From: CSBVAX::MRGATE!INFO-VAX-RELAY@KL.SRI.COM@SMTP 23-JUN-1988 09:12
To: ARISIA::EVERHART
Subj: re: ACL troubles

Received: from Venus.YCC.Yale.Edu by KL.SRI.COM with TCP; Fri, 17 Jun 88 09:07:23 PDT
Date: Fri, 17 Jun 88 11:36 EST
From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)"
Subject: re: ACL troubles
To: Poulin@RADC-MULTICS.ARPA, INFO-VAX@KL.SRI.COM
X-VMS-To: IN%"Poulin@RADC-MULTICS.ARPA",INFOVAX

    I have two users:

        POULIN  w/UIC [EP500,POULIN]  and home dir COEE:[POULIN]
    and
        ARCHIVE w/UIC [ATARI,ARCHIVE] and home dir COEE:[ARCHIVE]

    I want to allow POULIN to have complete access to ARCHIVE's directories
    and files, but I didn't want to use the SET PROT commands because they
    are rather primitive and wouldn't give me the security I desire. So, I
    got out the VAX/VMS security manual and went to work.

    I set the ACL on [000000]ARCHIVE.DIR to

        (IDENTIFIER=[EP500,POULIN],OPTIONS=DEFAULT,
         ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)

    I set the same ACL on all the files in COEE:[ARCHIVE] (minus the
    OPTIONS=DEFAULT of course). Doing a DIR/ACL confirmed and verified my
    settings.

    The protection on all the files in ARCHIVE's directory, including the
    directory itself, is set to: (RWED,RWED,,). This, too, was confirmed.

    Everything seemed to be set right to me, so I logged in as POULIN,
    changed my default to COEE:[ARCHIVE], did a DIR and got a file
    protection violation error. I retraced my steps and tried again several
    times, but it still didn't work.

You have to give [EP500,POULIN] access to the file [000000]ARCHIVE.DIR. You
haven't done that: An OPTIONS=DEFAULT ACE provides a default protection for
files created in a directory, but has NO effect on access to the directory
itself. Add the ACE:

    (IDENTIFIER=[EP500,POULIN],
     ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)

to [000000]ARCHIVE.DIR and things should start working.

                                                        -- Jerry

PS: A LOT of people have been caught by this!
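
Added example, not part of the original message: a simplified Python model of the access check described in the reply, showing why an OPTIONS=DEFAULT ACE on ARCHIVE.DIR protects new files but does not open the directory itself. It assumes ARCHIVE.DIR is owned by [ATARI,ARCHIVE], leaves out the SYSTEM field and privileges, and lets the first matching ACE decide; all function and variable names are made up for this sketch.

```python
from dataclasses import dataclass

FULL = frozenset("RWEDC")  # READ+WRITE+EXECUTE+DELETE+CONTROL

@dataclass(frozen=True)
class ACE:
    identifier: str            # UIC identifier, e.g. "[EP500,POULIN]"
    access: frozenset
    default: bool = False      # True models OPTIONS=DEFAULT

def uic_class(user, owner):
    """Pick the protection field that applies (SYSTEM is left out of this model)."""
    if user == owner:
        return "owner"
    same_group = user.strip("[]").split(",")[0] == owner.strip("[]").split(",")[0]
    return "group" if same_group else "world"

def check(user, obj, want):
    """First matching non-default ACE decides; otherwise fall back to UIC protection."""
    for ace in obj["acl"]:
        if ace.default:        # default ACEs take no part in access to the object itself
            continue
        if ace.identifier == user:
            return want in ace.access
    return want in obj["prot"][uic_class(user, obj["owner"])]

def create_file(directory):
    """New files receive the directory's default ACEs with the DEFAULT option dropped.
    Assumption: the file gets the same (RWED,RWED,,) protection the question reports."""
    acl = [ACE(a.identifier, a.access) for a in directory["acl"] if a.default]
    return {"owner": directory["owner"], "prot": dict(directory["prot"]), "acl": acl}

POULIN, ARCHIVE = "[EP500,POULIN]", "[ATARI,ARCHIVE]"
PROT = {"owner": set("RWED"), "group": set(), "world": set()}   # (RWED,RWED,,)

# ARCHIVE.DIR as set up in the question: only the OPTIONS=DEFAULT ACE.
dir_before = {"owner": ARCHIVE, "prot": PROT, "acl": [ACE(POULIN, FULL, default=True)]}
# After the fix from the reply: a second, non-default ACE on the directory file.
dir_after = {"owner": ARCHIVE, "prot": PROT,
             "acl": [ACE(POULIN, FULL), ACE(POULIN, FULL, default=True)]}

if __name__ == "__main__":
    print("read ARCHIVE.DIR, before fix:", check(POULIN, dir_before, "R"))
    print("read ARCHIVE.DIR, after fix: ", check(POULIN, dir_after, "R"))
    print("read file created in it:     ", check(POULIN, create_file(dir_before), "R"))
```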