Trailing-Edge
-
PDP-10 Archives
-
AP-D543V_SB
-
fld1.doc
There is 1 other file named fld1.doc in the archive. Click here to see a list.
FILDAE.DOC -- V1(16)
February 1977
Copyright (C) 1976,1977
Digital Equipment Corporation, Maynard, Mass.
This software is furnished under a license for use only on a single
computer system and may be copied only with the inclusion of the above
copyright notice. This software, or any other copies thereof, may not
be provided or otherwise made available to any other person except for
use on such system and to one who agrees to these license terms.
Title to and ownership of the software shall at all times remain in
DEC.
The information in this software is subject to change without notice
and should not be construed as a commitment by Digital Equipment
Corporation.
DEC assumes no responsibility for the use or reliability of its
software on equipment which is not supplied by DEC.
FLD1.DOC Page 2
FILDAE.DOC -- V1(16)
February 1977
1.0 SUMMARY
The support for a File Daemon, in the 6.03 Monitor, provides for
extended file protection. The File Daemon described in this .DOC file
is a prototype that you may use to help you in understanding the
monitor support for this feature. The File Daemon is being supplied
to serve as a prototype for the File Daemon you may desire at your
installation. Installations will have varying types of accounting and
file security measures at these installations. Therefore, each
installation's File Daemon may be written to account for these
differences and requirements. The DIGITAL-supplied prototype File
Daemon supports access lists and access logging which is performed on
a user's or a system administrator's request.
1.1 BIBIOGRAPHY
603.MCO lists the monitor changes made to support a File Daemon. In
particular, refer to MCO number 6370 for a description of when the
monitor passes control to the File Daemon.
2.0 EXTERNAL CHANGES (USER INTERFACE)
The File Daemon allows any user to specify who can (and cannot) access
their files. Each user may create a file called ACCESS.USR (which is
described in section 2.2). This file optionally lists the names of
some or all of that user's files and specifies, on an individual file
basis, the users who can and cannot access those files. Under
specific conditions, the File Daemon examines the user's ACCESS.USR
file and may record information regarding specific access requests to
the listed files in a separate file called ACCESS.LOG.
2.1 The File Daemon
The monitor calls the File Daemon (only if the monitor feature test
switch FTFDAE = - 1) each time that someone tries to access a file
that has a 4, 5, 6, or 7 protection code in the owner's protection
code field and the access fails due to a protection error or due to
any protection error because of the directory protection code. For
example, if you protect a file against a specific user and that user
attempts access to your file (e.g., LOOKUP, ENTER, RENAME), the
monitor suspends the execution of the user's program and it sends a
message to the File Daemon. This message includes the type of access
the user is attempting and that user's project-programmer number. The
File Daemon is given control, and it looks for your file called
ACCESS.USR (which must be on the same file structure as the file being
accessed and which should be in the same directory area as the file
FLD1.DOC Page 3
being accessed). After examining ACCESS.USR, the File Daemon returns
to the monitor the highest type of access you have specified that this
user can have to your file and it logs the access request in
ACCESS.LOG (if you set the /LOG switch in your ACCESS.USR). All of
this occurs even when you attempt to access your own file, if that
file has a 4, 5, 6, or 7 protection code in the owner's protection
code field. However, as the file's owner, you can read your file and
change its protection code without having the File Daemon called.
Depending on the information you specified in your ACCESS.USR, the
File Daemon either grants or denies access to the accessing user.
If the monitor attempts to pass control to the File Daemon, but it is
not running, the accessing user is denied access to the file unless
the program has full file access rights ([1,2] or JACCT). The same
result occurs when one of the following conditions occurs:
1. The File Daemon cannot find ACCESS.USR in the same path as
the file to-be-accessed.
2. The File Daemon cannot find ACCESS.USR in a higher-level
directory, when a scan up the directory structure is made.
If the File Daemon finds ACCESS.USR but cannot find the accessed file
name in ACCESS.USR, the File Daemon denies that user access to your
file. Access is also denied to that user if the file name is found in
ACCESS.USR but the accessing user's project-programmer number does not
match any of the project-programmer numbers you have specified that
may have access to your file.
