In ClearCase, how to apply file permission to specific group?

vber70 asked on February 23, 2011 - 9:03am | Replies (6).

I need to give file permissions to specific users only.

My steps:
Setting up a new CC group.
Add the new group to the CC profile of people who should have access to the files.
Add the new group to the VOB.
Change file protection to the new group.
Defined permission 770 on the files.

But users still do not have access to the files!!!!

6 Answers

pdhaggerty replied on February 23, 2011 - 9:16am.

You at the least need to have 775 perms; you may have a directory that is not in the group, and having zero for other may be an issue. Also, what are the current group membership details of the VOB and the user(s)? Unix or Windows and/or interop?

vber70 replied on February 23, 2011 - 9:47am.

For example:
I have VOB XXX.
VOB ownership:
owner a
group b

The VOB includes folder ss and files 1.txt, 2.txt (permission to files: owner a 707, group b 707, other 000).

The user has primary group zz + secondary group b.
I want to allow access to the files only to users with b as a secondary group.

I am working on Windows.

martina replied on February 23, 2011 - 4:21pm.

770 is right. 775 means that others, i.e. the world, has read access.

Did you only change permissions for the files or also for the parent directory? The permissions of the parent directory come into play as well.
You will want to change the permissions for the parent directory to 770 and not mix files that need to be locked away with files that need to be readable to the world in the same directory.

And if you need it to be seriously hacker proof, this solution won't hold up as the vob storage is most likely readable. It takes a very determined hacker to find their way through there, but ...

hth

Marc Girod replied on February 23, 2011 - 4:22pm.

pdhaggerty wrote: "You at the least need to have 775 perms"
I believe it is technically possible to have 0 for world, at least in a standalone setup, with local storage.
One problem is with generating cleartext containers, one with MultiSite, one with backup.
These are different contexts in which one needs access.
In any case, protectvob does not affect the pools.
So, one needs also vob_sidwalk (beware the .identity directory on UNIX!) or fix_prot.
There's a technote on the different tools.
Marc

martina replied on February 23, 2011 - 4:23pm.

p.s. and make sure that the user you are testing the "has no access" with isn't an element owner

martina replied on February 23, 2011 - 4:26pm.

What Marc says in more detail is what I was alluding to. If you are looking only via a view, using cleartool protect will keep out the regular user.
The vobstorage is still open to hacking.
If you need real protection, you need to put all the files you want protected in a separate vob and have its vobstorage in a separate dir and protect that separate dir so only the group with permissions (and ClearCase itself) can read what is in there.
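
A simplified model of the checks the answers describe (770 versus 775, the parent directory's own permissions, and the element-owner caveat), added here as an illustration and not taken from the thread or from ClearCase itself. It assumes POSIX-style owner/group/other evaluation; the users u1 and u2, the group zz_old and all function names are constructed for the example.

```python
# Simplified owner/group/other evaluation for a file and its parent directory.
# Assumption: POSIX-style semantics; this is not ClearCase's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    owner: str
    group: str
    mode: int            # octal permission bits, e.g. 0o770

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset    # primary plus secondary groups

def rights(user, obj):
    """Return the rwx triplet (0-7) that applies to this user on this object."""
    if user.name == obj.owner:
        return (obj.mode >> 6) & 7   # owner bits apply, group is not consulted
    if obj.group in user.groups:
        return (obj.mode >> 3) & 7   # assumption: any of the user's groups counts
    return obj.mode & 7              # everyone else ("other" / world)

def can_read(user, parent_dir, file_):
    """Reading needs search (x) on the parent directory and read (r) on the file."""
    if not rights(user, parent_dir) & 1:
        return (False, "blocked by parent directory")
    if not rights(user, file_) & 4:
        return (False, "blocked by file mode")
    return (True, "allowed")

# Constructed sample data modelled on the thread: owner a, group b, folder ss.
member = User("u1", frozenset({"zz", "b"}))     # b as secondary group
outsider = User("u2", frozenset({"zz"}))        # not in group b
elem_owner = User("a", frozenset({"zz"}))       # owner, but not in group b

file_770 = Obj("a", "b", 0o770)
file_775 = Obj("a", "b", 0o775)
dir_770 = Obj("a", "b", 0o770)
dir_775 = Obj("a", "b", 0o775)
dir_other_group = Obj("a", "zz_old", 0o770)     # directory left in another group

if __name__ == "__main__":
    cases = [("member, dir not re-grouped", member, dir_other_group, file_770),
             ("member, dir and file 770", member, dir_770, file_770),
             ("outsider, dir and file 770", outsider, dir_770, file_770),
             ("outsider, dir and file 775", outsider, dir_775, file_775),
             ("element owner outside group b", elem_owner, dir_770, file_770)]
    for label, user, d, f in cases:
        print(f"{label}: {can_read(user, d, f)}")
```
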
