
Conference vaxaxp::vmsnotes

Title: VAX and Alpha VMS
Notice: This is a new VMSnotes, please read note 2.1
Moderator: VAXAXP::BERNARDO
Created: Wed Jan 22 1997
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 703
Total number of notes: 3722

454.0. "File protection EXEC only allows READ,WRITE" by NEWVAX::DISNEY (Jim Disney, phone 410-643-5578) Fri Apr 11 1997 11:04

    EXEC only protection on a file allows EXEC, READ, WRITE unless the parent
    directory overrides. Shouldn't file protection override parent
    directory?

454.1. "Execute Is Often a Subset Of Read..." by XDELTA::HOFFMAN (Steve, OpenVMS Engineering) Fri Apr 11 1997 11:58 (22 lines)

    "Execute" on a file object is a subset of "read" and is a relatively
    "soft" protection attribute -- in the case of a file containing an
    executable image, one must read the object in order to execute it.

    Depending on the specific type of object -- executable file, queue,
    global section, etc -- involved, various security-relevant actions
    may be taken.  (Execute-only access causes the image activator to
    effectively treat the image as if it were installed, for instance.)

    "Execute" on a directory prohibits wildcard operations on the
    directory.  With "read", one can perform wildcard operations.  In
    either case, one can explicitly reference specific files in the
    directory.

    Realize that files can be directly accessed via FID, completely
    bypassing any directory protection scheme.  In other words, the
    directory protections apply to the filename "namespace", and not
    to the file contents.

    Please see the security manual for details...

454.2. by ALPHAZ::HARNEY (John A Harney) Fri Apr 11 1997 12:57 (8 lines)

re: .0

Also, please consider giving actual examples.

What you're doing to the file will determine which
protection gets checked, and for what.

\john

454.3. by AUSS::GARSON (DECcharity Program Office) Sun Apr 13 1997 23:25 (21 lines)

re .0
    
>    EXEC only protection on a file allows EXEC, READ, WRITE unless the parent
>    directory overrides.
    
    If I have not misunderstood, this statement is false.
    
    If a file allows only EXECUTE access then attempts to READ it or WRITE
    it will fail.
    
    If you have a counterexample, please provide a log showing relevant
    information (e.g. DIR/SEC on file and all parent directories, SHOW
    PROC, SHOW PROC/PRIV, VMS version, commands used to access file).
    
>     Shouldn't file protection override parent directory?
    
    The protection on the directory affects whether you can find the file
    using the directory. It does not affect what you can do to the file
    once you have found it (with the proviso that some user-level operations
    may attempt to access both the directory and the file and thereby give
    the impression that the two protections are related).

454.4. "Please forgive .0" by NEWVAX::DISNEY (Jim Disney, phone 410-643-5578) Wed Apr 16 1997 14:29 (4 lines)

    My original note .0 is in fact false. I reported it based on customer
    input, and in haste I errantly replicated the problem (must have
    forgotten to turn off privs). After reading your posts, I tested
    further and found you are right. I apologize for inconveniencing you.
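
The test that reply .3 asks for, with the privilege pitfall from reply .4 removed first, as an added DCL example that is not part of the original thread. TESTFILE.TMP is a hypothetical scratch file name; the procedure assumes it is run from a directory you own and that the file carries no ACL.

```dcl
$! Added example: constructed test procedure, not from the original notes.
$! TESTFILE.TMP is a hypothetical scratch file in the current directory.
$ SET NOON                          ! continue past the expected access failures
$! Disable the privileges that override UIC-based protection, saving old state
$ SAVED_PRIVS = F$SETPRV("NOBYPASS,NOREADALL,NOSYSPRV,NOGRPPRV")
$ SHOW PROCESS/PRIVILEGES           ! record what is still enabled
$ CREATE TESTFILE.TMP
constructed sample line
$! Owner gets EXECUTE only; every other category gets no access
$ SET PROTECTION=(S,O:E,G,W) TESTFILE.TMP
$ DIRECTORY/SECURITY TESTFILE.TMP   ! shows owner, protection mask and any ACL
$ TYPE TESTFILE.TMP                 ! needs READ access
$ READ_STATUS = $STATUS
$ OPEN/APPEND F TESTFILE.TMP        ! needs WRITE access
$ WRITE_STATUS = $STATUS
$ IF WRITE_STATUS THEN CLOSE F
$ IF READ_STATUS .OR. WRITE_STATUS  ! odd status value means success
$ THEN WRITE SYS$OUTPUT "Access succeeded: check privileges, ACLs and ownership"
$ ELSE WRITE SYS$OUTPUT "READ and WRITE both refused on the EXECUTE-only file"
$ ENDIF
$! Clean up: the owner can always reset the protection, then delete
$ SET PROTECTION=(O:RWED) TESTFILE.TMP
$ DELETE TESTFILE.TMP;*
$ SAVED_PRIVS = F$SETPRV(SAVED_PRIVS)   ! restore the original privilege state
```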