
Friday Fine-tune: directories and tombstones

A 3000 manager wanted to know about adjusting privileges on their server. When the community's veterans started to respond, extra information rose up. Some of it was about the management of files in MPE/iX, the kind of legacy recorded on what's known as a tombstone.

Tombstones are data used to solve 3000 problems and establish file access. HP says in its manual for programming in MPE/iX that "It's frequently necessary to obtain status information on a file to determine the cause of an error." A File Information Display is frequently called a tombstone, providing:

  • Actual physical and operational file characteristics.
  • Current file information, pertaining to end of file, record pointer, and logical and physical transfer count. Information on the last error for the file and the last HPFOPEN or FOPEN error.
  • When a file is opened, the final characteristics may be different from those originally requested because of defaults, overrides, :FILE commands, and the file label.

You can use the PRINTFILEINFO intrinsic to print a tombstone. It requires that you specify the file number returned when the file is opened by HPFOPEN or FOPEN. The tombstone can display either a full or short format.  If the file is open, it provides a full display. Otherwise, it provides a short display. Calling this intrinsic does not automatically abort the program.

You can call the PRINTFILEINFO intrinsic from programs written in COBOL II/XL and HP FORTRAN 77/iX. When calling from COBOL II/XL, use the FD filename. You can call the name PRINTFILEINFO directly from HP FORTRAN 77/iX programs. You can obtain the required file number by using the FNUM intrinsic.

Tombstones came up after one list member resurrected an answer about privileges from an 11-year-old post. Ray Shahan, still managing archival systems for Republic Title of Texas, heard his name in a discussion about TD and RD privileges and how to control them. He quipped about not being heard from in ages.

"I have been asked by our security group to remove TD and RD privileges from our HP 3000," Reggie Monroe wrote this week. "These are for Reading and Traversing Directories. Does anyone know what the impact of this would be, if any?"

Tracy Johnson replied that "Unless your users have access to Posix files, you can categorically state you don't have any to remove."

There is an old comp.sys.hp.mpe posting where Ray Shahan wants to add TD and RD privileges. Just do the opposite, though that may be a bad thing if applied to MPE groups and accounts treated as directories.

The original TD and RD posting

The advice from the 2005 discussion included using Posix to enable "execute" permissions on all directories needed to get to the directory you want. So the opposite would be to disable those permissions. The ALTSEC command does this. The process will also include adding ACDs to the directory.

Once considered a new feature of MPE/iX, Access Control Definitions are pseudo bits of information on the HP 3000.

ACDs are ordered lists of pairs. The pairs are made up of access permissions and user specifications that control access to objects. Objects are passive entities that contain or receive information, such as files, directories, and devices. Each entry in the ACD specifies object access permissions granted to a specific user or group of users. In addition to being granted access to an object protected by an ACD, users can also be granted access to read the ACD itself.

ACDs can be applied to any MPE/iX files using the ALTSEC command. This command was enhanced to support directories. If a file has an ACD, this method of specifying access to the file takes precedence over other security features, such as lockwords and the file access matrix. ACDs cannot be placed on root, account, group, or directories.
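
An added example, not from the original post or HP's manuals: a simplified Python model of ACDs as permission and user-specification pairs, used to see what removing TD and RD from a directory would cut off before ALTSEC is run. The directory names, users and pairs are constructed, and the rule that the most specific matching user specification wins is an assumption of the model.

```python
# Simplified model of MPE/iX directory ACDs (assumption, not HP code).
# An ACD is a list of (permissions, user-spec) pairs; all data is constructed.

def spec_matches(spec, user):
    """User specs take the forms NAME.ACCT, @.ACCT and @.@."""
    (s_user, s_acct), (u_user, u_acct) = spec.split("."), user.split(".")
    return s_user in ("@", u_user) and s_acct in ("@", u_acct)

def granted(acd, user):
    """Permissions from the most specific matching pair (assumed rule)."""
    hits = [(spec.count("@"), perms) for perms, spec in acd
            if spec_matches(spec, user)]
    return set(min(hits, key=lambda h: h[0])[1]) if hits else set()

def can_reach(acds, path, user):
    """Return (ok, blocking_dir): TD is needed on each ACD-protected ancestor."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        directory = "/" + "/".join(parts[:depth])
        # Accounts and groups carry no ACD in this model, so they are skipped.
        if directory in acds and "TD" not in granted(acds[directory], user):
            return False, directory
    return True, None

def can_list(acds, directory, user):
    """Listing needs a reachable directory plus RD on the directory itself."""
    return (can_reach(acds, directory, user)[0]
            and "RD" in granted(acds.get(directory, []), user))

def strip_perms(acd, spec, remove):
    """Copy of an ACD with `remove` taken out of the pair for `spec`."""
    return [(tuple(p for p in perms if p not in remove), s) if s == spec
            else (perms, s) for perms, s in acd]

REPORTS = "/PROD/DATA/reports"        # constructed directory
TARGET = REPORTS + "/2005/jan.txt"    # constructed file
BEFORE = {
    REPORTS: [(("RD", "TD"), "@.PROD"), (("CD", "DD", "RD", "TD"), "MGR.PROD")],
    REPORTS + "/2005": [(("RD", "TD"), "@.PROD")],
}
AFTER = {**BEFORE, REPORTS: strip_perms(BEFORE[REPORTS], "@.PROD", {"RD", "TD"})}

if __name__ == "__main__":
    for label, acds in (("before", BEFORE), ("after", AFTER)):
        for user in ("CLERK.PROD", "MGR.PROD"):
            print(label, user, can_reach(acds, TARGET, user),
                  can_list(acds, REPORTS, user))
```

In the constructed data the 2005 subdirectory still grants TD to @.PROD, yet CLERK.PROD loses the file because the parent directory no longer does.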

 
