Chapter 5 - Using Attributes for Security
This chapter discusses how to configure file attributes to control access to files and directories on VINES file services. For information about managing file attributes on StreetTalk for Windows NT file services, refer to Managing StreetTalk for Windows NT Services.
Overview of the SETATTR Program
In the Macintosh and DOS (FAT) file systems, you can assign values to attributes of files. Attributes indicate specific conditions. For example, if a DOS user can open a file but cannot make any changes to it, it is likely that the DOS Read Only attribute for that file is on.
The SETATTR program, with both command-line and menu-driven interfaces, can help you manage attributes from a central point. You can use this command to set attributes on directories and files stored on VINES network file volumes. In addition, you can use it to set DOS attributes on files stored on a local drive. Note that you must have Write access (VINES view) or Make Changes access (Macintosh view) to the parent directory to use the SETATTR program.
Using Attributes to Control Access
The DOS and Macintosh file systems provide attributes for files as a way to manage them and to control access to them. Previous releases of VINES software provided additional attributes for files, namely the Sharing and Execute attributes.
The new VINES File System (VFS) supports DOS, Macintosh, and the original VINES attributes for files. Where appropriate, VFS extends that support to directories. To do this, VFS maintains a composite set of attributes for each directory and file. Because attributes of different file systems differ in meaning, the composite set breaks the attributes of these two file systems into component parts.
For example, the DOS Read Only attribute corresponds to two separate attributes in the VFS composite set - Read Only and No Delete; the Macintosh Locked attribute corresponds to three: Read Only, No Delete, and No Rename.
Table 5-1, Table 5-2, and Table 5-3 define the attributes for directories and files under the VINES, DOS, and Macintosh file systems. The directory attributes are a subset of the file attributes. Note that attributes such as Read Only, Hidden, and System can allow broad access or prevent access to directories and files. The Archive attribute can be used as a signal to an automatic, incremental backup program that a file needs to be backed up.
Use attributes in conjunction with the access rights lists to manage directories and files and to control access to them. The SETATTR program lets you manage these attributes in two ways: from the DOS command line, or from the program's menu-driven user interface. The two methods of using SETATTR provide slightly different functions. The sections following Tables 5-1 through 5-3 explain these differences.
Note: You must have Write access (VINES view) or Make Changes access (Macintosh view) to the parent directory of a file or subdirectory to be able to set the attributes on that file or subdirectory.
Caution: If the Sharing attribute is ON for a parent directory, any new file will inherit the ON setting. It is not recommended that you set this attribute to ON because an application may assume that DOS open mode restrictions are being obeyed. See the next section of this chapter, "VINES Attributes," for more information on using the Sharing and Execute Only attributes.
This section provides detailed information about the two VINES attributes: Sharing and Execute Only.
Sharing Attribute
The Sharing attribute was for files created from DOS 3.x or earlier and is no longer supported.
Read the documentation for each application thoroughly, and confer with support personnel for the application before taking any action regarding the Sharing Attribute.
If you use the VCOPY command to copy a file that had the Sharing attribute set, the new file retains all the attributes of the original file regardless of the Sharing attribute setting of the parent directories. If you use any other copy or create operation, the Sharing attribute of the new file is set to OFF.
Use the DOS ATTRIB command or the VINES SETATTR program to mark a file for Read Only access. Read Only access prevents many sharing violations caused when programs read their executable, overlay, and configuration files.
You can also use the SETATTR program to change the sharing attribute for all types of files, taking into account the single-user or multi-user nature of programs and the version of DOS running.
Execute Only Attribute
The Execute Only attribute is no longer supported. It was for DOS 3.x and earlier.
Using SETATTR from the System Prompt
From the DOS command line, use SETATTR to view and change the status of attributes. When you want to view the status, you can request the status of multiple files or directories. Whether you request the status of attributes for one file or for ten files, the command line version of SETATTR displays only those attributes that are ON.
When you want to change attribute settings at the DOS command line, you can specify multiple attributes and multiple files and/or directories. All specified settings apply to all specified files and/or directories. Any changes you make are stored in the VFS composite set of attributes.
If the Sharing attribute for a directory is changed, the change does not affect new files created in that directory because new files are created with the Sharing attribute set to OFF unless the new file is created with VCOPY; a file created with VCOPY retains the attributes of the source file.
If the Execute Only attribute is set to ON for a directory, only the files currently in that directory acquire that attribute. Neither the directory nor its subdirectories are affected. The Execute Only attribute of any file subsequently created in that directory is OFF by default. Files copied to the directory retain the Execute Only attribute setting that they had in their source directory.
The syntax of the SETATTR command allows you to change and display attributes of files and directories at the DOS command line:
SETATTR [+ or - attribute] [DOS pathnames] [/SHOW] [/HELP]
where [+ or - attribute] lets you turn an attribute ON (+) or OFF (-). When changing the status of an attribute, use the two-character abbreviation of the attribute shown in Table 5-4. If you do not specify a DOS path name with the attribute change, the program changes the attributes of the current directory.
[DOS pathnames] specifies the complete DOS path name (directory/subdirectory/filename). Note that you can specify more than one DOS path name with this command; leave a space between path names. If you do not specify a path, the program assumes the current directory.
[/SHOW] tells the program that you want it to display all the attributes that are currently ON for the directory and/or file specified ([DOS pathname]). If you do not specify a DOS path name with [/SHOW], the program displays the attributes that are ON in the current directory. When using this switch, you can abbreviate it to /S, /SH, or /SHO.
[/HELP] displays the syntax information for the command. If you make a syntax error in entering the command, the program displays this help information.
Example Turning On Read Only
To turn ON the Read Only attribute on the file, JANUARY.RPT, in the current directory, enter the following at the DOS command line:
SETATTR +RO JANUARY.RPT
The program confirms the change by returning the message:
+RO E:\STATUS\JANUARY.RPT
Example Turning Off Read Only
To turn off the Read Only attribute for two files, enter:
SETATTR -RO FEBRUARY.RPT MARCH.RPT
The program confirms the change by returning the message:
-RO E:\STATUS\FEBRUARY.RPT
-RO E:\STATUS\MARCH.RPT
Example Using Show
To display the attributes that are ON for this file, enter:
SETATTR JANUARY.RPT /S
The program returns the attributes that are ON for the file:
+RO +NR +ND E:\STATUS\FEBRUARY.RPT
Example Using /HELP
To display the syntax for the command, enter:
SETATTR /H
Note that in the last two examples, you do not have to enter the entire switch text, only the first letter.
From the SETATTR menu, you can manage the attributes for only one file or directory at a time. However, you can change the path name and you can see simultaneously the VFS composite set of attributes and the attributes of either the DOS or Macintosh file system.
When you edit attribute settings in the menu, changes you make to the DOS or Macintosh column are reflected immediately in the VINES column, and vice versa. To understand the changes, refer to Table 5-5 and Table 5-6. These tables show how DOS and Macintosh attributes correspond or map to the VFS composite set of attributes for files and directories.
Note: VFS does not maintain a record of a "Saved" file system view for SETATTR as it does with the SETARL program.
Tables 5-5 and 5-6 show how DOS and Macintosh attributes map to VINES attributes. The mappings described in Table 5-5 apply to DOS directories and files; those in Table 5-6 apply to Macintosh folders and files. Where a single DOS or Macintosh attribute corresponds to multiple VINES attributes, note that you must change all of the VINES attributes before the DOS or Macintosh attribute changes.
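The mapping rule described above, as an added Python sketch that is not part of the VINES software or the original manual. It models only the two mappings this chapter states in prose (DOS Read Only and Macintosh Locked); the function names are hypothetical, and the starting state is constructed for illustration.

```python
# Added illustration: models only the two mappings this chapter states in prose.
from typing import Dict, FrozenSet, Set

# Client attribute -> VFS composite attributes it corresponds to (from the text).
MAPPINGS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "DOS": {"Read Only": frozenset({"Read Only", "No Delete"})},
    "Macintosh": {"Locked": frozenset({"Read Only", "No Delete", "No Rename"})},
}


def client_view(view: str, composite: Set[str]) -> Dict[str, bool]:
    """A client attribute shows ON only when every VFS component is ON."""
    return {name: parts <= composite for name, parts in MAPPINGS[view].items()}


def turn_on(view: str, attribute: str, composite: Set[str]) -> Set[str]:
    """Turning a client attribute ON sets all of its VFS components."""
    return composite | MAPPINGS[view][attribute]


def missing_components(view: str, attribute: str, composite: Set[str]) -> Set[str]:
    """VFS attributes still OFF that keep the client attribute from showing ON."""
    return set(MAPPINGS[view][attribute]) - composite


def demo() -> Dict[str, object]:
    composite: Set[str] = set()  # constructed starting state: everything OFF
    composite = turn_on("DOS", "Read Only", composite)
    after_dos = {
        "dos": client_view("DOS", composite),
        "mac": client_view("Macintosh", composite),
        "gap": missing_components("Macintosh", "Locked", composite),
    }
    composite = composite | {"No Rename"}  # now all three Locked components are ON
    after_nr = client_view("Macintosh", composite)
    composite = composite - {"No Delete"}  # clear a single VFS component
    after_clear = {
        "dos": client_view("DOS", composite),
        "mac": client_view("Macintosh", composite),
    }
    return {"after_dos": after_dos, "after_nr": after_nr, "after_clear": after_clear}


if __name__ == "__main__":
    for step, state in demo().items():
        print(step, state)
```

Setting DOS Read Only leaves No Rename OFF, so the Macintosh view still shows the file as not Locked; clearing any one component turns the corresponding client attribute OFF in both views.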
Accessing the Set Attributes Menu
The Set Attributes menu allows you to see, change, or copy the status of attributes for a directory or file. You can open the menu by entering this version of the SETATTR command at the DOS prompt:
SETATTR [DOS pathnames] [/View:file_system]
where [DOS pathnames] is the complete DOS path name of the directory or file whose attributes you want to see, edit, or copy. While the menu can display attributes for only one directory or file at a time, you can view the attributes of several directories or files in succession. If you enter multiple path names at the DOS prompt, the attributes of the first path name appear in the menu first; to view the attributes of each succeeding path, press F10.
The Set Attributes menu displays the composite set of VINES attributes alongside the attributes for the DOS or Macintosh file system. The default display is DOS and VINES. To display the Macintosh file system's attributes, use the [/View:file_system] switch.
Example Specifying a View
As in the SETARL command, the Macintosh file system is abbreviated with M, as shown in the example below.
SETATTR JANUARY.RPT /V:M
This example displays the Set Attributes menu for a file in the current directory (STATUS) called JANUARY.RPT, with the Macintosh and VINES attributes listed, as shown below.
The Macintosh file system view appears on the left side of the screen, while the VINES view appears on the right side. The display shows the mapping of the client file system attributes to the VINES attributes. The Locked attribute maps to the VINES Read Only, No Delete, and No Rename attributes. The Locked attribute is OFF because the VINES No Rename attribute is OFF. Without No Rename, the Locked attribute cannot be ON.
The F4 key lets you toggle between the DOS and Macintosh views. From the Macintosh view, you would press F4 to display the DOS view.
Users can select from the commands in the SETATTR menu to:
Change Path. Display the attributes of another directory or file.
Edit Attributes. Change the status of attributes for the directory or file shown in the Path field.
Copy Attributes. Select and copy attributes to another directory or file.
The next three sections show the screens for these commands.
Selecting the Change Path command from the Set Attributes menu displays the following data entry screen.
Press F5 in the above screen to display the Select Pathname screen.
The left and right arrow keys let you display different directories or subdirectories. Use the arrow keys to highlight a directory or file name and press ENTER. The SETATTR main menu returns, displaying the attributes for the newly selected directory or file.
When you select Edit Attributes, the cursor moves to the lower part of the screen, under the first letter of the first attribute in the native file system list. The menu changes, as shown below.
Changing Attributes. To change the attribute status, press ENTER. To move the cursor up and down the lists or between the two lists, use the arrow keys. See the on-line help text for details.
Saving Changes. To save your changes, press F10. To cancel your changes, press ESC. The program queries:
By default, YES is highlighted. If you press ENTER, you return to the Edit Attributes screen. To exit the SETATTR menu without saving any changes, press the right arrow key to highlight NO, and then press ENTER.
If you entered multiple directory or file names at the system prompt, the F10 key explanation reads, "Done with this file." After editing the attributes for the first directory or file, press F10 and the attributes for the next directory or file you specified at the system prompt are displayed. Continue editing and pressing F10 until the attributes for the last directory or file are displayed. When you press F10 after editing these attributes, the SETATTR main menu appears.
When you select Copy Attributes, the following data entry screen appears.
To copy the attributes to all the subdirectories and files in a directory, press F2.
To copy the attributes to all the files in the current directory, enter the wildcard, *.*. You can also use wildcards for groups of files, for example, *.doc.
To select the destination name from a list, press F5 to display the Select Destination screen.
As in the Select Path screen, the left and right arrow keys let you display different directories or subdirectories. Where files and subdirectories are mixed within a directory, they appear in alphabetical order, with file and subdirectory names mixed.
Note: You can copy attributes of files to other files and directories. If you copy from a file to a directory, you receive a warning message if any of the file attributes that do not apply to the directory are ON.
Using SETATTR on 4.xx File Services
If you are working on a 5.xx or later workstation and the file service you are working with is a 4.xx file service, you can do one of the following:
Use the SETATTR command at the DOS command line as you would with 4.xx VINES file services.
Use the menu interface designed for 4.xx VINES file services, shown below.
Note that you can set only the VINES attributes with this menu. Use the commands in the same way as described in the preceding sections.
Using SETATTR on a Local Drive
You can change attributes on files on a local file volume with either the command line or menu interface of the VINES SETATTR program. On a local file volume, you can work with files only.
At the DOS command line, change to the local drive and directory. Then enter the SETATTR command as you would if you were working with files on a network drive or directory, that is, enter the pathnames of the files with the SETATTR command. The command responds with information about the DOS attributes of the files. When using the menu interface, use the Change Path command to specify the pathnames of the files you want to work on. Use the other commands in the same way as described above. The menu reflects that the file volume is on a local drive and shows only the appropriate DOS attributes.
For example, at the DOS command line, enter
C:
SETATTR C:\MYFILES\CHAP02.DOC
To use the menu interface, select CHANGE path and enter the pathname of the file, for example, C:\MYFILES\CHAP02.DOC.
In both cases, the screen appears as in Figure 5-10.