Previous | Contents | Index |
You can change the properties of an existing share using the MODIFY SHARE command. You can change the following share properties:
To change the properties of a shared directory, you must be logged on as a member of the Administrators or Server Operators group.
To modify directory permissions for a group or user:
Use the MODIFY SHARE/PERMISSIONS command. For example, to add permissions on an existing directory share called GREATOZ and to grant READ access to the user SCARECROW, enter the following command:
LANDOFOZ\\TINMAN> MODIFY SHARE GREATOZ/PERMISSIONS=(SCARECROW=READ) %PWRK-S-SHAREMOD, share "GREATOZ" modified on server "TINMAN" LANDOFOZ\\TINMAN> |
Users and groups can be granted or denied access to specific files and subdirectories in a shared directory. A user denied access to a file or directory, either individually or as a member of a group, can connect to the share but cannot perform any operations with the files and directories in the share. You can grant specific unique access permissions for files and directories in shares that users can access. Once a user connects to the resource, the file and directory access permissions control the operations that the user can perform. For information about specifying share permissions, see Section 4.3.2.2, Planning Share Permissions.
You can enable users to set access permissions on their own files and
directories. These users can then control whether other users can read,
write, or modify files in that directory. To enable users to set access
permissions, give them full control using the SET FILE command.
4.3.5.1 File and Directory Access Permissions
Table 4-7, Directory Access Permissions and Actions on Directories, lists the types of access users can have and the permissions to set on directories.
User can... | NONE | LIST | READ | ADD | ADD AND READ | CHANGE | FULL CONTROL |
---|---|---|---|---|---|---|---|
Display directory file names | X | X | X | X | X | ||
Display directory attributes | X | X | X | X | X | X | |
Go to directory subdirectories | X | X | X | X | X | X | |
Change directory attributes | X | X | X | X | |||
Create subdirectories and all files | X | X | X | X | |||
Display directory owner and permissions | X | X | X | X | X | X | |
Delete the directory | X | X | |||||
Delete any file or empty subdirectory in a directory | X | ||||||
Change directory permissions | X | ||||||
Take ownership of the directory | X |
Table 4-8, Directory Access Permissions and Actions on Files, lists the types of access users can have to files and the permissions to set on directories.
User can... | NONE | LIST | READ | ADD | ADD AND READ | CHANGE | FULL CONTROL |
---|---|---|---|---|---|---|---|
Display file owner and permissions | X | X | X | X | |||
Display file data | X | X | X | X | |||
Display file attributes | X | X | X | X | |||
Run a program file | X | X | X | X | |||
Change file attributes | X | X | |||||
Change data in and append data to the file | X | X | |||||
Delete the file | X | X | |||||
Change the file permissions | X | ||||||
Take ownership of the directory | X |
By default, anyone with a valid network user name and password can log on to a server and connect to a share on that server. However, a user must have the requisite permissions to access the directories and files in the share. You use the SET FILE/PERMISSIONS command to set permissions on a shared directory. You may need to change access permissions if users cannot access the directories or files they need, or if unauthorized users can access them. A file or directory that does not have explicit permissions inherits the permissions set on its parent directory.
Permissions for disk resources are stored on the disk with each
resource as an OpenVMS Access Control List (ACL). Thus, resource
permissions are backed up by the OpenVMS BACKUP utility.
4.3.5.3 Inheriting Permissions
As you create subdirectories and files in shared directories that have
existing permissions, those permissions are automatically propagated to
the new subdirectories and files. However, if you decide to share a
directory that contains existing subdirectories and files, the
permissions you assign to the new share are not propagated to its
subdirectories and files. You can either explicitly set permissions for
each subdirectory and file, or you allow permissions to be propagated
to the existing subdirectories and files.
4.3.6 Specifying File and Directory Access Permissions
When sharing a directory on a server, you specify the name of the groups and users who can access the share, its subdirectories, and its files, and the permissions each group or user has for the share. After the share has been created, you can modify the permissions on the files and directories in the share.
To set file and directory access permissions:
Use the SET FILE/PERMISSIONS command.
For example, the following command specifies the access permissions for all files with the .C extension in the directory CURTAIN in share GREATOZ:
LANDOFOZ\\TINMAN> SET FILE GREATOZ\CURTAIN\*.C - _LANDOFOZ\\TINMAN> MUNCHKINS/PERMISSIONS=READ - _LANDOFOZ\\TINMAN> SCARECROW/PERMISSIONS=FULL_CONTROL %PWRK-S-FILEMOD, "GREATOZ\CURTAIN\FILE1.C" modified on server "TINMAN" %PWRK-S-FILESMODIFIED, total of 1 file modified LANDOFOZ\\TINMAN> |
As a result, the following permissions are set:
To display directory and file permissions, use the SHOW FILES/FULL command, specifying a share name and its path. For example, with a share called RAINBOW and a file called LOGS.TXT, you can display permissions and ownership as follows:
LANDOFOZ\\TINMAN> SHOW FILES RAINBOW\LOG.TXT /FULL Files in: \\TINMAN\RAINBOW LOGS.TXT Permissions: Administrators Full (All) Everyone Change (RWXD) Server Operators Change (RWXD) SYSTEM Full (All) Audit Events: (None specified) Owner: LION Total of 1 file LANDOFOZ\\TINMAN> |
If the Advanced Server and OpenVMS security model is enabled, and a
network user attempts to access a file or directory, the access must be
allowed by two security checks: network permissions, and OpenVMS file
and directory protections.
