[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference iosg::all-in-1_v30

Title:	OLD ALL-IN-1 (tm) Support Conference
Notice:	Closed - See Note 4331.l to move to IOSG::ALL-IN-1
Moderator:	IOSG::PYE

Created:	Thu Jan 30 1992
Last Modified:	Tue Jan 23 1996
Last Successful Update:	Fri Jun 06 1997
Number of topics:	4343
Total number of notes:	18308

2108.0. "Archiving, Privileges, and write add/change/del" by BERN02::MUELLERS (Stefan A. M�ller DTN 761-4864) Mon Jan 18 1993 17:17

    Hello clever guys!
    
    I no longer understand ALL-IN-1... When I looked at archiving today I
    found something very confusing. After 4 years working with ALL-IN-1 I
    am very frustrated to see that I do not understand the way this product
    works...
    
    Till today I knew that it needs write access to write a record via
    write change to a .DAT file mapped by an entry form. 
    
    The script OA$DO:ARCHIVE_RESTORE_USER_DOCUMENTS.SCP which is performed 
    when an (unprivileged) user enters RAD (Restore archived document)
    executes the command
    
    WRITE ADD ARCHIVE_DOCS_PENDING_RECOVERY ...
    
    to write a request record to OA$DATA:ARCHIVE_DOCS_PENDING_RECOVERY.DAT.
    
    When I have a look at this file it has following security attributes:
    
    
    $ DIR/SEC OA$DATA:ARCHIVE_DOCS_PENDING_RECOVERY.DAT
    
    Directory A1DISK:[ALLIN1.DATA_SHARE]
    
    ARCHIVE_DOCS_PENDING_RECOVERY.DAT;1
                             15  10-AUG-1992 07:45:46.87  [ALLIN1]             
    (RWED,RWED,RE,RE)
              (IDENTIFIER=OA$MANAPP,ACCESS=READ+WRITE+EXECUTE+DELETE)
    
    
    
    Can someone explain me how a user with no privileges and no identifier
    OA$MANAPP gets the right to write to this data set? The only
    explanation I have at the moment is that the write function raises the
    privileges if it is used to add/change/delete a record within a certain 
    data set. But I guess this answer is too easy. 
    
    An other question concerns the security. If an unprivileged user may
    change records in this data set, it may damage a proper working of the
    archive subsystem.
    
    Or am I totaly beside the shoes?
    
