works, and how RMS deals with one.

You DO NOT have to have access to the MFD (master file directory, not "root") in order to access the rest of the files on the disk, unless they all reside in the MFD. In order to protect all the files on the disk, you would have to set an acl on every directory on the disk. And besides, there's a much more straightforward way of doing this:

    $ SET ACL/OBJECT_TYPE=DEVICE/ACL=(ace,....) device_name

Sets an acl not on the files, but on the device itself. Thus, there need be only one ACL checked per channel assignment to the disk; you don't have to hope that nobody makes a good guess as to the names of the user-file directories on the disk and therefore gets access to the files without access to the MFD, and if you want to change your policy regarding access, there's only one ACL that has to be modified.