| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 2485.1 | SWAG: Did they create the old WEBACCESS account too? | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Fri Jan 24 1997 16:38 | 0 |
| 2485.2 | Check the bits I know about | AIMTEC::ZANIEWSKI_D | Taking bids on Andrew's Alphatraz cell | Fri Jan 24 1997 17:43 | 10 |
| From character cell ALL-IN-1, anybody with VMS privileges to read
the user ACCESS.DAT files will be able to see the drawer names.
Make sure the VMS account you are using has TMPMBX and NETMBX,
no more. Also ensure that all the ACCESS.DAT files are set for
only S:RWED, O:RWED.
If you can still browse the drawers then its probably a FCS or AWI
problem.
Dave Zaniewski
|
| 2485.3 | No | VAXRIO::63011::VAXRIO::ALCIDES | Technical Sales Support | Fri Jan 24 1997 19:06 | 4 |
| Re .1
No, they didn't.
Is it necessary?
|
| 2485.4 | Protection/privileges are OK (I think) | VAXRIO::63011::VAXRIO::ALCIDES | Technical Sales Support | Mon Jan 27 1997 19:14 | 7 |
| I visited the customer site today and checked that:
WEB$ACCESS has only NETMBX and TMPMBX privileges
WEB$ACCESS has UIC group number 20 (not a system group)
All ACCESS.DAT files have only System and Owner access (RWED)
What more could I check there?
|
| 2485.5 | Sorry, that shouldbe OA$ANONYMOUS | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Tue Jan 28 1997 09:16 | 7 |
| RE .1, .3
The account I was thinking of was the OA$ANONYMOUS account that was
used with V3.1 systems. If that account is on the system, it allows
access to all WORLD drawers unconditionally, and I think it overrides
the more specific access control that was added with the WEB$ACCESS
account in V3.2.
|
| 2485.6 | Solved ... | VAXRIO::63011::VAXRIO::ALCIDES | Technical Sales Support | Tue Jan 28 1997 17:57 | 20 |
| I got it!
The customer had created WEB$ACCESS account with UIC group 10 (system group).
That's why they allways get access to any shared drawer from Netscape browser.
Well, after changing the UIC group to 20, we found a different problem: Even
with READ access to a shared drawer, WEB$ACCESS could not get access to it! I
solved the problem creating an ACE for WEB$ACCESS with READ access to
ALLIN1.DIR as well. The VMS protection for ALLIN1.DIR is
(S:RWE,O:RWE,G:E,W:E).
So, I had to do it in two steps.
That's strange, because another ALL-IN-1 user can access a shared drawer
without an explicit ACE with READ access to ALLIN1.DIR
Can anyone explain it to me?
Alcides
|
| 2485.7 | Ought to be documented | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Wed Jan 29 1997 08:56 | 20 |
| <<<< The customer had created WEB$ACCESS account with UIC group 10
<<<< (system group)
I would say that was worthy of being bugged, so that at the very least
it's documented that you don't do that!
I can't obviously think where we could put code to stop you doing that,
unless we put some special case code in Create User....
<<<< Even with READ access to a shared drawer, WEB$ACCESS could not get
<<<< access to it! I solved the problem creating an ACE for WEB$ACCESS
<<<< with READ access to ALLIN1.DIR as well.
You certainly shouldn't need to do that. I would repeat the tests with
a different user, preferably one that you have just created, to make
sure that the File Cabinet Server didn't have the old access cached, or
something like that.
Also check that there is System:RWE and W:E access all the way down the
drectory tree.
|
| 2485.8 | | VAXRIO::63011::VAXRIO::ALCIDES | Technical Sales Support | Wed Jan 29 1997 11:58 | 6 |
| When the customer created the template for WEB$ACCESS account, he selected a
UIC group 10. Maybe fixing a default with a higher number would prevent
problems.
The VMS protection (S:RWE,O:RWE,G:E,W:E) is OK. I'll check the environment
with care.
|
| 2485.9 | | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Thu Jan 30 1997 08:49 | 2 |
| I've raised a low priority bug about the WEB$ACCESS account's UIC, but
don't hold your breath for a fix. It might only be documented.
|