ACLS and WebServers... - VMS


Results 1 to 20 of 24

Thread: ACLS and WebServers...

  1. ACLS and WebServers...

    Well, here is a totally honest question.

    Just wrote my first serious CGI-BIN program under VMS, and found that I had
    to do "SET SECURITY/ACL=(IDENT=APACHE$WWW,ACCESS=READ)" or variants thereof
    so that the program could access various data files. I had to grant read
    access on each directory starting at the root of the device that the web
    server CGI program needs access to.

    The question is, is there a central facility to manage these settings for
    all the files and users in the system, similar perhaps to RACF on a z/OS
    mainframe? For example, can I easily produce a list of all the
    files/directories that the web server has access permissions to?

    If not, are there good ways and methods to keep track of which files need
    which permissions? From a System Admin point of view I mean.

    Thanks
    -Paul



  2. Re: ACLS and WebServers...

    On 08/24/07 23:34, Paul Raulerson wrote:
    > Well, here is a totally honest question.
    >
    > Just wrote my first serious CGI-BIN program under VMS, and found
    > that I had to do "SET
    > SECURITY/ACL=(IDENT=APACHE$WWW,ACCESS=READ)" or variants thereof
    > so that the program could access various data files. I had to
    > grant read access on each directory starting at the root of the
    > device that the web server CGI program needs access to.
    >
    > The question is, is there a central facility to manage these
    > settings for all the files and users in the system, similar
    > perhaps to RACF on a z/OS mainframe? For example, can I easily
    > produce a list of all the files/directories that the web server
    > has access permissions to?


    I don't have the answer, but I *can* say that this is how questions
    are supposed to be asked.

    > If not, are there good ways and methods to keep track of which
    > files need which permissions? From a System Admin point of view I
    > mean.


    --
    Ron Johnson, Jr.
    Jefferson LA USA

    Give a man a fish, and he eats for a day.
    Hit him with a fish, and he goes away for good!

  3. Re: ACLS and WebServers...

    Paul Raulerson wrote:
    > Just wrote my first serious CGI-BIN program under VMS, and found that I had
    > to do "SET SECURITY/ACL=(IDENT=APACHE$WWW,ACCESS=READ)" or variants thereof
    > so that the program could access various data files. I had to grant read
    > access on each directory starting at the root of the device that the web
    > server CGI program needs access to.


    Another way of doing this (other issues aside) would be to let
    APACHE$WWW be the owner of that directories and files, or at least
    have the files' owner be in the same group as APACHE$WWW.

    > The question is, is there a central facility to manage these settings for
    > all the files and users in the system, similar perhaps to RACF on a z/OS
    > mainframe? For example, can I easily produce a list of all the
    > files/directories that the web server has access permissions to?


    The decision whether a process has access to a file is a complicated
    one, see e.g. the OpenVMS Guide to System Security,
    http://h71000.www7.hp.com/doc/732FIN...00/39-con.html
    It even requires a flowchart to explain it ;-)

    Answering your question, I don't know of a central management facility.

    > If not, are there good ways and methods to keep track of which files need
    > which permissions?
    >
    > From a System Admin point of view I mean.


    Set the permissions right for the top-level directory. All files created
    in the directory will by default take on those permissions. For ACL-based
    security, this involves setting a default ACL on the directory.

    cu,
    Martin
    --
    One OS to rule them all | Martin Vorlaender | OpenVMS rules!
    One OS to find them | work: mv@pdv-systeme.de
    One OS to bring them all | http://www.pdv-systeme.de/users/martinv/
    And in the Darkness bind them.| home: martin.vorlaender@t-online.de

  4. Re: ACLS and WebServers...

    Paul Raulerson wrote:

    > Well, here is a totally honest question.
    >
    > Just wrote my first serious CGI-BIN program under VMS, and found that
    > I had to do
    > "SET SECURITY/ACL=(IDENT=APACHE$WWW,ACCESS=READ)" or variants thereof
    > so that the
    > program could access various data files. I had to grant read access
    > on each directory
    > starting at the root of the device that the web server CGI program
    > needs access to.
    >
    > The question is, is there a central facility to manage these settings
    > for all the
    > files and users in the system, similar perhaps to RACF on a z/OS
    > mainframe? For example,
    > can I easily produce a list of all the files/directories that the web
    > server has access
    > permissions to?
    >
    > If not, are there good ways and methods to keep track of which files
    > need which permissions?
    > From a System Admin point of view I mean.
    >
    > Thanks
    > -Paul


    I might have misunderstood your question but we do this with a command
    file and 'shadow' ACLs, i.e. we keep files (sometimes empty, sometimes
    containing explanatory text) that have the ACL set up for the
    directory/tree they control. Judicious use of:

    SET FILE /ACL /LIKE=shadow_file.ACL disk:[dir...] etc

    provides a repeatable, traceable method of maintaining/modifying access
    rights.

    Of course, SET FILE is deprecated and SET SECURITY should be used for
    new procedures.

    --
    Cheers - Dave

  5. Re: ACLS and WebServers...

    Paul Raulerson wrote:

    > For example, can I easily produce a list of all
    > the files/directories that the web server has
    > access permissions to?


    There is a tool called DFU ("Directory and File Utility", if
    I'm not wrong) that complements the functionality of DIR. It's
    a free tool developed by the VMS developers.

    I seem to remember that DFU can list files selected on
    actual ACL settings.

    And no, fortunately there is not anything like RACF
    on VMS... :-) :-)

    Jan-Erik.

  6. Re: ACLS and WebServers...

    Paul Raulerson wrote:
    > Well, here is a totally honest question.
    >
    > Just wrote my first serious CGI-BIN program under VMS, and found that I had
    > to do
    > "SET SECURITY/ACL=(IDENT=APACHE$WWW,ACCESS=READ)" or variants thereof so
    > that the
    > program could access various data files. I had to grant read access on each
    > directory
    > starting at the root of the device that the web server CGI program needs
    > access to.
    >
    > The question is, is there a central facility to manage these settings for
    > all the
    > files and users in the system, similar perhaps to RACF on a z/OS mainframe?
    > For example,
    > can I easily produce a list of all the files/directories that the web server
    > has access
    > permissions to?
    >
    > If not, are there good ways and methods to keep track of which files need
    > which permissions?
    > From a System Admin point of view I mean.
    >


    VMSINSTAL sets the initial protection for files that belong to the O/S.
    These permissions SHOULD NOT BE CHANGED. If you do, you will regret
    it later. IF THERE IS A LATER!

    The permissions for other files are normally set by the owner or by the
    system default; see HELP SET PROTECTION /DEFAULT. System wide defaults
    are set by a SYSGEN parameter, I no longer remember which one and I'm
    too lazy to look it up! How restrictive your default permissions are is
    entirely up to you.

    I'd suggest putting most, or all, of the files you want the public to be
    able to see in a directory tree created for the purpose.



  7. Re: ACLS and WebServers...

    In article <009701c7e6d1$3c4bc360$b4e34a20$@com>, "Paul Raulerson" writes:

    > The question is, is there a central facility to manage these settings for
    > all the
    > files and users in the system, similar perhaps to RACF on a z/OS mainframe?


    The central facility to manage setting is the SET SECURITY command in
    the hands of a privileged user. But VMS is more oriented toward use
    of the SET SECURITY command by unprivileged people, like the Webmaster,
    who have control over only certain files.

    VMS is significantly different from RACF (or ACF2 or Top Secret) in that
    there is no way on VMS to set the future protection of a file that does
    not exist. The metadata regarding protection is part of the file header.
    This means one can remove a disk from one VMS system and plug it into
    another VMS system and all the protections will travel with it. Of
    course coordinated SYSUAF (lists of users) are required for this to
    produce any desired effect I can envision.

    > If not, are there good ways and methods to keep track of which files need
    > which permissions?


    That would be in the documentation of the individual product that created
    each file.

    > From a System Admin point of view I mean.


    VMS runs best when this is beyond the interest level of the system
    manager and up to the specialist in the particular product.

  8. Re: ACLS and WebServers...

    On Fri, 24 Aug 2007 21:34:33 -0700, Paul Raulerson
    wrote:

    > Just wrote my first serious CGI-BIN program under VMS, and found that I
    > had to do "SET SECURITY/ACL=(IDENT=APACHE$WWW,ACCESS=READ)" or variants
    > thereof so that the program could access various data files. I had to
    > grant read access on each directory starting at the root of the device
    > that the web server CGI program needs access to.


    As somewhat an aside, using WASD I can view the entire cluster file system
    with authenticated login, from a PC, very similar to the Explore command on
    Windows, and although I haven't tried, it should be possible through the
    judicious use of privileges to tailor the view for individual users.

    --
    PL/I for OpenVMS
    www.kednos.com

  9. Re: ACLS and WebServers...

    Paul Raulerson wrote:
    > "SET SECURITY/ACL=(IDENT=APACHE$WWW,ACCESS=READ)" or variants thereof so
    > that the
    > program could access various data files.


    Remember to also set the directory file and add the same ACL with
    "OPTIONS=DEFAULT" to the directory file as well. This causes any newly
    created files in that directory to inherit that ACL.


    > The question is, is there a central facility to manage these settings for
    > all the files and users in the system, similar perhaps to RACF on a z/OS mainframe?



    The short answer is NO.

    There have been some consultants/outfits in VMS's heydays who had
    software to audit your system and find out every file that every user
    had access to.

    On a mainframe, the file system is much flatter than on VMS. Also
    remember that on MVS, security is an afterthought, so the package you
    choose/install to provide security has to provide the management tools
    to manage security. With VMS, security is an integral part of the OS,
    and each user can manage their files without having to go to a
    "security" department and ask them to make certain files accessible to
    other users.

    Also, on VMS, the file security information is stored in the file
    header. It isn't stored in a separate database that is easy to scan. So
    you'd have to scan all files on the system to find out which ones any
    particular user has read and/or write access to.
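    The default-ACE approach recommended in the two replies above, plus a way to
    answer the original "which files can the web server reach?" question, as an
    added DCL example that is not from any poster in this thread. APACHE$WWW is
    the identifier from the thread; the device and directory names under
    DKA100:[WEBDATA] are constructed for the example.

```dcl
$! Added example, not from the thread: grant APACHE$WWW read access on one
$! data tree the way the posters above describe, then verify and inventory.
$! APACHE$WWW is the identifier used in the thread; DKA100:[WEBDATA...] is a
$! constructed path.
$!
$! 1. The directory file. READ lets the CGI list the directory and EXECUTE
$!    lets it open files in it by name (EXECUTE alone is enough for the
$!    intermediate directories on the path down from [000000]). The second
$!    ACE carries OPTIONS=DEFAULT: it grants nothing on the directory itself
$!    but is copied, minus the DEFAULT option, onto every file created in
$!    the directory from now on, so new data files inherit read access.
$ SET SECURITY/CLASS=FILE -
      /ACL=((IDENTIFIER=APACHE$WWW,ACCESS=READ+EXECUTE), -
            (IDENTIFIER=APACHE$WWW,OPTIONS=DEFAULT,ACCESS=READ)) -
      DKA100:[WEBDATA]APPDATA.DIR
$!
$! 2. Files that already exist are not touched by a DEFAULT ACE, so grant
$!    them READ explicitly. A read-only CGI needs no WRITE or DELETE here.
$ SET SECURITY/CLASS=FILE/ACL=(IDENTIFIER=APACHE$WWW,ACCESS=READ) -
      DKA100:[WEBDATA.APPDATA]*.*;*
$!
$! 3. Verify: the directory file should show both ACEs, each data file one.
$ DIRECTORY/SECURITY DKA100:[WEBDATA]APPDATA.DIR
$ DIRECTORY/SECURITY DKA100:[WEBDATA.APPDATA]*.*
$!
$! 4. The inventory question. The ACL lives in each file header, not in a
$!    central database, so the volume has to be walked. DIRECTORY/ACL
$!    prints each file name followed by its ACEs; SEARCH/WINDOW=(1,0) also
$!    prints the line before each match, which for a file's first matching
$!    ACE is the file name.
$ PIPE DIRECTORY/ACL DKA100:[000000...]*.*;* | -
      SEARCH SYS$PIPE "APACHE$WWW" /WINDOW=(1,0)
```

    Step 4 only finds explicit identifier ACEs; files the server can read
    through their WORLD or GROUP protection mask will not appear in that list.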

  10. RE: ACLS and WebServers...



    > -----Original Message-----
    > From: Martin Vorlaender [mailto:mv@pdv-systeme.de]
    > Sent: Saturday, August 25, 2007 12:38 AM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: ACLS and WebServers...
    >
    > The decision whether a process has access to a file is a complicated
    > one, see e.g. the OpenVMS Guide to System Security,
    > http://h71000.www7.hp.com/doc/732FIN...00/39-con.html
    > It even requires a flowchart to explain it ;-)
    >


    Oh my-- more weekend reading! Thanks Martin. -Paul

    P.S. This sounds like an opportunity for a neat little utility for someone
    who is capable of writing it. (Not me!) Sell a few copies then sell it to
    HP or CA.



  11. RE: ACLS and WebServers...



    > -----Original Message-----
    > From: Tom Linden [mailto:tom@kednos.company]
    > Sent: Saturday, August 25, 2007 8:19 AM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: ACLS and WebServers...
    >
    > On Fri, 24 Aug 2007 21:34:33 -0700, Paul Raulerson
    >
    > wrote:
    >
    > As somewhat an aside, using WASD I can view the entire cluster file
    > system with authenticated login, from a PC, very similar to the Explore
    > command on Windows, and although I haven't tried, it should be possible
    > through the judicious use of privileges to tailor the view for
    > individual users.
    >


    That's something definitely in the cards. What is WASD exactly? An
    application server that runs on top of the SecureWebServer stuff? (i.e.
    Apache).

    I was planning on making use of the suExec processing for stuff that is
    user specific, but if there is a better way, I'm all for it!

    -Paul


    > --
    > PL/I for OpenVMS
    > www.kednos.com



  12. RE: ACLS and WebServers...

    In article <002501c7e72f$e4060f30$ac122d90$@com>, "Paul Raulerson" writes:

    > That's something definitely in the cards. What is WASD exactly?


    WASD is a web server that runs on VMS.

    http://wasd.vsm.com.au/

  13. Re: ACLS and WebServers...

    Paul Raulerson wrote:
    > Martin Vorlaender wrote:
    >> The decision whether a process has access to a file is a complicated
    >> one, see e.g. the OpenVMS Guide to System Security,
    >> http://h71000.www7.hp.com/doc/732FIN...00/39-con.html
    >> It even requires a flowchart to explain it ;-)

    >
    > Oh my-- more weekend reading! Thanks Martin. -Paul
    >
    > P.S. This sounds like an opportunity for a neat little utility for
    > someone who is capable of writing it. (Not me!) Sell a few copies
    > then sell it to HP or CA.


    In fact, when porting some *ix software, I noticed that the C RTL
    routine access() only looks at the protection mask, and doesn't honor
    ACLs. So I had to expand it (not going all the way through the flowchart
    though).

    cu,
    Martin
    --
    One OS to rule them all | Martin Vorlaender | OpenVMS rules!
    One OS to find them | work: mv@pdv-systeme.de
    One OS to bring them all | http://www.pdv-systeme.de/users/martinv/
    And in the Darkness bind them.| home: martin.vorlaender@t-online.de

  14. Re: ACLS and WebServers...

    Paul Raulerson wrote:

    > P.S. This sounds like an opportunity for a neat little
    > utility for someone who is capable of writing it.


    What happened to my former post about DFU ???
    I thought I saw it on the list after posting it...

    http://h71000.www7.hp.com/freeware/freeware70/dfu/


    Regards,
    Jan-Erik.

  15. Re: ACLS and WebServers...

    On Sat, 25 Aug 2007 09:16:45 -0700, Larry Kilgallen
    wrote:

    > In article <002501c7e72f$e4060f30$ac122d90$@com>, "Paul Raulerson"
    > writes:
    >
    >> That's something definitely in the cards. What is WASD exactly?

    >
    > WASD is a web server that runs on VMS.
    >
    > http://wasd.vsm.com.au/


    WASD was specifically written for VMS whereas Apache was ported from a
    UNIX environment.
    Do yourself a favor, if you are going to run a web server, it is WASD


    --
    PL/I for OpenVMS
    www.kednos.com

  16. Re: ACLS and WebServers...

    Martin Vorlaender wrote:
    >
    > In fact, when porting some *ix software, I noticed that the C RTL
    > routine access() only looks at the protection mask, and doesn't honor
    > ACLs. So I had to expand it (not going all the way through the flowchart
    > though).


    When did you look? There is a DECC feature to enable that check. I do
    not know what version it was added in.

    -John
    wb8tyw@qsl.network
    Personal Opinion Only

  17. Re: ACLS and WebServers...

    John E. Malmberg wrote:
    > Martin Vorlaender wrote:
    >> In fact, when porting some *ix software, I noticed that the C RTL
    >> routine access() only looks at the protection mask, and doesn't honor
    >> ACLs.

    >
    > When did you look? There is a DECC feature to enable that check. I do
    > not know what version it was added in.


    I'm pretty sure DECC$ACL_ACCESS_CHECK wasn't in the docs then, at least.
    Thanks for the pointer.

    cu,
    Martin
    --
    One OS to rule them all | Martin Vorlaender | OpenVMS rules!
    One OS to find them | work: mv@pdv-systeme.de
    One OS to bring them all | http://www.pdv-systeme.de/users/martinv/
    And in the Darkness bind them.| home: martin.vorlaender@t-online.de

  18. RE: ACLS and WebServers...



    > -----Original Message-----
    > From: Tom Linden [mailto:tom@kednos.company]
    > Sent: Saturday, August 25, 2007 8:38 PM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: ACLS and WebServers...
    >
    > On Sat, 25 Aug 2007 09:16:45 -0700, Larry Kilgallen
    > wrote:
    >
    > > In article <002501c7e72f$e4060f30$ac122d90$@com>, "Paul Raulerson"
    > > writes:
    > >
    > >> That's something definitely in the cards. What is WASD exactly?

    > >
    > > WASD is a web server that runs on VMS.
    > >
    > > http://wasd.vsm.com.au/

    >
    > WASD was specifically written for VMS whereas Apache was ported from a
    > UNIX environment.
    > Do yourself a favor, if you are going to run a web server, it is WASD
    >
    >
    > --
    > PL/I for OpenVMS
    > www.kednos.com


    Downloaded and starting to read the documentation on it. Apache is up and
    running so ... to bring up and configure WASD means I either need to IPL
    from another volume, or figure out how to *uninstall* Apache...

    I'll get it up and give it a try, it looks pretty nice. I like the PASS
    syntax.

    -Paul



  19. (Persona services came out in VMS 6.2) Re: ACLS and WebServers...

    Hi John,

    > When did you look? There is a DECC feature to enable that check.


    Is it a "DEC"C specific and non-portable extension? In which case I'd like
    to ask why you wouldn't choose instead to deploy sys$check_access et al? Is
    "access() for "files" only and doesn't handle access checks to Queues,
    Mailboxes and so on?

    Maybe it's only me, but I just can't help wondering why (in these more
    modern [sys$/t3$]persona_assume times) one wouldn't just have one's process
    "become" the client before attempting to perform work on their behalf. Just
    let VMS sort out what they can and cannot do; seems eminently sensible to
    me! So you check that FRED has access to an object and hopefully trigger
    whatever auditing/alarms the System Manager has defined, and then you access
    it as SUPER/BIGBOY and do some more dodgy auditing and accounting and quota
    abuse?

    You're probably equally disinterested in the fact that Rdb provides the
    "SQL> Set Session Authorization" syntax so that you can change persona
    within a database attach; but if not, do please ask them why we have to
    supply a Username/Password in the clear rather than a simple persona ID.
    (But then you guys see nothing wrong with running up separate image(s) for
    each client request, so I'm sure you're equally happy to detach/re-attach to
    the database each time?)

    As far as the OP's question goes, can someone tell me if you still need that
    APACHE$WWW ACE if the WORLD has read access to the files? Not that it's
    important, but just for curiosity's sake I'm wondering if what is being
    achieved is a regime where every bloke and a dog with a browser can view the
    files but there's just no way we'll let local VMS users see them.

    Cheers Richard Maher

    "John E. Malmberg" wrote in message
    news:CD5Ai.76110$Fc.8267@attbi_s21...
    > Martin Vorlaender wrote:
    > >
    > > In fact, when porting some *ix software, I noticed that the C RTL
    > > routine access() only looks at the protection mask, and doesn't honor
    > > ACLs. So I had to expand it (not going all the way through the flowchart
    > > though).

    >
    > When did you look? There is a DECC feature to enable that check. I do
    > not know what version it was added in.
    >
    > -John
    > wb8tyw@qsl.network
    > Personal Opinion Only




  20. Re: ACLS and WebServers...

    [WASD]

    Paul Raulerson wrote:
    > Downloaded and starting to read the documentation on it. Apache is up
    > and running so ...
    > to bring up and configure WASD means I either need to IPL from another
    > volume, or figure out how to *uninstall* Apache...


    While you can uninstall Apache (via the PRODUCT REMOVE command), both
    webservers provide the possibility to set the port they're listening at.
    If the ports are different, you can run both in parallel.

    cu,
    Martin
    --
    One OS to rule them all | Martin Vorlaender | OpenVMS rules!
    One OS to find them | work: mv@pdv-systeme.de
    One OS to bring them all | http://www.pdv-systeme.de/users/martinv/
    And in the Darkness bind them.| home: martin.vorlaender@t-online.de
