Updated: 11 December 1998 |
OpenVMS Guide to System Security
Previous | Contents | Index |
The profile of clusterwide disks and tapes is stored in the object
database VMS$OBJECTS.DAT, but other object profiles have to be reset
each time the systems starts up.
5.4 Files
A file is a named array of fixed-size (512-byte) data blocks with an associated set of attributes. In OpenVMS systems, the file class include both data files and directory files. The operating system provides full security protection for individual disk files stored on Files-11 On-Disk Structure Level 2 (ODS-2) volumes. Tape files are collectively protected by the protection code on the volume but are not protected on an individual basis.
The file object differs from other protected objects in one important
way: because files provide more flexibility than any other object
class, files do not acquire their profiles from a template.
Section 5.4.5 describes the rules the operating system applies in
assigning a profile.
5.4.1 Naming Rules
A file specification is a string of 1 to 255 characters. See the
OpenVMS User's Manual for a full description.
5.4.2 Types of Access
The file class supports the following types of access:
Read | Gives you the right to read, print, or copy a disk file. With directory files, read access gives you the right to read or list a file and use a file name with wildcard characters to look up files. Read access implies execute access. |
Write | Gives you the right to write to or change the contents of a file but not delete it. Write access allows modification of the file elements that describe the contents of the file. Write access allows creation of a new version of an existing file's primary name. With directory files, write access gives you the right to make or delete an entry in the catalog of files. |
Execute | Gives you the right to execute a file that contains an executable program image or DCL command procedure. With a directory file, execute access gives you the right to look up files whose names you know. |
Delete | Gives you the right to delete a file. To delete a file, you must have delete access to the file and write access to the directory that contains the file. To remove or rename a file's primary name also requires delete access. |
Control |
Gives you the right to change the protection code and ACL. You need to
satisfy one of the following conditions to change the owner:
|
The following conditions apply to file access:
It is possible to access a file by its file identifier. When users do so, they bypass the directory file protection. Therefore, you must not rely entirely on directory file protection to control access to a file. |
Before you can create a file, the operating system checks to see that you have satisfied the following conditions:
The new file obtains its owner, protection code, and ACL from a number
of sources. The ownership assignment of a new file is done
independently of protection and ACL.
5.4.5.1 Rules for Assigning Ownership
If any of the following conditions are true, then you can assign an identifier as the owner of a file:
A file receives its owner identifier from the first applicable source that you are allowed to assign:
See Section 8.8.1.2 for a description of how resource identifiers can own
files and directories.
5.4.5.2 Rules for Assigning a Protection Code and ACL
The sources of a new file's protection code and ACL are similar to those of ownership and are considered in the same order. The system assigns a file's protection code and ACL from one of the following sources:
$ COPY USE1:[PAYDATA]PAYROLL.DAT PAYSORT.DAT - _$ /PROTECTION=(SYSTEM:RW,OWNER:RWED,GROUP:RW,WORLD) |
The output file of a COPY command is treated as a newly created file and so is assigned a new security profile. The security profiles of the input files are immaterial.
However, a renamed file by default retains its existing security profile. To assign a new security profile, as if the file were newly created, use the DCL command RENAME/INHERIT_SECURITY. This causes the file to be assigned a security profile.
Section 5.4.5.1 and Section 5.4.5.2 explain how a security profile is
assigned.
5.4.6 Kinds of Auditing Performed
The following types of events can be audited, provided the security administrator enables auditing for the appropriate event class:
Event Audited | When Audit Occurs |
---|---|
Access | When a process opens, reads, writes, or executes a file or inquires about its attributes |
Creation | When a process creates a file |
Deaccess | When a process closes a file |
Deletion | When a process deletes a file |
Ordinary file protection mechanisms control who can access a file, but they do not address the problem of protecting old data that remains on disk after a file is deleted.
When a file is deleted, its header is removed from the directory, but its contents remain intact on disk until it is overwritten. Because data exists on a disk, it is necessary to protect deleted or purged file information from disk scavenging.
The OpenVMS operating system solves the problem of disk scavenging with the combination of the two following techniques:
A security administrator or user can apply an erasure pattern to individual files on a volume or to a complete volume. An erasure pattern is a repeated sequence of bits written over a file when the file is deleted or purged.
The security administrator can ensure that every block on a volume starts off with the erasure pattern by specifying the /ERASE qualifier when the volume is initialized, as follows:
INITIALIZE/ERASE device-name[:] volume-label |
If the volume is mounted, the security administrator can automatically apply the erasure pattern to the space occupied by a file when it is deleted by specifying the /ERASE_ON_DELETE qualifier, as follows:
SET VOLUME/ERASE_ON_DELETE device-spec[:] |
Note that this technique has no effect on existing files.
Alternatively, the security administrator may ask users to specify the erasure pattern on a file-by-file basis by using the /ERASE qualifier when entering the DCL commands SET FILE, DELETE, and PURGE.
Security administrators can also write an erase routine by using the
$ERAPAT system service. The routine specifies to the system the erasure
pattern and number of passes to be used to erase disk blocks.
5.4.7.2 Setting a High-water Mark
When the operating system allocates disk blocks for a file, it automatically sets a high-water mark. The high-water mark indicates how far the file has been written in its allotted space on the disk. All blocks in the file up to the high-water mark are guaranteed to have been written since they were allocated to the file. Users are not permitted to read beyond the high-water mark and thus cannot read stale data that they did not actually write.
A more conservative but costly technique is to erase all disk blocks before allocation. The erase-on-allocate technique is used when the file is open allowing any form of shared access or nonsequential access. When blocks are erased on allocation, the file's high-water mark is set to point to the end of the newly allocated and erased space.
By default, high-water marking is enabled when the volume is
initialized. The security administrator can disable high-water marking
for a specific volume by using the DCL command SET
VOLUME/NOHIGHWATER_MARKING.
5.4.7.3 Accessibility of Data in a File
Once the file system allocates disk blocks for a file, users can read or write to them at any time. The high-water mark identifies the physical end of file, beyond which the user cannot read. However, an application can reposition the logical end-of-file mark and leave data in the area between the logical and the physical end of the file. Any block of file data can later be read, regardless of the logical end-of-file mark.
An application largely determines how allocated disk blocks are managed. For example, OpenVMS RMS services shorten a sequential file by resetting the logical end-of-file position to the beginning of the current record. It does not deallocate space between the end-of-file position and the physical end of the file, nor does it overwrite the records between the end-of-file position and the physical end of the file with an erase pattern.
Thus, blocks written to a file can remain available regardless of the
end-of-file mark. If you want to erase the data between the logical end
of the file and the physical end of the file, your application program
must overwrite the data you want deleted. On OpenVMS systems, a common
way to accomplish this is to create a new version of the file using the
DCL command COPY.
5.4.8 Suggestions for Optimizing File Security
Use the following precautions to protect your files and directories:
OpenVMS memory management services allow processes to communicate through shared memory pages called global sections. Using global sections, two or more processes can map the same page into their individual virtual address spaces, thereby sharing the same page of code or data.
A global section can provide access to a disk file (called a file-backed global section), provide access to dynamically created storage (called a page file-backed global section), or provide access to specific physical memory (called a page frame number [PFN] global section). A global section object may be either temporary or permanent.
The operating system supports two types of global section objects:
The name of the object is a string of 1 to 44 characters. For group
global sections, the name is qualified by your UIC group number.
5.5.2 Types of Access
The global section class supports the following types of access:
Previous | Next | Contents | Index |
Copyright © Compaq Computer Corporation 1998. All rights reserved. Legal |
6346PRO_010.HTML
|