Administrator's Guide for Rational ClearCase LT, Release 2002.05.00, All Platforms

20.3 Utilities for Fixing Protection Problems

ClearCase includes three utility programs for fixing protection problems on Windows:

ccase-home-dir\etc\utils\vob_sidwalk.exe repairs permissions on VOB storage directories. It can also be used to change ownership on VOB objects. For details, see Using vob_sidwalk to Change or Update VOB Users and Groups.

ccase-home-dir\etc\utils\fix_prot.exe repairs permissions on VOB or view storage directories

ccase-home-dir\etc\utils\lsacl.exe displays NTFS DACLs for file-system objects

fix_prot

fix_prot [-f·orce] { -root [-r·ecurse] [-recover {-chown user | -chgrp group } |
-replace·_server_process_group|
[-r·ecurse] [-type { d | f }] [-chown user] [-chgrp group] [-chmod permissions] } pname ...

Options

-f·orce: Do not prompt for confirmation.
-r·ecurse: Recursively fix protections.
-root: Specifies that pname is a VOB or view storage directory root.
-type: Specifies the type of file-system objects to fix. Use d for directories and f for files. If -type is not specified, fix_prot operates on both directories and files.
-chown: Specifies the new owner. Mandatory with -root.
-chgrp: Specifies the new primary group. Mandatory with -root.
-chmod: Specifies the new access rights: owner, group, other (world). Both symbolic and absolute codes are valid, such as go-x (symbolic) or 0644 (absolute).
-recover: (Windows only.) Restores correct file system ACLs in a view storage directory based on the information in the view's identity.sd and groups.sd files. Not valid on VOB storage (use vob_sidwalk -recover_filesystem instead).
-replace·_server_process_group: (Windows only.) Replaces ACL entries for the ClearCase administrators group. Use this option if you have changed the ClearCase administrators group name or have moved a view to a new domain that has a different SID for this group.

Examples

To create a UNIX .identity directory after moving a VOB from Windows to UNIX. The VOB has been moved to the storage directory /vobstg/winvob.vbs. The new owner is vobadm and the new group is ccusers. You must run this command as root.

ccase-home-dir/etc/utils/fix_prot -root -recurse -chown vobadm -chgrp ccusers
/vobstg/winvob.vbs

To repair ACLs damaged when a view storage directory was coped to C:\ClearCaseStorage\integration.vws using a copy utility that did not preserve Windows ACLs:

ccase-home-dir\etc\utils\fix_prot -root -recover C:\ClearCaseStorage\integration.vws

To display the protection modes Clearcase associates with the directory E:\vobstg\myvob:

ccase-home-dir\etc\utils\fix_prot E:\vobstg\myvob
drwxr-xr-x MYDOMAIN\me MYDOMAIN\mygroup E:\vobstg\myvob

NOTE: fix_prot may return an error message that begins with the following text:

fix_prot: Error: unknown style protections on foo: The data is invalid.

If it does, you must rerun fix_prot and specify all of the -chown, -chgrp, and -chmod options with the absolute codes. For example:

ccase-home-dir\etc\utils\fix_prot -chown owner -chgrp group -chmod 0666 pname

lsacl

lsacl [ -s | -l ] [ -n ] [ -f ] path-name

Options:

-s | -l: Specifies short or long format; displays generic rights, by default.
-n: Specifies that the numeric security ID (SID) is not to be translated into the user's name. Use this option if the domain controller is down or if the user's account has been removed.
-f: Reads a security descriptor from a file; allows you to display the contents of the identity.sd and groups.sd files.

Note that you can also use %SystemRoot%\system32\cacls to display a DACL, but cacls cannot read a security descriptor from a file.