OpenVMS System Manager's Manual
10.4 Getting File Information
Use the DCL command DIRECTORY to retrieve
information about disk and magnetic tape files in a directory, using
the following format:
DIRECTORY [filespec[,...]]
When you include certain command qualifiers with the DIRECTORY command,
you can retrieve information in addition to a list of the names of the
files in the directory. Refer to the OpenVMS DCL Dictionary for a list of
qualifiers that you can use with the DIRECTORY command.
The following examples illustrate three cases of retrieving information
from the [MALCOLM] directory, which resides on a disk with the logical
name DISK$DOCUMENT.
Examples
-
$ DIRECTORY AVERAGE.*
Directory DISK$DOCUMENT:[MALCOLM]
AVERAGE.EXE;6 AVERAGE.FOR;6 AVERAGE.LIS;4 AVERAGE.OBJ;12
Total of 4 files.
The DIRECTORY command in this example lists all file types of the
AVERAGE file and the version number of each file. The command would
also list all versions of these files; however, only one version of
each file exists.
-
$ DIRECTORY/SIZE/DATE/VERSIONS=1/PROTECTION AVERAGE
Directory DISK$DOCUMENT:[MALCOLM]
AVERAGE.EXE;6 6 10-APR-2000 15:43 (RWED,RWED,RWED,RE)
AVERAGE.FOR;6 2 2-APR-2000 10:29 (RWED,RWED,RWED,RE)
AVERAGE.LIS;4 5 9-APR-2000 16:27 (RWED,RWED,RWED,RE)
AVERAGE.OBJ;6 2 9-APR-2000 16:27 (RWED,RWED,RWED,RE)
Total of 4 files, 15 blocks.
The DIRECTORY command in this example displays all the file types
of the AVERAGE file and the version number of each file. The /SIZE
qualifier displays the size of each file in blocks used. The /DATE
qualifier displays the creation date of the version of the file that is
listed. The /VERSIONS=1 qualifier limits the number of versions of the
file displayed to one (the most recent) version. The /PROTECTION
qualifier displays the file protection for each file.
-
$ DIRECTORY/FULL/VERSIONS=1 [MALCOLM...]AVERAGE.EXE
Directory DISK$DOCUMENT:[MALCOLM]
AVERAGE.EXE;6 File ID: (4098,149,0)
Size: 36/36 Owner: [DOCUMENTATION,MALCOLM]
Created: 27-MAY-2000 12:22:26.30
Revised: 27-MAY-2000 12:22:51.35 (2)
Expires: <None specified>
Backup: 3-JUN-2000 22:03.09
Effective: <None specified>
Recording: <None specified>
File organization: Sequential
Shelved state: Online
File attributes: Allocation: 36, Extend: 36, Global buffer count: 0
No version limit
Record format: Variable length, maximum 255 bytes
Record attributes: Carriage return carriage control
Journaling enabled: None
File protection: System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List: None
Total of 1 file, 36/36 blocks.
Directory DISK$DOCUMENT:[MALCOLM.TEST]
AVERAGE.EXE;1 File ID: (7714,29,0)
Size: 36/36 Owner: [DOCUMENTATION,MALCOLM]
Created: 15-APR-2000 10:12
Revised: 15-APR-2000 10:12 (1)
Expires: <None specified>
Backup: 15-APR-2000 22:41
Effective: <None specified>
Recording: <None specified>
File organization: Sequential
Shelved state: Shelved
File attributes: Allocation: 36, Extend: 36, Global buffer count: 0
No version limit
Record format: Variable length, maximum 255 bytes
Record attributes: Carriage return carriage control
Journaling Enabled : None
File protection: System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List: None
Total of 1 file, 36/36 blocks.
Grand total of 2 directories, 2 files, 72/72 blocks.
The DIRECTORY command in this example displays a full directory
listing of one version of the AVERAGE.EXE file in the top-level
directory [MALCOLM] and subdirectories under it.
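The /PROTECTION column in the second example above can be checked mechanically. The following Python script is an added example, not part of the OpenVMS manual: it assumes the four fields are in system, owner, group, world order (as the SHOW SECURITY and DIRECTORY/SECURITY outputs for IMAGES.DIR in Section 10.5.3.2 indicate) and compares each file with a policy equal to the process default (S:RWED,O:RWED,G:RE,W). The PAYROLL.DAT line, the policy parameters, and the function names are constructed.

```python
import re

# Field order in a DIRECTORY/PROTECTION listing (assumed: system, owner, group, world).
CATEGORIES = ("system", "owner", "group", "world")

# filename.type;version, any other columns, then the parenthesised protection field.
LINE_RE = re.compile(r"^(?P<file>\S+;\d+)\s.*\((?P<prot>[RWED,]*)\)\s*$")

def parse_listing(text):
    """Return {filespec: {category: set of access letters}} for each file line."""
    files = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # directory header, totals, blank lines
        fields = m.group("prot").split(",")
        if len(fields) != len(CATEGORIES):
            continue  # not a four-field protection code
        files[m.group("file")] = {c: set(f) for c, f in zip(CATEGORIES, fields)}
    return files

def audit(files, group_allowed=frozenset("RE"), world_allowed=frozenset()):
    """List (filespec, category, excess letters) where access exceeds the policy."""
    findings = []
    for name, prot in sorted(files.items()):
        for cat, allowed in (("group", group_allowed), ("world", world_allowed)):
            excess = prot[cat] - allowed
            if excess:
                letters = "".join(sorted(excess, key="RWED".index))
                findings.append((name, cat, letters))
    return findings

# Listing lines from the second example above, plus one constructed line (PAYROLL.DAT).
SAMPLE = """\
Directory DISK$DOCUMENT:[MALCOLM]
AVERAGE.EXE;6 6 10-APR-2000 15:43 (RWED,RWED,RWED,RE)
AVERAGE.FOR;6 2 2-APR-2000 10:29 (RWED,RWED,RWED,RE)
AVERAGE.LIS;4 5 9-APR-2000 16:27 (RWED,RWED,RWED,RE)
AVERAGE.OBJ;6 2 9-APR-2000 16:27 (RWED,RWED,RWED,RE)
PAYROLL.DAT;1 9 9-APR-2000 16:30 (RWED,RWED,RE,)
"""

if __name__ == "__main__":
    for name, cat, excess in audit(parse_listing(SAMPLE)):
        print(f"{name}: {cat} has {excess} beyond policy")
```

Every AVERAGE file is reported twice (group write and delete, world read and execute), while the constructed PAYROLL.DAT line matches the default and produces no finding.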
10.5 Protecting Files
The following sections discuss file protection concepts and explain how
to perform these tasks:
10.5.1 Understanding File Protection Concepts
You can protect data on disk and magnetic tape media at the following
levels:
Level of Protection | Description
Device level | For information about setting device protection characteristics, see the descriptions of the DCL commands INITIALIZE, MOUNT, SET DEVICES, SET SECURITY/PROTECTION, and SET VOLUME in Chapter 9 and in the OpenVMS DCL Dictionary. Refer to Chapter 8 for additional information about peripheral devices.
Volume level | The system provides protection for disk and tape volumes. For more information, see the following sections:
File level | The system provides protection for disk files and directory files. For more information, see the following sections:
You can protect data residing on disk and tape volumes by using one or
more of the following methods:
Type of Protection | For More Information
UIC-based protection codes | Chapter 12
Access control lists (ACLs) | Chapter 12
ISO 9660-formatted media protection | Section 9.4.2
ANSI-standard accessibility protection (magnetic tape only) | Section 9.4.2
For the most part, file protection is transparent. Tools exist,
however, to adjust the protection of a file. You can set the protection
or modify the ACL of a file if at least one of these statements is true:
- You own the file.
- You have control access to the file.
- You have SYSPRV privilege.
- The group part of your UIC is less than or equal to MAXSYSGROUP.
- You have GRPPRV and you have the same group UIC as the file.
10.5.2 Displaying File Ownership and Protection
You can display ownership and protection information with the commands
and qualifiers shown in Table 10-1.
Table 10-1 DCL Commands to Display Ownership and Protection
Command | Use to Display
DIRECTORY/ACL filespec | ACL of file
DIRECTORY/OWNER_UIC filespec | UIC of owner of file
DIRECTORY/PROTECTION filespec | UIC-based protection of file
DIRECTORY/SECURITY | All of the above
DIRECTORY/FULL filespec | All of the above and other, nonsecurity information
SHOW DEVICES/FULL device-name | Device UIC and protection
SHOW PROCESS | Process UIC
SHOW PROTECTION | Default file protection
SHOW SECURITY | All of the above
Directory structures do not apply to tape volumes. However, you can use
the DIRECTORY command to search for files on tape volumes.
Section 10.7 describes how to access tape files for read and write
operations and also explains the use of the DIRECTORY command for tapes.
The DCL command SHOW PROTECTION displays the current process default
protection. This protection is applied to files created during your
terminal session or to batch jobs, where defaults from directories or
previously existing versions are not available.
Note
To use the SHOW PROTECTION command to display the default protection of
magnetic tapes, you must specify the /PROTECTION qualifier with the
INITIALIZE command when you initialize the magnetic tape volume.
Otherwise, the protection is not written to the magnetic tape volume.
See the description of initializing magnetic tape volumes in
Section 9.3.
The next example illustrates how you can use the SHOW PROTECTION
command to display the default protection characteristics for disk
files.
Example
$ SHOW PROTECTION
SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=NO ACCESS
In this example, the SHOW PROTECTION command requests a display of the
current protection defaults.
10.5.3 Protecting Disk Files
Each file on a disk has its own protection code, which is distinct from
the protection that applies to the disk volume itself. Files residing
on disk volumes have the access types shown in Table 10-2.
Table 10-2 Access Types with Disk File Protection
Access Type | Gives you the right to...
Read | Read, print, or copy a disk file. Read access automatically includes execute access to a specified file or group of files on disk.
Write | Write to or change the contents of a file, but not delete it. Write access allows modification of the file characteristics that describe the contents of the file.
Execute | Execute a file that contains an executable program image or DCL command procedure.
Delete | Delete the file. To delete a file, you must have delete access to the file and write access to the directory that contains the file.
Control | Change file characteristics, including the protection code and ACL. Special restrictions apply to changing the owner of a file.
If you do not define a protection code for a file when you create it,
the system applies default protection. If a version of the file already
exists, protection is taken from the previous version.
For a new file, the system determines protection in two major ways:
- If the directory where the file is to be cataloged has an
associated access control entry (ACE) that specifies the default
protection, the system uses the specified protection.
- If the directory does not have the default protection ACE, the
system uses the default process protection. You establish the default
process protection explicitly with the SET PROTECTION/DEFAULT command,
or by default when you log in.
For disk volumes, each file on the volume can have a different
protection associated with it. The SET SECURITY/PROTECTION command and
other file-manipulating commands allow you to define the protection for
individual files.
Note
To protect a file completely, you must protect both the file itself and
the directory that lists the file. To protect a file against
unauthorized access, specify the proper protection both for the
directory that lists the file and for the file itself. See
Section 10.5.4 for instructions on protecting directories.
The following sections explain how to perform these tasks:
10.5.3.1 Setting Default Disk File Protection
A new file receives default UIC-based protection and the default access
control entries (ACEs), if any, of its parent directory. A new version
of an existing file receives the UIC-based protection and ACL of the
previous version.
The protection of a renamed file is unchanged unless you use the
RENAME/INHERIT command.
How to Change Default UIC Protection
The operating system provides each process with a default UIC-based
protection of (S:RWED,O:RWED,G:RE,W). To change the default protection
that is applied to files created by that process, enter the SET
PROTECTION/DEFAULT command using the following format:
SET PROTECTION[=(code)]/DEFAULT
where:
code | Defines the protection to be applied to the specified files. If you omit the code, the access is set to the current default protection.
For example, if you place the following command in your login command
procedure, you grant all processes read and execute access to any files
that you subsequently create:
$ SET PROTECTION = (S:RWED,O:RWED,G:RE,W:RE)/DEFAULT
(Remember that you must execute the login command procedure for this
command to take effect.)
10.5.3.2 Setting Explicit Disk File Protection
You can explicitly specify UIC-based protection for a new file with the
/PROTECTION qualifier (valid with the BACKUP, COPY, RENAME, and CREATE
commands), as shown in the following command line:
$ CREATE MAST12.TXT/PROTECTION=(S:RWED,O:RWED,G,W)
After a file is created and you have created an ACL for the file, you
can modify the ACL and add as many ACEs to the ACL as you want. The
protection specified by the ACL overrides the UIC protection of the
file.
The following examples show how to check and specify protection codes.
Examples
-
$ SHOW PROTECTION
SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=NO ACCESS
The SHOW PROTECTION command displays the current default protection.
In this example, the response shows the system default protection,
which indicates that the system and owner have all types of access,
group users have read and execute access, and world users have no
access.
-
$ SHOW SECURITY IMAGES.DIR
DBA1:[SADAMS]IMAGES.DIR;1 object of class FILE
Owner: [SAM,SADAMS]
Protection: (System: RWE, Owner: RWE, Group: RE, World: E)
Access Control List:
(IDENTIFIER=[SAM,SADAMS],ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
In this example, the SHOW SECURITY command displays the current
protection associated with the file IMAGES.DIR.
-
$ DIRECTORY/SECURITY IMAGES.DIR
Directory DBA1:[SADAMS]
IMAGES.DIR;1 [VMS,SADAMS] (RWE,RWE,RE,E)
(IDENTIFIER=[VMS,SADAMS],ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
Total of 1 file.
In this example, the /SECURITY qualifier with the DIRECTORY command
displays the current protection associated with the IMAGES.DIR file.
-
$ COPY/PROTECTION=(SYSTEM:RW,OWNER:RWED,GROUP:RW,WORLD) ABC.DAT XYZ.DAT
In this example, the /PROTECTION qualifier specifies a protection
code when the ABC.DAT file is copied to XYZ.DAT.
-
$ SET SECURITY/PROTECTION=(SYSTEM:RWE,OWNER:RWED,GROUP:RE,WORLD) ABC.DAT
In this example, the SET SECURITY/PROTECTION command changes the
protection for an existing file. The command gives the following
instructions regarding the file ABC.DAT: system users have read, write,
and execute access; the owner has read, write, execute, and delete
access; group users have only read and execute access; world users have
no access. Control access is implied and unchangeable for system
and owner categories but not for group and world.
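The delete rule from Table 10-2 and the note in Section 10.5.3 (protect both the file and the directory that lists it) can be applied to the protection codes printed in the examples above. The following Python code is an added example, not part of the OpenVMS manual: it evaluates UIC-based codes only, one category at a time, and does not model ACLs or privileges. Treating IMAGES.DIR as the directory that lists ABC.DAT is an assumption made for illustration, and DIR_LOCKED, FILE_OPEN, and the function names are constructed.

```python
import re

CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")

def parse_code(code):
    """Parse a UIC-based protection code into {category: set of R/W/E/D}.

    Accepts the spellings printed in this chapter: (S:RWED,O:RWED,G:RE,W),
    (SYSTEM:RW,...,WORLD), "System: RWE, ..." and "WORLD=NO ACCESS".
    A category named without access letters means no access.
    """
    result = {}
    for item in code.strip().strip("()").split(","):
        m = re.fullmatch(r"\s*([A-Za-z]+)\s*(?:[:=]\s*(.*?))?\s*", item)
        if not m:
            raise ValueError(f"bad protection field: {item!r}")
        word = m.group(1).upper()
        names = [c for c in CATEGORIES if c.startswith(word)]
        access = (m.group(2) or "").upper()
        if access == "NO ACCESS":
            access = ""
        if len(names) != 1 or set(access) - set("RWED"):
            raise ValueError(f"bad protection field: {item!r}")
        result[names[0].lower()] = set(access)
    return result

def who_can_delete(file_code, dir_code):
    """Categories holding D on the file and W on the directory that lists it."""
    f, d = parse_code(file_code), parse_code(dir_code)
    return [c.lower() for c in CATEGORIES
            if "D" in f.get(c.lower(), set()) and "W" in d.get(c.lower(), set())]

# Codes taken from the examples above.
FILE_ABC = "(SYSTEM:RWE,OWNER:RWED,GROUP:RE,WORLD)"             # SET SECURITY on ABC.DAT
DIR_IMAGES = "(System: RWE, Owner: RWE, Group: RE, World: E)"   # SHOW SECURITY IMAGES.DIR
# Constructed codes: a read-only directory and a file open to every category.
DIR_LOCKED = "(S:RE,O:RE,G:RE,W)"
FILE_OPEN = "(S:RWED,O:RWED,G:RWED,W:RWED)"

if __name__ == "__main__":
    print(who_can_delete(FILE_ABC, DIR_IMAGES))   # owner only
    print(who_can_delete(FILE_ABC, DIR_LOCKED))   # nobody: no W on the directory
    print(who_can_delete(FILE_OPEN, DIR_IMAGES))  # directory limits it to system, owner
```

The third case shows why the directory matters: the file grants delete access to every category, but only the categories with write access to the directory can actually delete it.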
10.5.3.3 Modifying Disk File Protection Characteristics
Table 10-3 shows the DCL commands that you can use to establish and
modify the protection characteristics of files.
Table 10-3 DCL Commands to Modify File Protection Characteristics
Command | Description | For More Information
SET DIRECTORY | Modifies the characteristics of one or more directories. The directory protection can override the protection of individual files within the directory. | See Section 10.5.4.
SET FILE | Modifies the characteristics of one or more files, including the version limits on files. | See Section 10.5.3.3.2.
SET PROTECTION/DEFAULT | Sets the default UIC protection on files. | Refer to the OpenVMS Guide to System Security.
SET SECURITY | Modifies the security profile of an object. Such a profile contains the following characteristics: an access control list (ACL); a protection code, which defines access to objects based on the categories of system, owner, group, and world; and an owner. The system uses the owner characteristic to interpret the protection code. | Refer to the OpenVMS Guide to System Security and the OpenVMS DCL Dictionary.
SET VOLUME | Changes the characteristics of one or more mounted Files-11 volumes. The /FILE_PROTECTION qualifier sets the default protection to be applied to all files on the specified disk volume. | See Section 9.4.1.2.
For a complete list of the command qualifiers and parameters applicable
to each of these DCL commands, refer to the OpenVMS DCL Dictionary.
10.5.3.3.1 Changing File Protection Characteristics
To change or reset the protection characteristics of one or more files,
use the following format:
SET SECURITY/PROTECTION = code file-spec[,...]
where:
code | Defines the protection to be applied to the specified files. You cannot omit the code.
file-spec | Specifies one or more files for which the protection is to be changed. A file name and file type are required. If you omit a version number, the protection is changed only for the highest existing version of the file. Wildcard characters are allowed.
The following examples show ways to change file protection.
Examples
-
$ DELETE INCOME.DAT;3
%DELETE-W-FILNOTDEL, error deleting DISK1:[SMITH]INCOME.DAT;3
-RMS-E-PRV, insufficient privilege or file protection violation
$ SET SECURITY/PROTECTION=OWNER:D INCOME.DAT;3
$ DELETE INCOME.DAT;3
In this example, the file INCOME.DAT;3 is protected against
deletion. The SET SECURITY/PROTECTION command changes only the owner's
delete access for the file INCOME.DAT;3. Now the owner can delete the
file.
-
$ SET SECURITY/PROTECTION=(SYSTEM:R,OWNER:RWED,GROUP:RW) PAYROLL.LIS
In this example, the SET SECURITY/PROTECTION command changes the
protection codes applied to the PAYROLL.LIS file. The command gives the
system read access; the owner read, write, execute, and delete access;
and users in the owner's group read and write access.