Access control for elements
When you create a VOB, it has a single element: the VOB root directory. This element is the container for all other elements in the VOB. Its initial owner is the owner of the VOB, and its initial group is the group of the VOB.
- Owner. The initial owner is the user ID of the process that creates the element.
- Group. On Linux and the UNIX system, setting the environment variable CLEARCASE_MKELEM_USE_GRPLIST to true enables the
primary group intersection algorithm (the algorithm is always in effect for Windows systems). Each
operating system process has a process primary group and a process group list and each VOB has a VOB
primary group and a VOB supplemental group list. We refer to the former collectively as the process
groups and the latter as the VOB groups.
- If the process primary group matches any VOB group, then that group becomes the new element's group; else
- If the intersection of all process groups and all VOB groups yields exactly one group, then that group becomes the new element's group; else
- Element creation fails.
- Protection mode. The initial protection mode for a file system element is determined
differently on hosts running Linux or the UNIX system than on Windows® hosts.
- On Linux and on the UNIX system, if you create the element from an existing view-private file, the element has the same protection mode as the view-private file, except that no user category has write permission. If you create a file system element any other way, the element has only read permission for all user categories. If your umask is 0, a directory element initially has read, write, and execute permission for all user categories. Otherwise, the initial read, write and execute permissions are determined by the value of your umask.
- On Windows, a file system element initially has only read permission for all user categories. You must explicitly add execute permission for an element by using the cleartool chmod command. A directory element initially has read, write, and execute permission for all user categories.
An element's owner, group, and protection mode are the same for all versions of the element.
You can use the cleartool describe command or, on Windows, the Properties of Element window in Windows Explorer or HCL VersionVault Windows Explorer to display the owner, group, and protection mode for an element.
After an element is created, the element owner, the VOB owner, or a privileged user can use the cleartool protect command to change the element's owner, group, or protection mode.
Using directory elements to protect contained elements
It is inadequate to use directory protections to make the elements that they contain inaccessible. Hard links (that is, element names that exist outside the original element pathname) and access to the element through its database identifier can make an element accessible by bypassing its original element pathname. To protect an element from access, set its own owner, group, and other control bits appropriately. To automate element protection, define a post-op trigger for the mkelem command that sets the protections of new elements.
Permission to create elements
To create an element, a process must also have permission to check out a version of the directory element that will contain the new element. See Permission to write elements.
Permission to delete elements
Only the element owner, the VOB owner, or a privileged user can delete an element. Deleting an element with the cleartool rmelem command is not the same as removing the element's name from a version of a directory using cleartool rmname. For more information, see Permission to write elements.
The creator of a version, the element owner, the VOB owner, or a privileged user can delete the version.
Permission to read elements
An algorithm that considers the process's user and group and the element's owner, group, and protection mode determines whether to grant read permission for an element. See Access algorithm for VOB and view data.
Permission to write elements
A process cannot write elements directly. You modify an element by checking out a version of it and checking in a new version.
- The process has the user identity of the element's owner.
- Any of the process's group identities is the same as the element's group.
- The process has the user identity of the VOB owner.
- The process has the user identity of a privileged user.
- The process has the user identity of the user who checked out the element.
- The process has the user identity of the element's owner.
- Any of the process's group identities is the same as the element's group.
- The process has the user identity of the VOB owner.
- The process has the user identity of a privileged user.
When a directory element is checked out, you can modify the directory by creating elements or by removing elements from it. Removing an element's name from a version of a directory with the cleartool rmname command is not the same as deleting the element itself. See Permission to delete elements.
Permission to execute elements
An algorithm that considers the process's user and group and the element's owner, group, and protection mode determines whether to grant execute permission for an element. See Access algorithm for VOB and view data.
- On Windows, a file element does not have execute
permission until you add it by using the cleartool chmod command.
For example:
cleartool chmod +x command.exe
If you add an executable program to source control, you cannot execute it while it is checked in unless you take this step. (When it is checked out, you can execute the view-private file.) - On Linux and the UNIX system, when a VOB is mounted with the nosuid mount option, checked-in setuid executables cannot run.