From: MERC::"uunet!CRVAX.SRI.COM!RELAY-INFO-VAX" 18-JAN-1993 01:25:00.41 To: INFO-VAX@kl.sri.com CC: Subj: re: Propagating UIC protection to .dir files I'm trying to propagate a default protection to all subdirectories of a users directory that this user creates. I've tried setting a default protection ace on the users sys$login directory as follows: (DEFAULT_PROTECTION,SYSTEM:RWED,O:RWED,G:RE,W:) The protection mask on this users sys$login directory is: (RWE,RWED,RE,) When the user creates a sub-directory, it gets: (RWE,RWE,RE,) (DEFAULT_PROTECTION,S:RWED,O:RWED,G:RE,W:) This is fine for the FILES created, they get the correct mask. But what did I do wrong, or what am I missing. Both the ACL manual and help for default protection state that this ACE is "used to ensure that one type of uic-based protection is propagated throughout a directory tree." I interpreted this to mean the .dir files created under this directory would get the default_protection mask. Those descriptions are a bit too terse. Directory files are treated differ- ently; if you check the Guide to System Security, you can find two sections that describe how the default protection for files is determined. The reason there are two sections is that the rules differ for directories and other files. For directories, both the UIC-based protection and the ACL are copied from the parent directory (except that ACE's marked NOPROPAGATE are not copied). At least that's what this particular manual says; in fact, it's wrong, since VMS actually removes all DELETE protections from the SOGW mask before copying it to a directory file. (This is documented somewhere or another.) As you can see, what you end up with on the subdirectory is exactly what these rules would lead you to expect: The ACL (consisting of a single DEFAULT_ PROTECTION ACE) is copied unchanged, and the SOGW mask is copied with all DELETE access turned off. Unfortunately, there is no way to accomplish what you want. Notes to DEC (someone with software support might want to file an SPR; on the second, a DECUS SIR might be appropriate, if anyone cares enough): 1. The documentation needs a little work. First, the misleading (because oversimplified) statements in the ACL manual and the HELP file need a bit of expansion, probably a reference to the Security book. Then the Security book's elision of reference to the "D" bit hack needs to be corrected. 2. The reason for the "D" bit hack goes back to RSX, and has not been needed since VMS V3 or thereabouts: It is impossible to delete a non-empty directory, regardless of the protection mask, so there is really no longer any need to make the default protection "safe" in this way (as there once was). The default was never changed, mainly for backward compatibi- lity. I doubt anyone really CARES about that particular bit of compatibility, but how about a SYSGEN parameter that lets you set it either way? -- Jerry