All files listed in your ACCESS.USR are assumed to be in the same UFD
as the file ACCESS.USR. However, if your ACCESS.USR is in your UFD
and describes the type of access to be allowed to files contained in
SFDs the full path to the file in the SFD must be specified before the
File Daemon will consider the file specifications to match. The File
Daemon treats all file accessors the same. All accesses to a file
having a 4, 5, 6, or 7 protection code in the owner's protection code
field cause the File Daemon to be called when a protection error
occurs. The File Daemon is always called when a protection error
occurs as a result of the directory protection code. Because of this
equal treatment, you should note the following:
1. If a [1,2] job attempts to access a file that is protected
such that the File Daemon is called, that job may be denied
access to the file. This is a possible problem, for example,
if the [1,2] job is FAILSA or BACKUP and you have denied
(either implicitly or explicity) these programs access to
your files. When you do this, your file will not be
failsafed. Therefore, you must accept the responsibility for
failsafing your own files.
FLD1.DOC Page 4
2. In general, full file access programs will not be allowed to
read your files. Therefore, under most circumstance, QUEUE
would not be allowed to queue a file that was protected such
that the File Daemon was called.
3. If the file's owner protection code field is such that the
the File Daemon is called and the owner has neglected to
include his own project-programmer number in ACCESS.USR for
this file, the File Daemon grants the owner the same type of
access as if a 7 were in the owner's protection code field
(the owner can only read or change the protection of the
file).
4. ACCESS.USR files may be restored at arbitrary times.
Therefore, a full restore of the disk using BACKUP or FAILSA
should not be done when the File Daemon is running. If such
a full restore is done, the action may not allow
BACKUP/FAILSA to restore files that ACCESS.USR allows them to
backup.
5. The CHKACC UUO will tell a program what a users file access
privileges are. Thus by using CHKACC, a program can tell if
the File Daemon will be called, but the access privileges
returned by the File Daemon are not known.
2.2 ACCESS.USR
Every user can create their own ACCESS.USR file. ACCESS.USR is made
up of one or more 'command lines'. Each 'command line' must be
written in the following format:
file-spec/switches=[ppn]/switches,...,[ppn]/switches
The file-spec is a full file specification (i.e., device:
filename.extension[path]. The File Daemon scans each line of
ACCESS.USR until it matches a file-spec on the left of the equal sign
and a ppn on the right. All access rights will then be determined by
that line (there will be no continued scan). The user should
minimally specify one of the switches synonymous with protection codes
(READ,EXECUTE,ALL,..) for that file-spec. If no switch is specified,
a default of /NONE is provided. The possible switches are listed
below:
Switch Meaning
/LOG - /NOLOG
This switch causes the File Daemon to log any access attempt
in the file ACCESS.LOG. If this switch is specified, a LOG
entry is appended to the end of ACCESS.LOG, which is found in
the same directory as your ACCESS.USR. The log entry
includes the following:
FLD1.DOC Page 5
the date of the access
the time of the access
the job number of the accessing job
the project-programmer number and name
associated with the accessing job
the name of the accessing program
the type of access attempted
the full file specification of the accessed file
the access permitted, detailing whether access was
permitted to the file
If the /EXIT or /CLOSE switch (described below) is also
specified, the following information is also included in the
LOG entry: (both in the initial entry and again when the
file is closed)
the accessing job's run time
kilo-core-seconds
disk reads
disk writes
If the File Daemon cannot find ACCESS.LOG in your area, it
creates one, giving it the same protection code as your
ACCESS.USR. Note that the File Daemon can always access
ACCESS.USR and ACCESS.LOG.
/LOG:SWITCH value
This switch allows conditional logging based on the switch
value. the following are legal switch values:
ALL - log all accesses attempted (same as /LOG).
NONE - do not log accesses (same as /NOLOG).
SUCCESSES - log only those accesses which were permited to
succeed.
FAILURES - log only those accesses which were not permited.
/CLOSE - /NOCLOSE
If the /LOG switch and the /CLOSE switch are specified, the
File Daemon makes the log entry in ACCESS.LOG when the file
is closed.
/EXIT - /NOEXIT
If a program is executing and the /LOG and /EXIT switches
have been specified, the File Daemon makes the log entry when
the program has finished execution.