4.3.8.1 OpenVMS Protections
Every file on an OpenVMS system has four protection codes:
To set OpenVMS system file protections, use the OpenVMS command SET PROTECTION.
When a network user attempts to access a file, the following rules determine the way that OpenVMS system protections control the access:
When you assign permissions for a resource, you can also audit use of the resource. The Advanced Server can write an entry to the Security event log whenever a user accesses the resource in a certain way. The audit entry shows the resource, action performed, user who performed it, and date and time of the event.
Events that Advanced Server can audit for directory and file access include:
For more information about auditing and viewing events, see
Chapter 6, Monitoring Events and Troubleshooting.
4.3.10 Taking Ownership of Files or Directories
When you create a file or directory, you become its owner. By granting permissions, the owner controls how the file or directory is used. The owner can grant permission to another user to take ownership of a file or directory. Otherwise, you must be logged on as a member of the Administrators group to take ownership. Although an administrator can take ownership, an administrator cannot transfer ownership to others. This preserves security. To make sure that your files are secure, you should check their ownership regularly using the SHOW FILES/OWNER command.
To authorize a user to take ownership of a file or directory:
Use the SET FILE/PERMISSIONS command. You can specify permission to take ownership of a file or a directory using the following commands:
For example, to authorize the user SCARECROW to take ownership of a file called SIMIANS.DAT that is stored on domain LANDOFOZ in the directory \WITCH\MKEY, enter the following command:
LANDOFOZ\\TINMAN> SET FILE WITCH\MKEY\SIMIANS.DAT - _LANDOFOZ\\TINMAN>SCARECROW/PERMISSIONS=FILE_SPECIFIC=TAKE_OWNERSHIP %PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified |
To take ownership of a file or directory:
Use the TAKE FILE OWNERSHIP command as follows:
TAKE FILE OWNERSHIP UNCpath [/qualifiers]) |
For example, the following command takes ownership of the file called SIMIANS.DAT that is stored on domain LANDOFOZ in the directory \WITCH\MKEY.
LANDOFOZ\\TINMAN> TAKE FILE OWNERSHIP WITCH\MKEY\SIMIANS.DAT %PWRK-S-FILEMOD, "\\TINMAN\WITCH\MKEY\SIMIANS.DAT" modified LANDOFOZ\\TINMAN> |
You can manage shares on the Advanced Server using a Windows NT Server. When the Windows NT Server performs server administration, the Windows NT server administration tool Server Manager attempts to verify the share path locally before passing the server operation request to the Advanced Server. Any share path that does not conform to the device:\directory convention, where device: is a single letter drive letter, fails the share path verification. Therefore, you cannot manage this type of Advanced Server share from the Windows NT Server Manager.
The following sections describe ways to manage an Advanced Server share
from the Windows NT Server.
4.3.11.1 Adding a Share from a Windows NT Server
To add an Advanced Server share using a Windows NT Server, use one of the following procedures:
Key: SYSTEM\CurrentControlSet\Services\AdvancedServer\ShareParameters Value: Autoshare= DUA1=D |
d:\share1 |
C:\DUA\SHARE1 |
C:\SHARE1 |
To display and modify the OpenVMS share from a Windows NT Server, use the following share path:
C:\vmsdevicename\directorypath |
For example, if you add a share using the ADMINISTER command ADD SHARE, and you specify $1$DUA2:[SHARE.LEVEL2] as the share path for share LEVEL2, when you display this share from the Windows NT Server Manager, the share path is displayed in the following format:
C:\$1$DUA2\SHARE\LEVEL2 |
With OpenVMS Version 7.2 and higher, you can use the Extended File Specification feature to offer file system services that are compatible with Windows 95, Windows 98, and Windows NT file systems. To take advantage of the capabilities of Extended File Specifications, be sure to complete the following steps:
To simplify share access, you may want to to set up all shared disk
volumes as ODS-5 disk volumes.
4.4.1 Requirements for Using Extended File Specifications
To take advantage of Extended File Specifications, observe the following requirements:
$ SET PROCESS/PARSE_STYLE=EXTENDED |
8-bit multinational ISO Latin-1 |
Depending on the type of client computer, file naming conventions on
ODS-5 disk volumes differ from those on ODS-2 disk volumes as described
in the Section 4.4.3.5, Storing Files on ODS-5 Disk Volumes.
4.4.2 Advanced Server File Naming
File naming conventions for files stored on the Advanced Server depend on whether the disk volume used for storing files is an ODS-2 disk volume or an ODS-5 disk volume.
The Advanced Server uses the file naming conventions shown in Table 4-9, Advanced Server File-Naming Conventions. For each aspect of file names, the table shows the conventions supported by each type of OpenVMS file system.
Convention | Supported on ODS-2 | Supported on ODS-5 |
---|---|---|
File name length | Up to 77 characters, including the extension. Separate the extension from the name by using a period. | Up to 236 characters, plus a period separating the file name from the file extension, and including the OpenVMS version number. |
File names can contain any alphanumeric characters and special
characters except for:
? " / \ < > * | : Any OpenVMS system file or directory name that contains excluded characters is neither visible nor accessible. |
Yes | Yes |
On-disk character support | Characters that are not alphanumeric characters are stored with escape encoding. For more information, see Section 4.4.3.4, Specifying File Names in ADMINISTER Commands. | All supported characters are stored without encoding. |
Upper and lowercase characters are allowed | Yes; however, file names are stored in all uppercase. | Yes: file names are stored in mixed case; however, file name comparisons are not case sensitive. |
Previous | Next | Contents | Index |