mkmldir(1M)              DG/UX B2 Security R4.12MU02             mkmldir(1M)


NAME
       mkmldir - make a multilevel directory

SYNOPSIS
       mkmldir [-m mode] [-q] dirname

   where:
       mode     The permissions to set on the directory
       dirname  The name of the directory mkmldir tries to convert to a
                multilevel directory.  If dirname does not exist, it will be
                created.

DESCRIPTION
       The mkmldir command converts an existing regular directory into a
       multilevel directory.  If the directory doesn't exist, it is created.
       mkmldir will not complain if it is passed a directory that is already
       a multilevel directory.  However, if passed a hidden directory,
       mkmldir will fail.  If the target of the mkmldir command is also the
       invoker's current working directory, the command will fail.

       NOTE:  While in virtual directory mode, a user must have DAC and MAC
              access to the multilevel parent directory in order to access
              the hidden directories.  Thus, you must be very careful to
              create the multilevel directory such that intended access is
              always granted.  The recommended method of doing this is to
              first create the directory with mkdir, set the appropriate DAC
              with setacl, set the MAC label on the directory with setmac,
              and then use mkmldir to convert it into a multilevel
              directory.  Note that if you set the MAC label to anything
              higher than IMPLEMENTATION_LO, this will effectively prevent
              the creation of files in the multilevel directory by a
              nonprivileged process whose clearance does not dominate the
              MAC label of the multilevel parent directory.  Privileged
              users will still be able to create files (and therefore the
              corresponding hidden directory) in the multilevel directory,
              regardless of the MAC label on the multilevel parent
              directory.

              If a user cannot access a multilevel directory, all debugging
              of this problem must be done from real directory mode.  Any
              action taken in virtual directory mode will only affect the
              hidden directory corresponding to your process clearance.

       NOTE:  Care must be taken when using the mkmldir command that no one
              has the target directory open, and that no process has the
              target as its current working directory.  Otherwise, any
              files such a process creates in that directory end up in the
              MLD (parent) directory, rather than in the appropriate hidden
              directory.  The fuser command may be used to ensure that no
              process currently has the directory open.  An additional
              precaution that can be taken is to first enter real directory
              mode (setdirmode -r), set the MAC and DAC access modes of the
              directory such that no other process can access it, and then
              use the fuser command to ensure no one has the target
              directory open.  Then convert it to a multilevel directory,
              set the DAC and MAC attributes as desired, and exit real
              directory mode.

   Options
       -m     causes mkmldir to set permissions on dirname (the multilevel
              parent directory) to mode, if it is created. If dirname
              already existed, this option has no effect.

       -q     prevents mkmldir from writing diagnostic messages.  The usage
              error message is always written.

       mkmldir does not alter the access ACL, default ACL (if present), or
       MAC label of the directory being converted.  The access and default
       ACLs are inherited without modification by all hidden directories as
       they are created.  Note that this ACL "inheritance" is a function of
       the semantics of multilevel directories and does not function the
       same as true ACL inheritance during subdirectory creation.  Hidden
       directories are not subdirectories in virtual directory mode; rather,
       hidden directories masquerade as the parent MLD directory, and this
       is the reason for the difference in semantics.

       To remove a multilevel directory, the invoking process must be in
       real directory mode and then issue the command rmdir mldir_name or rm
       -r mldir_name.

EXAMPLE
       The following example follows the recommended procedure for creating
       a multilevel directory which has a default ACL and an access ACL
       which allows everyone other than fred read/write/search access,
       allows fred only search access, and prevents nonprivileged users at a
       label that does not dominate SECRET from creating files in the MLD.

       $ mkdir dir_abc
       $ setacl -d -i "u::rwx,g::rwx,o::rwx,u:fred:00x" dir_abc
       $ setacl -i "u::rwx,g::rwx,o::rwx,fred:00x" dir_abc
       $ setmac secret dir_abc
       $ mkmldir dir_abc

DIAGNOSTICS
       The mkmldir command exits with one of the following values:

          0   The multilevel directory was successfully converted or
              created.

          1   MAC or multilevel directories are not supported on this
              system.

          2   The invoking process could not create the multilevel
              directory.

          3   mkmldir usage is wrong.
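
       The following wrapper is an added example, not part of the DG/UX
       manual.  It applies the pre-flight checks from DESCRIPTION (target is
       not the current working directory, fuser reports no users) and reports
       the exit values listed above.  The function names, the refusal codes
       10 and 11, and the fuser output format are assumptions of the example.

```shell
# Added example, not part of the DG/UX manual.
# Assumption: fuser writes the PIDs using a file to stdout (file name to stderr).

# Print the PIDs that have the directory open; empty output means none.
mld_open_pids() {
    set -- $(fuser "$1" 2>/dev/null)
    echo "$*"
}

# Map the exit values listed under DIAGNOSTICS to their meaning.
mld_explain_status() {
    case "$1" in
        0) echo "converted or created" ;;
        1) echo "MAC or multilevel directories not supported on this system" ;;
        2) echo "invoking process could not create the multilevel directory" ;;
        3) echo "mkmldir usage is wrong" ;;
        *) echo "unexpected exit value $1" ;;
    esac
}

# Run mkmldir only when the preconditions from DESCRIPTION hold.
# Returns mkmldir's exit value, or 10/11 (values chosen for this example)
# when a pre-flight check refuses.
safe_mkmldir() {
    dir=$1
    if [ -d "$dir" ]; then
        # mkmldir fails if the target is the invoker's current working directory.
        if [ "$(cd "$dir" 2>/dev/null && pwd -P)" = "$(pwd -P)" ]; then
            echo "refusing: $dir is the current working directory" >&2
            return 10
        fi
        # A process holding the directory open would create its files in the
        # MLD parent rather than in a hidden directory.
        pids=$(mld_open_pids "$dir")
        if [ -n "$pids" ]; then
            echo "refusing: $dir is in use by: $pids" >&2
            return 11
        fi
    fi
    rc=0
    mkmldir -q "$dir" || rc=$?
    echo "mkmldir $dir: $(mld_explain_status "$rc")" >&2
    return "$rc"
}
```

       The fuser check and the conversion are not atomic, which is why the
       NOTE above recommends first restricting MAC and DAC access to the
       directory from real directory mode.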

SEE ALSO
       getdirmode(1), getmac(1), rm(1), rmdir(1), setdirmode(1M),
       setmac(1M), dg_mkmldir(2).


Licensed material--property of copyright holder(s)