FLD1.DOC Page 6
/CREATE - /NOCREATE
The /CREATE switch allows a user who would ordinarily not be
allowed to create files in your directory to do so. This
switch is used in conjunction with one of the ACCESS.USR
switches that are synonomous with protection codes (e.g.,
/RENAME). This switch can appear on either side of the equal
sign. An example of a command line with the /CREATE switch
is
WONDER.TST/CREATE/NONE=[*,*]
which allows any user to create WONDER.TST in your directory,
but none of those users may have any other access to that
file. Another example is
WONDER.TST=[10,3333]/CREATE/READ[*,*]/NONE
which prevents all users from accessing the file WONDER.TST,
but allows user [10,3333] to create the file WONDER.TST.
/PROTECTION:nnn
This switch specifies the protection code with which a file
will be created. This switch is allowed only on the left
side of the equal sign. The value nnn must be an octal
number in the range 0-777. The file is created with the
specified protection code if the following conditions occur:
1. The /PROTECTION switch is specified.
2. The File Daemon is called because a user attempts to
create a file in your directory protected against that
user.
3. The File Daemon allows the user to create the file
(determined by the contents of ACCESS.USR).
/PROGRAM:file-spec
This switch allows the specified program to have the
specified type of access to the file. This switch can only
appear on the right side of the equal sign in the command
line. For example:
ONE.TST/READ=[10,10],[10,65]/WRITE,[1,2]/PROGRAM:SYS:BACKUP
where [10,10] jobs can read ONE.TST; [10,65] jobs can read
and write ONE.TST; a job logged in under [1,2] running
BACKUP can read the file. No other users can access ONE.TST.
You may omit the device specification or you may specify DSK:
or ALL: in the file-spec argument to the PROGRAM switch.
FLD1.DOC Page 7
However, this is not a recommended procedure because there
may be potential security violations. The File Daemon has no
knowledge of your search list; therefore, DSK: is treated
identically to ALL:. It is recommended that the device name
be either a file structure name or an ersatz device (LIB: is
not allowed, though).
/XONLY This switch, when it appears in conjunction with the /PROGRAM
switch, will consider the program specified in the file spec
argument to the /PROGRAM switch to match the program doing
the accessing only if this accessing program is execute only.
/ALL ALL access is allowed when this switch is specified.
Specified accessors of this file can change the protection of
the file, rename, write, execute, update, and append to the
file. (This is the same as protection code 0).
/RENAME Rename access is allowed. Specified accessors of this file
can rename, write, read, execute, update, and append to the
file. (This is the same as protection code 1).
/WRITE Write access is allowed. Specified accessors of this file
can write, read, execute, update, and append to the file.
(This is the same as protection code 2).
/UPDATE Update access is allowed. Specified accessors of this file
can update, append, read, or execute the file. (This is the
same as protection code 3).
/APPEND Append access is allowed. Specified accessors of this file
can append, read, or execute the file. (This is the same as
protection 4).
/READ Read access is allowed. Specified accessors of this file can
read or execute the file. (This is the same as protection
code 5).
/EXECUTE Execute access is allowed. Specified accessors of this file
can only execute the file. (This is the same as protection
code 6).
/NONE No access is allowed to the file. (This is the same as
protection code 7).
FLD1.DOC Page 8
ACCESS.USR is used to specify for each file which project-programmer
numbers can access your files and what type of access those accessors
can have to the file. The switches indicate the type of access
allowed.
Switches that appear on the left side of the equal sign affect all
project-programmer numbers appearing on the right side of the equal
sign. However, with the exception of the /PROTECTION switch, the
switch on the left can be overridden for one or more
project-programmer numbers on the right by explicitly specifying
another switch. For example, if the following line appeared in your
ACCESS.USR:
TEST.TST/ALL=[10,*],[11,*],[27,*],[17,*]/NONE
the File Daemon would allow all members of projects 10, 11, and 27 to
have complete access to the file TEST.TST. However, members of
project 17 would be denied access to TEST.TST. For PPN's other than
10, 11, 27, 17, the File Daemon would search for a later TEST.TST
which contained the accessing PPN. If no match is found, the
accessing PPN's request is denied.
Full wild card specifications are allowed both on the left and right
side of the equal sign. Comments and continuation lines are allowed
in ACCESS.USR. A comment on a line or a comment line must begin with
a semicolon or an explanation point. A continuation line is indicated
by inserting a hyphen (minus sign) immediatly proceeding the <CR>
which terminates the current line. If there is a syntax error in a
line in ACCESS.USR, that line is ignored. You should ensure the
accuracy of your own ACCESS.USR files by proofing carefully. If the
following line were in your ACCESS.USR:
FOO.BAR+[*,*]
the line would be ignored because a + sign appeared where an = sign
should have appeared. All users will be denied access to FOO.BAR
since the File Daemon denies access to all files not appearing in
ACCESS.USR. Since the File Daemon ignores the line, it does not know
that FOO.BAR is listed in the file.
