Locking the Barn Door - Part V
The challenge: Tighten security across production and development modules, while doing everything possible to not cause a problem.
Last time we talked about securing your application directories. This time we'll show you how to set the rest, especially your system directory.
The VOS system directory is a complex structure, and isn't secured in a single step. It should be generally scannable by everyone, but modifiable by only SysAdmins. The exceptions:
- >system>configuration -- should have null access for everyone except SysAdmins, since it can contain unencrypted user names
- >system>batch -- should have modify/write or execute access so that users can use the queues contained within
- certain other subdirs may contain log or other writeable areas and must be secured appropriately.
Here's a suggested macro for securing the VOS system directory.
set_system_access
&begin_parameters
path Path:pathname,required
&end_parameters
&echo command_lines
&display_line ------------------------------------------------
&display_line Setting access for system &path&
&display_line ------------------------------------------------
!remove_default_access &path& -all
!remove_access &path& -all
!give_access modify &path& -user *.SysAdmin
!give_default_access write &path& -user *.SysAdmin
!give_access modify &path& -user *.Stratus
!give_default_access write &path& -user *.Stratus
!give_access modify &path& -user *.System
!give_default_access write &path& -user *.System
!give_access status &path& -user *.*
!give_default_access read &path& -user *.*
!propagate_access &path&
&
&if ^ (exists &path&>rje_log -directory -no_chase) &then &goto NO_RJE_LOGS
!give_access modify &path&>rje_log -user *.rje_oper
!give_default_access write &path&>rje_log -user *.rje_oper
&label NO_RJE_LOGS
&
&if ^ (exists &path&>configuration -directory -no_chase) &then &goto NO_CFG
&set_string apath &path&>configuration
!give_default_access null &apath& -user *.*
&label NO_CFG
&
&if (exists &path&>notices*) &then !give_access write &path&>notices* -user *.*
&if (exists &path&>queues>batch -directory -no_chase) &then !give_default_access write &path&>queues>batch -user *.*
&if (exists &path&>queues>print -directory -no_chase) &then !give_default_access write &path&>queues>print -user *.*
&if (exists &path&>queues>rje -directory -no_chase) &then !give_default_access write &path&>queues>rje -user *.*
&if (exists &path&>site_call_system -directory -no_chase) &then !give_default_access write &path&>site_call_system -user *.*
&if (exists &path&>site_call_system -directory -no_chase) &then !give_access modify &path&>site_call_system -user *.*
&return
Other directories can be secured by either the set_open_access macro (in Part III of this series), or by a customized version of the application macro. For most purposes, the set_open_access macro is also fine for the >process_dir and the >Overseer directories.
The macro below is used for setting home_dir access for a Group. It assumes that, for a particular Group home_dir structure, directory names starting with an upper-case letter (i.e. ABCD...) are personal directories belonging to the person whose name is on the directory and are secured to that person, and that directory names starting with a lower-case letter (i.e. abcd...) are to be shared within the group.
set_group_access.cm
&begin_parameters
path Path:pathname,required
&end_parameters
& **********************************************************
& set_group_access.cm
& **********************************************************
&echo command_lines
&set_string cm_name set_GROUP
&
&label NO_SUBDIRS
&if (exists &path&>* -directory) ^= 0 &then &goto START
&display_line ------------------------------------------------
&display_line No directories in &path&
&display_line ------------------------------------------------
&echo no_command_lines
!display_line (unquote (quote &cm_name&: No directories in &path&)) -direct
&return
&
&label START
&display_line ------------------------------------------------
&display_line Setting group access for &path&
&display_line ------------------------------------------------
&
&set_string GROUP (object_name &path&)
&set_string TEMP (process_dir)>(unique_string)
&echo no_command_lines
!display_line &+
(unquote (quote &cm_name&: Setting group access for &path&)) -direct
!set_ready -format off
!attach_default_output &TEMP&
list &path&>* -dirs -names_only
!detach_default_output
!set_ready -format long
&
&echo command_lines
&set CNT 0
&
&label LOOP
&set CNT (calc &CNT& + 1)
&set_string DIR (contents &TEMP& &CNT& -hold)
&if (end_of_file &TEMP&) &then &goto DONE
&if (length &DIR&) < 4 &then &goto LOOP
&if (search ABCDEFGHIJKLMNOPQRSTUVWXYZ (substr &DIR& 1 1)) = 0 &then &goto SHARED
&
!set_personal_access &path&>&DIR&
&goto LOOP
&
&label SHARED
!give_access modify &path&>&DIR& -user *.&GROUP&
!give_default_access write &path&>&DIR& -user *.&GROUP&
&goto LOOP
&
&label DONE
&return
set_personal_access
&begin_parameters
path Path:pathname,required
&end_parameters
&echo command_lines
&display_line ------------------------------------------------
&display_line Setting personal access for &path&
&display_line ------------------------------------------------
&
&set_string WHO (object_name &path&)
give_access modify &path& -user &WHO&.*
give_default_access write &path& -user &WHO&.*
!give_access status &path& -user *.*
!give_default_access read &path& -user *.*
!propagate_access &path&
&
&return
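Added example (not part of the original macros): a Python dry run that previews which branch set_group_access.cm would take for each subdirectory and which access commands would follow, so the result can be checked before anything is changed. The sample path and directory names are constructed, and the function names are hypothetical.

```python
import string

MIN_NAME_LEN = 4  # the macro's LOOP ignores entries shorter than 4 characters

# Constructed sample input: a group home_dir and its subdirectory names.
SAMPLE_PATH = "%s1#d01>home>Sales"
SAMPLE_DIRS = ["Jane_Doe", "reports", "Al", "2024_archive"]


def classify(name):
    """Return 'skipped', 'personal' or 'shared', following the macro's LOOP tests."""
    if len(name) < MIN_NAME_LEN:
        return "skipped"
    if name[0] in string.ascii_uppercase:
        return "personal"
    return "shared"  # anything not starting with A-Z, including digits


def plan(group_path, dir_names):
    """Build (target, kind, commands) rows for each subdirectory."""
    group = group_path.rsplit(">", 1)[-1]  # mirrors (object_name &path&)
    rows = []
    for name in dir_names:
        target = f"{group_path}>{name}"
        kind = classify(name)
        if kind == "personal":  # what set_personal_access issues
            cmds = [f"give_access modify {target} -user {name}.*",
                    f"give_default_access write {target} -user {name}.*",
                    f"give_access status {target} -user *.*",
                    f"give_default_access read {target} -user *.*",
                    f"propagate_access {target}"]
        elif kind == "shared":  # the macro's SHARED label
            cmds = [f"give_access modify {target} -user *.{group}",
                    f"give_default_access write {target} -user *.{group}"]
        else:
            cmds = []  # left untouched by the macro
        rows.append((target, kind, cmds))
    return rows


def needs_review(rows):
    """Targets the naming convention does not clearly cover."""
    flagged = []
    for target, kind, _ in rows:
        leaf = target.rsplit(">", 1)[-1]
        if kind == "skipped" or (kind == "shared" and not leaf[0].islower()):
            flagged.append(target)
    return flagged
```

Directories returned by needs_review are either skipped by the macro because the name is shorter than four characters, or fall into the shared branch without actually starting with a lower-case letter.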