$PERMIT me to talk about $FILESTATUS

The information that MTS stores about files is quite different from today’s operating systems and it also has an interesting permissions model. In this post we’ll look at this information in more detail using the $FILESTATUS and $PERMIT commands.

$FILESTATUS

$FILESTATUS, which can be abbreviated to $F, displays information about files. It takes three parameters:

Running it without any parameters lists the files owned by the current user:

# f
  ALPHA BETA

Use ? as a wildcard to specify what files to display. Note that this will not include temporary files; to see these you will need to do f -?. To see all files under another ID use f CCID:?; this will only list files you have access to.

The information parameter allows you to see further details about each file. To see all information MTS has, use the TOTAL parameter:

# fi ? total
  ALPHA             Size=1P, MinSaves=0P, TruncSaves=0P, MaxSize=32767P, 
   ExpFac=Def, Type=Line, RPM=0, IdleDays=36525, Lines=1, Holes=1, Avlen=19, 
   MaxLen=19, AvailSpace=2969, MaxHole=2969, Create=Nov15/14, 
   LastRef=Nov15/14, LastCatalog=Nov15/14, LastData=10:30:46 Nov15/14, 
   Volume=MTS600, Owner=ST03, Loc=3380, UseCnt=3, PKey=*EXEC, 
   FullAccess=Unlim Owner, None Others 
  BETA              Size=1P, MinSaves=0P, TruncSaves=0P, MaxSize=32767P, 
   ExpFac=Def, Type=Line, RPM=0, IdleDays=36525, Lines=0, Holes=1, Avlen=0, 
   MaxLen=0, AvailSpace=2990, MaxHole=2990, Create=Nov15/14, LastRef=Nov15/14,
   LastCatalog=Nov15/14, LastData=10:30:59 Nov15/14, Volume=MTS600, 
   Owner=ST03, Loc=3380, UseCnt=1, PKey=*EXEC, Empty, FullAccess=Unlim Owner, 
   None Others 

Let’s look at each of these

Instead of showing all this you can specify individual items to display:

# fi ? lines avlen
  ALPHA             Lines=1, Avlen=19 
  BETA              Lines=0, Avlen=0 

Finally, the format parameter determines how the information selected will be displayed. You can choose name=value pairs, columns or packed, with options for headers, spacing and indentation. For example:

# fi ? col spacing=3 create lastref

   File name        Create   DateLast
                    Date     Referenc

  ALPHA             Nov15/14 Nov15/14
  BETA              Nov15/14 Nov15/14

$PERMIT

The $PERMIT command, or just $P, takes three parameters

You can also selectively clone permissions from one file to another with the syntax $PERMIT files1 LIKE files2 EXCEPT access_level.

There are six basic categories of access level:

These can be combined using various aliases: for example, RW allows the first three categories above, N specifies no access and U unlimited access.

The users parameter allows you to specify a single user ID or even a wildcard user ID (like ST0?) as well as other combinations:

*PERMIT will show the current level of access after each command. Some examples:

# permit alpha r st01, rw st02
  Access to file "ALPHA" is now Read ST01, RW ST02, Unlim Owner, None Others
# permit alpha d st0?, read others
  Access to file "ALPHA" is now Read ST01, RW ST02, Unlim Owner, Destroy ST0?,
   Read Others

Program keys

You may want a file to be accessible only when run by a certain program. In Unix the solution is setuid: when a program is run, your user ID temporarily becomes the user ID of the program so it can access files owned by that user ID. This can lead to security issues though, e.g. if a buffer overrun in the program can be exploited to allow access to other files.

MTS has a better solution: each program can have a key, and access to a file can be granted to that key. You can then run a privileged program under your normal ID.

One example is the *CKID program that runs at sign on for certain shared IDs and checks which secondary IDs can use that ID. The config file, CKID:ACCESS, should only be accessible to that program, so it is permitted to the pkey for *CKID:

# fi ckid:access access
  CKID:ACCESS       FullAccess=None Others, Read Pkey=*CKID 

You can set this up for your own programs by setting a pkey for the executable and then permitting access. Say you have a database program MYDB which is the only way a user should access the database file DBFILE. First set a program key:

$CONTROL MYDB PKEY=MYDB

and then permit access:

$PERMIT DBFILE RW PKEY=MYDB
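
The access lists that $FILESTATUS reports can be reviewed mechanically. As an added example (not from the original post or from MTS itself), this Python code parses name=value output and lists every grant other than None made to Others or to a wildcard ID, leaving pkey grants alone. The sample text is constructed, and the indentation rule and the names `parse_filestatus` and `broad_grants` are assumptions.

```python
import re

# Constructed sample in the name=value layout shown earlier: the file name line
# is indented two spaces and continuation lines three (assumed from this page).
SAMPLE = """\
  ALPHA             Size=1P, Type=Line, Lines=1, Owner=ST03, PKey=*EXEC,
   FullAccess=Read ST01, RW ST02, Unlim Owner, Destroy ST0?, Read Others
  BETA              Size=1P, Type=Line, Lines=0, Owner=ST03, PKey=*EXEC, Empty,
   FullAccess=Unlim Owner, None Others
  CKID:ACCESS       FullAccess=None Others, Read Pkey=*CKID
"""

FIELD = re.compile(r"^(\w+)=(.*)$")  # "Name=value" with no space before "="


def parse_filestatus(text):
    """Return {file: {"fields": {}, "flags": [], "access": [(level, who)]}}."""
    records = []
    for line in text.splitlines():
        if line.strip() and len(line) - len(line.lstrip()) <= 2:
            records.append(line.strip())           # new record
        elif line.strip() and records:
            records[-1] += " " + line.strip()      # wrapped continuation
    files = {}
    for rec in records:
        name, _, rest = rec.partition(" ")
        info = files[name] = {"fields": {}, "flags": [], "access": []}
        in_access = False
        for tok in filter(None, (t.strip() for t in rest.split(","))):
            m = FIELD.match(tok)
            if m and m.group(1) != "FullAccess":   # ordinary Name=value item
                info["fields"][m.group(1)] = m.group(2)
                in_access = False
            elif m or in_access:                   # entry in the access list
                in_access = True
                entry = m.group(2) if m else tok
                level, _, who = entry.partition(" ")
                info["access"].append((level, who))
            else:                                  # bare flag such as "Empty"
                info["flags"].append(tok)
    return files


def broad_grants(files):
    """Grants other than None made to Others or to a wildcard ID."""
    return [(name, level, who)
            for name, info in files.items()
            for level, who in info["access"]
            if level != "None" and (who == "Others" or "?" in who)]
```

On the sample, only ALPHA is reported; CKID:ACCESS is not, because its single grant goes to a program key rather than to a user.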

Further information

See the online help for $FILESTATUS and $PERMIT, and a detailed write up in MTS Volume 1.
