Newsgroups: comp.sys.apollo
Path: utzoo!utgpu!news-server.csri.toronto.edu!helios.physics.utoronto.ca!alchemy.chem.utoronto.ca!system
From: system@alchemy.chem.utoronto.ca (System Admin (Mike Peterson))
Subject: Re: ignoring umask and ownership when creating files ...
Message-ID: <1991Feb20.201336.23750@alchemy.chem.utoronto.ca>
Organization: University of Toronto Chemistry Department
References: <1991Feb20.052633.3894@wpi.WPI.EDU>
Date: Wed, 20 Feb 1991 20:13:36 GMT

In article <1991Feb20.052633.3894@wpi.WPI.EDU> ajb@wpi.WPI.EDU (Arthur J. Butler) writes:
>hi,
>
>i've recently installed 10.3 (large aegis and bsd) on our dn3500.  i
>used import_passwd and syncids to create the accounts.  i created a
>directory /usr/users where the home directories will be located.  root
>owns this directory and the mode is 755.  in /usr/users i have a
>directory called ajb (owned by ajb with 755 permissions).  when user
>ajb logs in, all files he creates in his home directory are owned by
>"none" and his umask is totally ignored.  when user ajb creates a file
>in /tmp, then the file ownership is ok but again the umask is ignored.
>this is all operating under bsd4.3 environment using csh.

Make sure that the directory /usr/users (and /tmp probably) has
"Berkeley ACLs" - see the 'chacl' command. The idea is:
	chacl -R -B /usr/users
	cd /usr/users
	foreach $username (*)
	   chown -R $username.group $username
	end
	chacl -B /sys/node_data/tmp
	chmod 777 /sys/node_data/tmp
where 'group' is the desired group. The chacl command recursively
applies BSD directory/file inheritance properties onto /usr/users
(so that the umask will then be used as the mask for permissions, and
the group will be inherited from the directory a la BSD),
and of course the chown fixes all the existing files and directories.
You will probably also have to chmod existing files/directories.
The Apollo default permissions are not umask-based (instead fixed
rights will be applied and a fixed owner/group will be applied), and
will be used for all new files/directories by default.

You can 'chacl -B' most of the /bsd4.3 and /usr tree without problems.
WARNING - while you can safely chacl -B much of the file system, do not
do this on /sys.

I have protection scripts that will close up a SR10.x (x=0,1,2,3)
BSD node as tightly as possible, and will also force proper
ACLs/permissions onto all files/directories, including the /sys tree.
They do a preliminary job on SYSV and /com, and disable most dangerous
commands from normal users, and also set privacy ACLs on mail, etc.
These scripts should be available in the ADUS library (but won't handle
SR10.3 completely - they'll come close though), or given sufficient demand,
I will post them here. It appears that closed ACLs as of 10.3 come
pretty close to a real UNIX system, but I won't find out for sure until
I do an install onto a newly invol'ed disk. SR10.[012] were no where near.
-- 
Mike Peterson, System Administrator, U/Toronto Department of Chemistry
E-mail: system@alchemy.chem.utoronto.ca
Tel: (416) 978-7094                  Fax: (416) 978-8775