EXAMPLE
The following is an example of an ACCESS.USR file which uses most of
the features of the File Daemon.
Directory user = [13,675]
Directory protection = <700>
FLD1.DOC Page 9
File Protection
ACCESS.USR <777>
ACCESS.LOG <777>
F1.TST <077> - File Daemon will not be called.
F2.TST <457> - Project may READ, otherwise call
File Daemon.
F3.TST <477> - only owner may access without File
Daemon.
F4.TST <777> - Call File Daemon on all accesses.
ACCESS.USR
ACCESS.*/NONE=[*,*] ;No one can touch the ACCESS.USR and
ACCESS.LOG including [1,2] and JACCT
users. Note that these files cannot
be backed up if the File Daemon is
running.
ALL:*.*/READ/LOG=[1,2]/PROGRAM:SYS:BACKUP/XONLY
;Allow BACKUP (from SYS, execute
only, and running under [1,2]) to
read file and make LOG entry.
F?.TST/LOG=[10,11]/NONE,[10,*]/EXECUTE/EXIT/CLOSE
;Log Project 10 attempts to use
F1,F2,F3, catch [10,11] and permit no
access. Other project users may
EXECUTE only with additional log
entries to record statistics.
*.*/CREATE/PROTECTION:055=[12,21]/ALL,[12,17]
;[12,21] has privileges for all files
(except ACCESS.*) and may create
files which have a protection of 055.
[12,17] has no access to any file
(/NONE is a default) but may create
files. No log entries will be made.
*.*/CREATE/PROTECTION:777/LOG=[123,456]/NONE
;[123,456] may create files at will
but may not access them (e.g., a
student turning in homework).
*.*[13,675,A]/ALL/PROTECTION:057/CREATE=[1,2]/LOG
;[1,2] has all privileges in this SFD
and may create files with a
protection of 057.
FLD1.DOC Page 10
[13,675].UFD/LOG/READ=[*,*] ;Anyone may read this directory as a
file.
F3.TST/LOG=[12,3]/EXECUTE
*.*/LOG=[12,3]/NONE ;[12,3] may execute F3.TST and
nothing else.
*.*=[*,*]/NONE ;No other access is granted and no
LOG entry is made.
Note that entries are scanned from left to right and top to bottom
with the scan stopping on the first match of file on left of equal
sign and a ppn on the right side of the equal sign. In constructing
the ACCESS.USR file, care should be taken to see that a wild card spec
will not match in a line earlier than a specific spec in a later line.
As a general rule put specific statements first with more general
"catch all's" later. The user is also reminded that if he wants log
entries, he must use the /LOG (any of and /EXIT, /CLOSE, etc.) on
every line for which this is true.
3.0 KNOWN BUGS AND DEFICIENCIES
None.
4.0 INSTALLATION INSTRUCTIONS
Install the File Daemon (FILDAE) on SYS and include the following
sequence of instructions in the OPSER AUTO file (OPR.ATO):
:SLOG 1/2
.R FILDAE
The File Daemon DETACHes itself and runs unattended; therefore, it
does not monopolize an OPSER PTY.
If the File Daemon crashes for any reason, the operator should ATTACH
to the File Daemon job and type the following:
R FILDAE
The operator should not log in another job and run the File Daemon, as
this action will not work.
FLD1.DOC Page 11
5.0 INTERNAL CHANGES
Not applicable for this version.
6.0 SUGGESTIONS
1. LOOKUP ACCESS.USR on the file structure where the file being
accessed resides (this is what is currently done). If this
LOOKUP fails because the file is not found, look it up on DSK
using the SYS: search list.
2. Allow passwords to be specified in ACCESS.USR and ask the
user attempting to access the file for the password before
allowing access.
3. Allow a file specification as an argument to the LOG switch.
4. The 5 series file system defines 17 levels of privileges
which are mapped into the 8 levels of protection which may be
specified in the 3-bit protection field. Have the File
Daemon implement switches which correspond to privileges
rather than the protection code.
5. Implement a mechanism to include or exclude calls to the File
Daemon on a per directory basis. This requires monitor
changes.
[End of FLD1.DOC]