<<< VAXAXP::NOTES$:[NOTES$LIBRARY]VMSNOTES.NOTE;1 >>> -< VAX and Alpha VMS - Digital Internal Use Only >- ================================================================================ Note 718.4 Protection checks question 4 of 4 AUSS::GARSON "achtentachtig kacheltjes" 58 lines 18-APR-1996 18:49 -< the old phone in the shoe trick >- -------------------------------------------------------------------------------- re .3 >The gratuitious ACE is derived from the creator ACE, or (if undefined) >the owner field of the default protection ACE of the parent directory, >of (if undefined) the process default RMS protection, or (if undefined) >the system default RMS protection. This doesn't seem exactly right to me. Quoting from some rambling I posted a long time ago ... For VMS V5 see "Guide to VMS System Security" "4.5.2.2 Default ACL Protection : : In addition, when you create a file whose owner identifier is not your UIC (by explicitly naming a file owner or through the ownership defaulting rules presented in Section 4.4.5), an ACE that grants CONTROL access to your UIC plus the access available to the owner of the file is added to the file's ACL." This ACE is colloquially known as the gratuitous ACE. What the documentation doesn't make clear is that by "access available to the owner" it means the access in the OWNER field of the protection (which may be less than the actual access available to the owner if there is an applicable ACE). The documentation also does not mention that the gratuitous ACE is not added for suitably privileged users e.g. BYPASS, SYSPRV, implicit SYSPRV due to system UIC, READALL(V5 only). The problem with the gratuitous ACE is that the access it grants may be less than that which the creator would otherwise have by virtue of later ACEs. For non-directory files the default protection comes from one of: the lower version, the DEFAULT_PROTECTION ACE, the process's current default protection, in that order. For directory files the default protection comes from the parent directory *but* delete access is always removed from each category of user (system,owner,group,world). (This is for historical reasons and is now wholly inappropriate.) Consequently when the gratuitous ACE is calculated from the owner access there is no delete access granted by it. VMS V6 fixes this problem through the concept of a "creator ACE". Where a gratuitous ACE is needed, the creator ACE on the containing directory defines explicitly the access that will be granted to the creator. See the V6 version of the above-mentioned manual, section 4.8.4.5. If there is no creator ACE then VMS falls back to the V5 behaviour. It seems that if the creator ACE explicitly grants ACCESS=NONE then no gratuitous ACE is added - which gives the behaviour that we really want.