Document revision date: 19 July 1999

OpenVMS System Manager's Manual



9.4 Getting File Information

Use the DCL command DIRECTORY to retrieve information about disk and magnetic tape files in a directory, using the following format:

DIRECTORY [filespec[,...]] 

When you include certain command qualifiers with the DIRECTORY command, you can retrieve information in addition to a list of the names of the files in the directory. Refer to the OpenVMS DCL Dictionary for a list of qualifiers that you can use with the DIRECTORY command.

The following examples illustrate three cases of retrieving information from the [MALCOLM] directory, which resides on a disk with the logical name DISK$DOCUMENT.

Examples


  1. $ DIRECTORY AVERAGE.*
     
    Directory DISK$DOCUMENT:[MALCOLM]
     
    AVERAGE.EXE;6      AVERAGE.FOR;6      AVERAGE.LIS;4     AVERAGE.OBJ;12
     
    Total of 4 files.  
    

    The DIRECTORY command in this example lists all file types of the AVERAGE file and the version number of each file. The command would also list all versions of these files; however, only one version of each file exists.


  2. $ DIRECTORY/SIZE/DATE/VERSIONS=1/PROTECTION  AVERAGE
     
    Directory DISK$DOCUMENT:[MALCOLM] 
     
    AVERAGE.EXE;6       6        10-APR-1997 15:43 (RWED,RWED,RWED,RE)
    AVERAGE.FOR;6       2         2-APR-1997 10:29 (RWED,RWED,RWED,RE)
    AVERAGE.LIS;4       5         9-APR-1997 16:27 (RWED,RWED,RWED,RE)
    AVERAGE.OBJ;6       2         9-APR-1997 16:27 (RWED,RWED,RWED,RE)
     
    Total of 4 files, 15 blocks.
    

    The DIRECTORY command in this example displays all the file types of the AVERAGE file and the version number of each file. The /SIZE qualifier displays the size of each file in blocks used. The /DATE qualifier displays the creation date of the version of the file that is listed. The /VERSIONS=1 qualifier limits the number of versions of the file displayed to one (the most recent) version. The /PROTECTION qualifier displays the file protection for each file.


  3. $ DIRECTORY/FULL/VERSIONS=1 [MALCOLM...]AVERAGE.EXE
      
    Directory DISK$DOCUMENT:[MALCOLM]
      
    AVERAGE.EXE;6                 File ID:  (4098,149,0)
    Size:           36/36         Owner:    [DOCUMENTATION,MALCOLM]
    Created:  27-MAY-1997 12:22:26.30   
    Revised:  27-MAY-1997 12:22:51.35 (2)
    Expires:   <None specified>   
    Backup:    3-JUN-1997 22:03.09
    Effective: <None specified> 
    Recording: <None specified> 
    File organization:  Sequential
    Shelved state:      Online
    File attributes:    Allocation: 36, Extend: 36, Global buffer count: 0
                        No version limit
    Record format:      Variable length, maximum 255 bytes
    Record attributes:  Carriage return carriage control
    Journaling enabled: None
    File protection:    System:RWED, Owner:RWED, Group:RE, World:
    Access Cntrl List:  None
      
    Total of 1 file, 36/36 blocks.
      
    Directory DISK$DOCUMENT:[MALCOLM.TEST]
      
    AVERAGE.EXE;1                 File ID:  (7714,29,0)
    Size:           36/36         Owner:    [DOCUMENTATION,MALCOLM]
    Created:  15-APR-1997 10:12   
    Revised:  15-APR-1997 10:12 (1)
    Expires:   <None specified>   
    Backup:   15-APR-1997 22:41
    Effective: <None specified> 
    Recording: <None specified> 
    File organization:  Sequential
    Shelved state:      Shelved
    File attributes:    Allocation: 36, Extend: 36, Global buffer count: 0
                        No version limit
    Record format:      Variable length, maximum 255 bytes
    Record attributes:  Carriage return carriage control
    Journaling Enabled : None
    File protection:    System:RWED, Owner:RWED, Group:RE, World:
    Access Cntrl List:  None
       
    Total of 1 file, 36/36 blocks.
    Grand total of 2 directories, 2 files, 72/72 blocks.
    

    The DIRECTORY command in this example displays a full directory listing of one version of the AVERAGE.EXE file in the top-level directory [MALCOLM] and subdirectories under it.

9.5 Protecting Files

The following sections discuss file protection concepts and explain how to perform these tasks:
Task                                     Section
Display file ownership and protection    Section 9.5.2
Protect disk files                       Section 9.5.3
Protect disk directories                 Section 9.5.4
Protect magnetic tape files              Section 9.5.5

9.5.1 Understanding File Protection Concepts

You can protect data on disk and magnetic tape media at the following levels:
Level of Protection    Description
Device level           For information about setting device protection characteristics, see the descriptions of the DCL commands INITIALIZE, MOUNT, SET DEVICES, SET SECURITY/PROTECTION, and SET VOLUME in Chapter 8 and in the OpenVMS DCL Dictionary. Refer to Chapter 7 for additional information about peripheral devices.
Volume level           The system provides protection for disk and tape volumes. For more information, see the following sections:
                         Disk volume protection    Section 8.4.1
                         Tape volume protection    Section 8.4.2
File level             The system provides protection for disk files and directory files. For more information, see the following sections:
                         Individual disk files                          Section 9.5.3
                         Directory files that reside on disk volumes    Section 9.5.4

You can protect data residing on disk and tape volumes by using one or more of the following methods:
Type of Protection                                             For More Information
UIC-based protection codes                                     Chapter 11
Access control lists (ACLs)                                    Chapter 11
ISO 9660-formatted media protection                            Section 8.4.2
ANSI-standard accessibility protection (magnetic tape only)    Section 8.4.2

For the most part, file protection is transparent. Tools exist, however, to adjust the protection of a file. You can set the protection or modify the ACL of a file if at least one of these statements is true:

9.5.2 Displaying File Ownership and Protection

You can display ownership and protection information with the commands and qualifiers shown in Table 9-1.

Table 9-1 DCL Commands to Display Ownership and Protection
Command                          Use to Display
DIRECTORY/ACL filespec           ACL of file
DIRECTORY/OWNER_UIC filespec     UIC of owner of file
DIRECTORY/PROTECTION filespec    UIC-based protection of file
DIRECTORY/SECURITY               All of the above
DIRECTORY/FULL filespec          All of the above and other, nonsecurity information
SHOW DEVICES/FULL device-name    Device UIC and protection
SHOW PROCESS                     Process UIC
SHOW PROTECTION                  Default file protection
SHOW SECURITY                    All of the above

Directory structures do not apply to tape volumes. However, you can use the DIRECTORY command to search for files on tape volumes. Section 9.7 describes how to access tape files for read and write operations and also explains the use of the DIRECTORY command for tapes.

The DCL command SHOW PROTECTION displays the current process default protection. This protection is applied to files created during your terminal session or to batch jobs, where defaults from directories or previously existing versions are not available.

Note

To use the SHOW PROTECTION command to display the default protection of magnetic tapes, you must specify the /PROTECTION qualifier with the INITIALIZE command when you initialize the magnetic tape volume. Otherwise, the protection is not written to the magnetic tape volume. See the description of initializing magnetic tape volumes in Section 8.3.

The next example illustrates how you can use the SHOW PROTECTION command to display the default protection characteristics for disk files.

Example


$ SHOW PROTECTION
SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=NO ACCESS

In this example, the SHOW PROTECTION command requests a display of the current protection defaults.
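
The following added example (not part of the original manual) parses a captured listing in the DIRECTORY/PROTECTION layout shown in Section 9.4 and reports files whose protection code grants any world access, or group write or delete access. The policy thresholds and the sample listing are constructed assumptions, and the check covers only the UIC-based code, not ACLs.

```python
import re

CATEGORIES = ("system", "owner", "group", "world")  # order used in the listing
# A file line is "NAME.TYPE;version", optional columns, then the four-field
# code such as "(RWED,RWED,RWED,RE)"; an empty field means no access.
FILE_LINE = re.compile(
    r"^\s*(?P<name>\S+;\d+)\s.*\((?P<code>[RWED]*,[RWED]*,[RWED]*,[RWED]*)\)\s*$")
DIR_LINE = re.compile(r"^\s*Directory\s+(?P<dir>\S+)\s*$")

def parse_listing(text):
    """Return [(directory, filename, {category: set of access letters})]."""
    entries, current_dir = [], ""
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = FILE_LINE.match(line)
        if m:  # blank lines and "Total of ..." lines do not match
            fields = m.group("code").split(",")
            code = {c: set(f) for c, f in zip(CATEGORIES, fields)}
            entries.append((current_dir, m.group("name"), code))
    return entries

def letters(access):
    """Render a set of access letters in the conventional RWED order."""
    return "".join(a for a in "RWED" if a in access)

def findings(entries):
    """Assumed policy: no world access at all, no group write or delete."""
    out = []
    for directory, name, code in entries:
        if code["world"]:
            out.append((directory + name, "world", letters(code["world"])))
        if code["group"] & {"W", "D"}:
            out.append((directory + name, "group", letters(code["group"] & {"W", "D"})))
    return out

# Constructed sample in the layout of DIRECTORY/SIZE/DATE/PROTECTION output.
SAMPLE = """
Directory DISK$DOCUMENT:[MALCOLM]

AVERAGE.EXE;6       6        10-APR-1997 15:43 (RWED,RWED,RWED,RE)
AVERAGE.FOR;6       2         2-APR-1997 10:29 (RWED,RWED,RE,)
NOTES.TXT;3         1         9-APR-1997 16:27 (RWED,RWED,,)
Total of 3 files, 9 blocks.
"""

if __name__ == "__main__":
    print(*findings(parse_listing(SAMPLE)), sep="\n")
```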

9.5.3 Protecting Disk Files

Each file on a disk has its own protection code, which is distinct from the protection that applies to the disk volume itself. Files residing on disk volumes have the access types shown in Table 9-2.

Table 9-2 Access Types with Disk File Protection
Access Type    Gives you the right to...
Read           Read, print, or copy a disk file. Read access automatically includes execute access to a specified file or group of files on disk.
Write          Write to or change the contents of a file, but not delete it. Write access allows modification of the file characteristics that describe the contents of the file.
Execute        Execute a file that contains an executable program image or DCL command procedure.
Delete         Delete the file. To delete a file, you must have delete access to the file and write access to the directory that contains the file.
Control        Change file characteristics, including the protection code and ACL. Special restrictions apply to changing the owner of a file.

If you do not define a protection code for a file when you create it, the system applies default protection. If a version of the file already exists, protection is taken from the previous version.

For a new file, the system determines protection in two major ways:

For disk volumes, each file on the volume can have a different protection associated with it. The SET SECURITY/PROTECTION command and other file-manipulating commands allow you to define the protection for individual files.

Note

To protect a file completely against unauthorized access, specify the proper protection both for the file itself and for the directory that lists the file. See Section 9.5.4 for instructions on protecting directories.

The following sections explain how to perform these tasks:
Task                                           Section
Set default disk file protection               Section 9.5.3.1
Set explicit disk file protection              Section 9.5.3.2
Modify disk file protection characteristics    Section 9.5.3.3

9.5.3.1 Setting Default Disk File Protection

A new file receives default UIC-based protection and the default access control entries (ACEs), if any, of its parent directory. A new version of an existing file receives the UIC-based protection and ACL of the previous version.

The protection of a renamed file is unchanged unless you use the RENAME/INHERIT command.

How to Change Default UIC Protection

The operating system provides each process with a default UIC-based protection of (S:RWED,O:RWED,G:RE,W). To change the default protection that is applied to files created by that process, enter the SET PROTECTION/DEFAULT command using the following format:

SET PROTECTION[=(code)]/DEFAULT 

where:
code    Defines the protection to be applied to the specified files. If you omit the code, the access is set to the current default protection.

For example, if you place the following command in your login command procedure, you grant all processes read and execute access to any files that you subsequently create:


$ SET PROTECTION = (S:RWED,O:RWED,G:RE,W:RE)/DEFAULT

(Remember that you must execute the login command procedure for this command to take effect.)
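
An added example, not from the original manual: this Python check scans the text of a login command procedure for SET PROTECTION=(code)/DEFAULT commands and reports any access granted beyond the operating system default of (S:RWED,O:RWED,G:RE,W). The sample procedure, the function names, and the accepted keyword truncations are assumptions.

```python
import re

NAMES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
# Operating system default quoted in this section: (S:RWED,O:RWED,G:RE,W)
SYSTEM_DEFAULT = {"S": "RWED", "O": "RWED", "G": "RE", "W": ""}

# Matches the format SET PROTECTION[=(code)]/DEFAULT with a code present,
# allowing spaces around "=" and truncated keywords (assumption).
SET_DEFAULT = re.compile(
    r"^\s*\$\s*SET\s+PROT\w*\s*=\s*\((?P<code>[^)]*)\)\s*/DEF\w*", re.I)

def parse_code(code):
    """Parse 'S:RWED,OWNER:RWED,G:RE,W' into {'S'|'O'|'G'|'W': access}."""
    result = {}
    for item in code.split(","):
        category, _, access = item.strip().upper().partition(":")
        known = category and any(n.startswith(category) for n in NAMES)
        if not known or not set(access) <= set("RWED"):
            raise ValueError(f"unrecognized protection item: {item!r}")
        result[category[0]] = "".join(a for a in "RWED" if a in access)
    return result

def widened_defaults(procedure_text):
    """Return [(line_no, category, extra_access)] beyond the system default."""
    report = []
    for line_no, line in enumerate(procedure_text.splitlines(), 1):
        m = SET_DEFAULT.match(line)
        if not m:
            continue
        for key, access in parse_code(m.group("code")).items():
            extra = "".join(a for a in access if a not in SYSTEM_DEFAULT[key])
            if extra:
                report.append((line_no, key, extra))
    return report

# Constructed login command procedure; line 3 is the command from this section.
LOGIN_COM = """$ ! constructed sample LOGIN.COM
$ SET TERMINAL/INQUIRE
$ SET PROTECTION = (S:RWED,O:RWED,G:RE,W:RE)/DEFAULT
$ SHOW PROTECTION
"""

if __name__ == "__main__":
    for line_no, key, extra in widened_defaults(LOGIN_COM):
        print(f"line {line_no}: category {key} gains {extra} on new files")
```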

9.5.3.2 Setting Explicit Disk File Protection

You can explicitly specify UIC-based protection for a new file with the /PROTECTION qualifier (valid with the BACKUP, COPY, RENAME, and CREATE commands), as shown in the following command line:


$ CREATE MAST12.TXT/PROTECTION=(S:RWED,O:RWED,G,W)

After a file is created and you have created an ACL for the file, you can modify the ACL and add as many ACEs to the ACL as you want. The protection specified by the ACL overrides the UIC protection of the file.

The following examples show how to check and specify protection codes.

Examples


  1. $ SHOW PROTECTION
    SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=NO ACCESS
    

    The SHOW PROTECTION command displays the current default protection. In this example, the response shows the system default protection, which indicates that the system and owner have all types of access, group users have read and execute access, and world users have no access.


  2. $ SHOW SECURITY IMAGES.DIR
    DBA1:[SADAMS]IMAGES.DIR;1 object of class FILE
         Owner: [SAM,SADAMS]
         Protection: (System: RWE, Owner: RWE, Group: RE, World: E)
         Access Control List:
           (IDENTIFIER=[SAM,SADAMS],ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
    

    In this example, the SHOW SECURITY command displays the current protection associated with the file IMAGES.DIR.


  3. $ DIRECTORY/SECURITY IMAGES.DIR
     
    Directory DBA1:[SADAMS]
     
    IMAGES.DIR;1         [VMS,SADAMS]          (RWE,RWE,RE,E)
             (IDENTIFIER=[VMS,SADAMS],ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
     
    Total of 1 file.
    

    In this example, the /SECURITY qualifier with the DIRECTORY command displays the current protection associated with the IMAGES.DIR file.


  4. $ COPY/PROTECTION=(SYSTEM:RW,OWNER:RWED,GROUP:RW,WORLD) ABC.DAT XYZ.DAT
    

    In this example, the /PROTECTION qualifier specifies a protection code when the ABC.DAT file is copied to XYZ.DAT.


  5. $ SET SECURITY/PROTECTION=(SYSTEM:RWE,OWNER:RWED,GROUP:RE,WORLD) ABC.DAT
    

    In this example, the SET SECURITY/PROTECTION command changes the protection for an existing file. The command gives the following instructions regarding the file ABC.DAT: system users have read, write, and execute access; the owner has read, write, execute, and delete access; group users have only read and execute access; world users have no access.
    Control access is implied and unchangeable for system and owner categories but not for group and world.

9.5.3.3 Modifying Disk File Protection Characteristics

Table 9-3 shows the DCL commands that you can use to establish and modify the protection characteristics of files.

Table 9-3 DCL Commands to Modify File Protection Characteristics
Command: SET DIRECTORY
  Description: Modifies the characteristics of one or more directories. The directory protection can override the protection of individual files within the directory.
  For More Information: See Section 9.5.4.

Command: SET FILE
  Description: Modifies the characteristics of one or more files, including the version limits on files.
  For More Information: See Section 9.5.3.3.2.

Command: SET PROTECTION/DEFAULT
  Description: Sets the default UIC protection on files.
  For More Information: Refer to the OpenVMS Guide to System Security.

Command: SET SECURITY
  Description: Modifies the security profile of an object. Such a profile contains the following characteristics:
    • An access control list (ACL).
    • A protection code, which defines access to objects based on the categories of system, owner, group, and world.
    • An owner. The system uses the owner characteristic to interpret the protection code.
  For More Information: Refer to the OpenVMS Guide to System Security and the OpenVMS DCL Dictionary.

Command: SET VOLUME
  Description: Changes the characteristics of one or more mounted Files-11 volumes. The /FILE_PROTECTION qualifier sets the default protection to be applied to all files on the specified disk volume.
  For More Information: See Section 8.4.1.2.

For a complete list of the command qualifiers and parameters applicable to each of these DCL commands, refer to the OpenVMS DCL Dictionary.

9.5.3.3.1 Changing File Protection Characteristics

To change or reset the protection characteristics of one or more files, use the following format:

SET SECURITY/PROTECTION = code file-spec[,...] 

where:
code         Defines the protection to be applied to the specified files. You cannot omit the code.
file-spec    Specifies one or more files for which the protection is to be changed. A file name and file type are required. If you omit a version number, the protection is changed only for the highest existing version of the file. Wildcard characters are allowed.

The following examples show ways to change file protection.

Examples


  1. $ DELETE INCOME.DAT;3
    %DELETE-W-FILNOTDEL, error deleting DISK1:[SMITH]INCOME.DAT;3
    -RMS-E-PRV, insufficient privilege or file protection violation
    $ SET SECURITY/PROTECTION=OWNER:D INCOME.DAT;3
    $ DELETE INCOME.DAT;3
    

    In this example, the file INCOME.DAT;3 is protected against deletion. The SET SECURITY/PROTECTION command changes only the owner's delete access for the file INCOME.DAT;3. Now the owner can delete the file.


  2. $ SET SECURITY/PROTECTION=(SYSTEM:R,OWNER:RWED,GROUP:RW) PAYROLL.LIS
    

    In this example, the SET SECURITY/PROTECTION command changes the protection codes applied to the PAYROLL.LIS file. The command gives the system read access; the owner read, write, execute, and delete access; and users in the owner's group read and write access.

