topic Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ? in Operating System - OpenVMS

Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Jan van den Boogaard_1 — Tue, 14 Jul 2009 08:29:10 GMT

Hello folks,

Plain question:

Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

We tested and it seems that SYSPRV and OPER are already enough. But when I do this:

MAIL> help set forward /user

SET-SHOW

FORWARD

/USER

/USER=user-name

Indicates the name of another user for whom you are setting or
showing a forwarding address. You can use the /USER qualifier
only if you have SYSNAM privilege. With the SHOW FORWARD command,
there are two ways to show a user's forwarding address: you can
specify the user name or you can use the wildcard characters (*
or %) to search for names with a particular string in common.

.... this suggests that SYSNAM *IS* needed.

What do you think?
Thks in advance.

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Ian Miller. — Tue, 14 Jul 2009 08:47:36 GMT

According to the Manual you do

http://h71000.www7.hp.com/doc/82final/aa-pv5mj-tk/aa-pv5mj-tk.html

so I guess the intention is that SYSNAM is required.

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Robert Gezelter — Tue, 14 Jul 2009 10:44:50 GMT

Jan,

SYSPRV is sufficient (I ran a test case on one of my OpenVMS VAX 6.2 systems).

I note that the HELP text for ASSIGN/SYSTEM is more forthcoming, in that it states that it "requires SYSNAM (system logical name) OR [emphasis mine] SYSPRV (system privilege) privilege".

I would therefore conclude that you have a reportable documentation erratum.

- Bob Gezelter, http://www.rlgsc.com

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Hoff — Tue, 14 Jul 2009 11:14:43 GMT

This particular MAIL forwarding interface mimics the old logical name forwarding mechanism (which still works just fine, BTW), and that required SYSNAM privilege.

SYSPRV provides SYSNAM access based on the typical protection model in place on the logical name table.

What's your real question, rather than your "plain question"? No offense intended here, but you're not telling _why_ you're asking this, and that detail can be as important as question and the literal answer to the question; it allows us to target the answer.

As for the "plain question", the privilege model on OpenVMS is a little complex, and there is very often more than one combination of privileges that can authorize the desired operation.

And depending on what you're up to (which is why I ask why), it's entirely feasible to toss forwarding entries into a database (without requiring the caller have privileges) with an installed executable image as MAIL has a documented API. That interface is trivial to use, and I've posted examples of calling the API (though not specifically the forwarding entry points) at:

http://labs.hoffmanlabs.com/node/744

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Jan van den Boogaard_1 — Tue, 14 Jul 2009 11:33:18 GMT

Hoff,

The underlying problem is that we want to grant the task of adding and modifying UAF accounts (including MAIL SET FORWARD setting) to a non-SYSTEM user, and so we want to give this user the minimal set of privileges to do this. Obvious SYSPRV is necessary toadd/modify UAF accounts, but we were not sure abount SYSNAM.

Now, the Guide to system security says also (appendix A):

The SYSPRV privilege also lets a process perform the following tasks: Task Interface
Modify a file's expiration date SET FILE/EXPIRATION
Modify the number of interlocked queue retries $QIO request to an Ethernet 802 driver (DEBNA/NI)
Set the spin-wait time on the port command register $QIO request to an Ethernet 802 driver (DEBNA)
Set the FROM field in a mail message MAIL routines
Access a MAIL maintenance record MAIL
Modify or delete a MAIL database record MAIL
Modify the group number and password of a local area cluster CLUSTER_AUTHORIZE component of SYSMAN
Perform transaction recovery, join a transaction as coordinator, transition a transaction DECdtm software

But nevertheless, I believe that you are tight: SYSPRV implies SYSNAM in the case of default protection mask of the system logical name table.

So, the sentence "You can use the /USER qualifier only if you have SYSNAM privilege." should be interpreted: "You can use the /USER qualifier only if you have SYSNAM privilege or the SYSPRV privilege."

Thanks for your reply. It is clear now. Jan.

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Hoff — Tue, 14 Jul 2009 12:18:48 GMT

Why dispense any privileges here?

Use a CAPTIVE login procedure, and manage your OpenVMS environment from that environment. Or use a DECnet task-to-task approach (DCL or otherwise), and have the server end of the connection running with the necessary privileges. Either avoids issuing privileges (directly) to end-users.

Here are some high-level discussions on this general topic:

http://labs.hoffmanlabs.com/node/491
http://labs.hoffmanlabs.com/node/955

I included a chapter on this topic in the 2nd edition of the Writing Real Programs book, if you can locate a copy of that book.

SYSNAM is among the ALL-class privileges, and it's trivial to gain any (other) OpenVMS privilege should you be granted SYSNAM privilege. Differentiating users with SYSPRV or with SYSNAM isn't worth any particular effort.

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Hein van den Heuvel — Tue, 14 Jul 2009 14:13:15 GMT

>> The underlying problem is that we want to grant the task of adding and modifying UAF accounts (including MAIL SET FORWARD setting)

fyi, MAIL SET FORWARD has NOTHING to do with UAF accounts. It only concerns itself with SYS$SYSTEM:VMSMAIL_PROFILE.DATA.
Entries may or might not correspond with SYSUAF entries. Often they do of course.

>> to a non-SYSTEM user, and so we want to give this user the minimal set of privileges to do this. Obvious SYSPRV is necessary toadd/modify UAF accounts,

That's NOT obvious to me.

Obviously write access to SYSUAF.DAT / VMSMAIL_PROFILE.DATA is needed. One way to accomplish that is to have SYSPRV.
But ACL's can provide a fine alternative.

Now if you give someone uncontrolled write access to SYSUAF, then you have effectively given that person SETPRV / SYSPRV and it woudl be clearer to just give that, callign a spade a spade.

But for OpenVMS Email forwarding maintenance just allowing access through an ACE probably works fine and is not too risky. (IMHO of course)

fwiw,
Hein.

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

marsh_1 — Tue, 14 Jul 2009 14:20:28 GMT

hi,

if you don't want direct system access maybe consider the openvms management station :-

http://h71000.www7.hp.com/openvms/products/argus/

hth

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Hoff — Tue, 14 Jul 2009 14:41:56 GMT

FWIW, OpenVMS Management Station (OMS) requires a Microsoft Windows box (not everybody has those) and (last I looked) also requires a mid-or upper-end license for OpenVMS I64; EOE or MCOE.

Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?

Steve Reece_3 — Wed, 15 Jul 2009 02:10:58 GMT

You're right (of course) Hoff, though it was one of the things that I raised i a meeting in the UK when one of the guys from the UK support centre outlined the licensing on IA64. OMS became a product that needed a license again rather than being the complementary product that it was on Alpha and VAX.
Steve