From: SMTP%"RELAY-INFO-VAX@CRVAX.SRI.COM" 12-APR-1994 08:54:47.49
To: EVERHART
CC:
Subj: RE: ACLs, Rights Group, and Disk Quota now working together??

Message-Id: <9404070405.AA06104@uu3.psi.com>
Date: Thu, 7 Apr 94 00:03:20 EDT
From: Jerry Leichter
To: INFO-VAX@SRI.COM
Subject: RE: ACLs, Rights Group, and Disk Quota now working together??
X-Vms-Mail-To: UUCP%"kannady@pogo.den.mmc.com"

> Our Sys Admin set us up a Rights Group so that a number of people from
> different VMS Groups could share some files. The Rights Group has a Disk
> Quota on a device that is the home device to some but not all of the
> members of the Rights Group. We have had some strange happenings when some
> of us (without a quota on that device) go to create files, sometimes. Some
> of our executable images will hang. I did a Show Process Continuous on one
> of them and it was stopped w/ LEF.
>
> After that I noticed a related funny (I think) with the Desktop VMS (we
> are running DECwindows). When I would try to open a file w/ Notepad, I
> would get a message that "File is Read Only". This would happen on files
> that I had just created w/ the EDT editor. All of our files show to be
> owned by the Rights Group. I did a Directory/ACL on one of the files &
> noticed that there were 2 entries: the first was with an Identifier w/ my
> name, the 2nd was for the Rights Group. On a whim, I deleted the ACL w/ my
> name. I then opened the file w/ Notepad & sure enough no "File is Read
> Only" message. Continuing, I added my ACL line back in but made it the 2nd
> Identifier (the Group was the 1st Identifier). I opened the file w/ Notepad
> and had success. It is as if the System were only looking at the first ACL
> entry (me)

That's exactly what it's *supposed* to do: The first matching ACE determines
your access. (This (a) allows you to *deny* access to individuals with one
ACE while a subsequent ACE *grants* access to a group that that individual
is a member of; (b) more generally, use "early" specific ACE's that
over-ride "late" general ACE's.)

> and determining that I have no Quota on the disk, so Notepad can not open
> a journal file and thus declares the file to be Read Only. Generally (w/
> some exceptions) we have been able to create/delete files that are owned
> by the Rights Group. Those of us whose Home Device is this device have
> absolutely no problems whatsoever.
>
> I thought that I could get around the problem by copying the file w/ the
> ACL of 1st Group, 2nd Me identifiers and that ACL arrangement would
> propagate forward. Not so! The ACL order reverted back to 1st Me, 2nd
> Group. Puzzling. Something is over-riding my specified order. Could it be
> the order that the Group members were specified? or does VMS just always
> put the Rights Group last? Don't know and no one else does either (can't
> experiment since not member of System).

Without looking more closely, I can't be sure (and you haven't posted the
actual ACE's you get from DIRECTORY); but I think what's happening is this:
When you create a file that your own UIC does not own, VMS automatically
inserts an ACE at the beginning of the ACL granting you CONTROL access (and
probably other accesses - I'm not sure). This is done to ensure that you
can do *something* with the file.

I don't understand exactly what's happening when you copy the file with the
reversed ACE's, but it's probably a clash between the automatic mechanism
and the explicit ACE's, and the automatic mechanism is winning. As to the
details of how all this plays out ... it's impossible to tell from your
description, since there are many factors that affect file ownership and
the ACL's that get created.

> Questions:
>
> 1) I could solve the problem if I could somehow make the ACL on files come
> out w/ the Group identifier 1st and Me (or others in our Rights Group) as
> the 2nd identifier. How do I do this?
>
> 2) An alternative would be that the only ACL identifier to appear on files
> would be that for the Group (leave off Me or others). How do I do that?

I know VMS V6.0 changed the behavior of VMS to avoid creating the CONTROL
ACE in many cases where V5 would create it. Presumably this was to avoid
the kinds of problems you are describing.

> 3) Least attractive solution would be to give every one of the Group a
> Disk Quota on the device. Although this seems to defeat the original
> objective.

Again, the rules for determining file owner, ACL propagation and
defaulting, and quota charging, are complex. You really need to read,
carefully and closely (and probably repeatedly) the sections discussing
this in the Guide To System Security, and compare it to the setup you've
got to see why things are working out the way they are.

							-- Jerry
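As an added illustration, not part of Jerry's message or of the poster's actual setup, the Python below models the "first matching ACE decides" rule the reply describes: the same pair of ACEs gives a group member different access depending only on their order, and an early ACCESS=NONE entry for one individual excludes that person even though a later ACE grants the whole group. The identifiers (PROJ_GROUP, JONES, SMITH, BROWN) and the access sets are constructed for the example; the model covers ACE ordering only, and reports "no ACE matched" as None rather than evaluating the UIC-based protection mask that real VMS would then consult.

```python
# Added example, not part of the original INFO-VAX message: a small Python
# model of the "first matching ACE decides" rule.  All identifiers, users
# and access sets below are constructed for illustration.  Only ACE ordering
# is modelled; when no ACE matches, real VMS falls back to the UIC-based
# protection mask, which this model reports as None.

from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry: (IDENTIFIER=..., ACCESS=...)."""
    identifier: str
    access: FrozenSet[str]  # empty set models ACCESS=NONE


@dataclass(frozen=True)
class User:
    """A process: its username plus every rights identifier it holds."""
    name: str
    rights: FrozenSet[str]


def first_matching_ace(acl: List[Ace], user: User) -> Optional[Ace]:
    """Return the first ACE whose identifier the user holds, or None."""
    for ace in acl:
        if ace.identifier in user.rights:
            return ace
    return None


def check_access(acl: List[Ace], user: User, requested: str) -> Optional[bool]:
    """True/False if an ACE matched and decided the request; None if no ACE
    matched (the decision would then come from the UIC-based protection)."""
    ace = first_matching_ace(acl, user)
    if ace is None:
        return None
    return requested in ace.access


def group_first(acl: List[Ace], group: str) -> List[Ace]:
    """Reorder an ACL so every ACE for `group` precedes the others: the
    layout the original poster found to work and was trying to preserve."""
    return ([a for a in acl if a.identifier == group]
            + [a for a in acl if a.identifier != group])


# --- constructed scenario (hypothetical names) -----------------------------
PROJ = "PROJ_GROUP"                                # the shared rights identifier
JONES = User("JONES", frozenset({"JONES", PROJ}))  # member of the rights group
SMITH = User("SMITH", frozenset({"SMITH", PROJ}))  # member to be excluded
OUTSIDER = User("BROWN", frozenset({"BROWN"}))     # holds no group identifier

FULL = frozenset({"READ", "WRITE", "EXECUTE", "DELETE"})

# The poster's first layout: a per-user ACE ahead of the group ACE.
ACL_ME_FIRST = [Ace("JONES", frozenset({"READ"})), Ace(PROJ, FULL)]
# The layout that worked: group ACE first, per-user ACE second.
ACL_GROUP_FIRST = group_first(ACL_ME_FIRST, PROJ)
# Jerry's case (a): deny one individual early, grant the group later.
ACL_DENY_SMITH = [Ace("SMITH", frozenset()), Ace(PROJ, FULL)]


def demo() -> dict:
    """Collect the decisions so the ordering effect is visible side by side."""
    return {
        "jones_write_me_first": check_access(ACL_ME_FIRST, JONES, "WRITE"),
        "jones_write_group_first": check_access(ACL_GROUP_FIRST, JONES, "WRITE"),
        "smith_read_denied": check_access(ACL_DENY_SMITH, SMITH, "READ"),
        "jones_read_via_group": check_access(ACL_DENY_SMITH, JONES, "READ"),
        "outsider_no_ace": check_access(ACL_GROUP_FIRST, OUTSIDER, "READ"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} -> {decision}")
```

Running it shows JONES denied WRITE under the "me first" ACL and granted it under the "group first" ACL, with the ACEs themselves unchanged: the per-user ACE is matched first and its narrower access set is the whole answer, which is the same effect the poster observed when Notepad reported the file read-only until the group ACE was moved ahead of the personal one.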