    
    Stefan

T.R	Title	User	Personal Name	Date	Lines
2108.1	ALL-IN-1 raises privs to access the file	SCOTTC::MARSHALL	Spitfire Drivers Do It Topless	`Tue Jan 19 1993 00:05`	7
	As you suggest, ALL-IN-1 raises privs to access this data set on behalf of unprivileged users. What actions it takes, if any, to prevent users maliciously (or accidentally) corrupting the file, I don't know. Probably not many. Scott
2108.2	Me too!	IOSG::PYE	Graham - ALL-IN-1 Sorcerer's Apprentice	`Tue Jan 19 1993 09:24`	19
	Re .0 Don't worry about not understanding ALL-IN-1! I have been working on it for over six years and I still have no idea how some of it works... There are several places where the image uses its privileges to access data files. The PROFILE.DAT access is the most common one. Here the PROFIL dataset has a special action routine that carefully validates the calling user and the requested action before raising privs to access the file. To be strictly accurate, its the data action routine rather than the WRITE function, which decides to raise privs. Access to the mail shared areas is another place where privs are raised, again after careful checks. Perhaps the ex-archive developer will give us more details of how this works? Graham
2108.3	Brief lesson on data-sets and privileges	IOSG::SHOVE	Dave Shove -- REO2-G/M6	`Tue Jan 19 1993 12:09`	46
	The way data data-sets (as opposed to text data-sets) work is this: The code searches a built-in list of data-sets for the name (ARCHIVE_DOCS_PENDING_RECOVERY in this case). If it finds a data-set of that name, it uses it. If it doesn't, it uses a default data-set. In either case, it extracts the name of the "action routine" to use from the DSAB it found. In the default DSAB it's OA$RMS_ACTION. For PROFILE, the DSAB looks like: $DSAB(NAME='PROFIL',CLASS=DATA, ACTION=OA$PROFIL_ACTION, CACHE_USE=4, CACHE_OPEN=32, CHOICES=1, PRIV = 1, FILL=%C' ', SIGNAL=1, USER1=0, USER2=0) Here, a special action routine (OA$PROFIL_ACTION) has been specified, which contains the code which allows users only to modify their own record, and even then only certain fields in that record. For ARCHIVE_DOCS_PENDING_RECOVERY, the DSAB looks like: $DSAB (NAME = 'ARCHIVE_DOCS_PENDING_RECOVERY', ACTION = OA$RMS_ACTION, CLASS = DATA, PRIV=1, SIGNAL=0, FILL=%C' ', CHOICES = 1) Here, the action routine is the default one, BUT the DSAB has specified PRIV=1 which tells that action routine to turn on the image's privs before accessing the file. (This also applies to some of the other Archive data-sets). Now, exactly how this works I'll have to leave to the (ex-)archive developer. Dave.
2108.5	Why the ACE for OA$MANAPP?	UTES09::EIJS	Simon Eijs @Utrecht, 7838-2558	`Tue Jan 26 1993 08:34`	14
	Hi Stefan, One thing I'm curious about is that your example of ARCHIVE_DOCS_PENDING_RECOVERY.DAT contains an ACL with an ACE for OA$MANAPP. OA$MANAPP doesn't need access to this file in any other way than a normal user, and the privileges 'built-in' will do their job for someone with OA$MANAPP also. ??? Ciao, Simon
2108.6	Other Problems...	BERN02::MUELLERS	Stefan A. M�ller DTN 761-4864	`Wed Jan 27 1993 09:21`	27
	Hi Simon, On my system which has been upgraded from V2.4 I have two ARCHIVE....DATs: $ dir /sec oa$data:ARCHIVE_DOCS_PENDING_RECOVERY.DAT/nodate Directory A1DISK:[ALLIN1.SITE.DATA_SHARE] ARCHIVE_DOCS_PENDING_RECOVERY.DAT;1 15 [ALLIN1] (RWED,RWED,RE,RE) (IDENTIFIER=OA$MANAPP,ACCESS=READ+WRITE+EXECUTE+DELETE) Total of 1 file, 15 blocks. Directory A1DISK:[ALLIN1.DATA_SHARE] ARCHIVE_DOCS_PENDING_RECOVERY.DAT;11 3 [ALLIN1] (RWED,RWED,RE,RE) Total of 1 file, 3 blocks. This is another problem I have to solve....Maybe someone has the same behaviour on an upgraded system. Stefan
2108.7	The same ACL-s and files	BPSOF::LOVAS	Kati Lovas	`Fri Sep 17 1993 09:32`	36
	Simon, our system shows exactly the same ! Upgraded from 2.4 to 3.0 with K701 patch. The upgrade date is: 11-dec-1992. Look: Directory ALLIN1$DATA:[DATA.SITE.DATA_SHARE] ARCHIVE_DOCS_PENDING_RECOVERY.DAT;1 156 11-DEC-1992 18:46:31.69 OA$MANAPP (RWED,RWED,RE,RE) (IDENTIFIER=OA$MANAPP,ACCESS=READ+WRITE+EXECUTE+DELETE) Total of 1 file, 156 blocks. Directory ALLIN1$DATA:[DATA.DATA_SHARE] ARCHIVE_DOCS_PENDING_RECOVERY.DAT;47 3 9-SEP-1993 01:05:53.05 [DESK,ALLIN1] (RWED,RWED,RWED,RE) ARCHIVE_DOCS_PENDING_RECOVERY.DAT;46 3 2-SEP-1993 01:07:22.94 [DESK,ALLIN1] (RWED,RWED,RWED,RE) Total of 2 files, 6 blocks. Grand total of 2 directories, 3 files, 162 blocks. Strange around dates ??? Kati
2108.8	Er, I think it's a bug!	IOSG::PYE	Graham - ALL-IN-1 Sorcerer's Apprentice	`Fri Sep 17 1993 10:52`	26
	Well this would seem to be a bug in the upgrade... The PostInstall Script ARC_PEND_CONV.SCP copies the existing 310 byte length record file into OA$DATA:V24_ARCHIVE_DOCS_PENDING.DAT, this of course goes to the first part of the OA$DATA search list, i.e. OA$SITE_DATA_SHARE. Then it goes on to do an OA$CNV_CONVERT of this file using the ARCHIVE_DOCS_PENDING_RECOVERY form, which since it too specifies OA$DATA as the file location, makes the converted (now 320 byte length records) file go into OA$SITE_DATA_SHARE too. Since the installation has previously (correctly :-) ) put a default ACL for OA$MANAPP on the OA$SITE_DATA_SHARE directory, the new data files get that ACL too. Bit of course, all of this should still work, since the new version of the file will be found first... So the (tidy-up) workround is to move the newly converted file into OA$DATA_SHARE and get rid of the old version. Of course, if you are runing the reorganise files housekeeping procedure, it specifically references the file with OA$DATA_SHARE, and $CONVERT/FDLs the old file into its new record length.... I'll report this internally! Graham
2108.9	Outstanding problem from .0 .....	IOSG::PYE	Graham - ALL-IN-1 Sorcerer's Apprentice	`Fri Sep 17 1993 11:31`	5
	Of course this still doesn't explain how the file described in .0 got OA$MANAPP on it, since that system had the data file correctly placed in OA$DATA_SHARE... Graham