topic Re: setgid and setuid in Operating System - OpenVMS

setgid and setuid

Sandeep_30 — Tue, 22 Mar 2005 12:42:53 GMT

I am unable to change the identity of the user and the group using c system calls setgid and setuid.

Can you please take a look and let me know what I am doing wrong ? Is their a better way to do the same ?

I have attached my test program along with this attachement.

Below is the output of the program.

Thanks
Sandeep

$ changeid :== $SYS$SYSDEVICE:[MYTEST.MYJOBS]changeid.exe
$ set process /priv= all
$ changeid qa
Original Value : uid = [8388754] and gid = [128]
*** qa information ***
pw uid : 8388755
pw name : qa
pw dir : SYS$SYSDEVICE:[QA]
pw gid : 128
*** start Method1 : changeIdentity() ***
start : Inside changeIdentity. uid = [8388755] and gid = [128]
New Value : uid = [8388754] and gid = [128]
end : Inside changeIdentity.
*** End Method1 : changeIdentity() ***

*** start Method2 : changeIdentity1() ***
start : Inside changeIdentity1. uid = [8388755] and gid = [128]
New Value : uid = [8388754] and gid = [128]
end : Inside changeIdentity1.
*** End Method2 : changeIdentity1() ***
parent done.

PS : I am using HP OpenVMS Industry Standard 64 Operating System, Version V8.2

Re: setgid and setuid

Hein van den Heuvel — Tue, 22 Mar 2005 13:05:35 GMT

Hmmm, are you in a context with POSIX IDs enabled?
With POSIX IDs disabled, setuid and setgid serve no function and just return succes for portability purpose.

Does it work for you on an other VMS version?

What problem are you trying to solve?
VMS has many advanced sercurity features like 'identifiers' which may be better suited to solve the 'real problem', perhpas access to an object.

hope this helps a little,
Hein.

Re: setgid and setuid

Sandeep_30 — Tue, 22 Mar 2005 14:54:31 GMT

Hein,

Thanks for the reply.

I am new to openVMS and after looking at your reply about setuid and setgid as just place-holder, I am puzzled how to port the UNIX code to OVMS ? I do not have POSIX enabled.

The only OpenVMS machine I have is I64 - v8.2

Below is a brief description of what I am trying to do -

Change users and group then either spawn or create a new process to run a file. Once the file is run change back to original user.

eg :
As original user (TEST) if the .com file has a command "sh proc". The run results should be

22-MAR-2005 13:49:37.97 User: TEST Process ID: 0000BD8B
Node: OVMS01 Process name: "_TNA77:"
....
....

If I change the user (lets say QA) and if the .com file has a command "sh proc". The run should results in

22-MAR-2005 13:49:37.97 User: QA Process ID: 0000B231
Node: OVMS01 Process name: "_TNA78:"
....
....

Is their a way to accomplish this ? Does this explaination help ?

Sandeep

Re: setgid and setuid

Hein van den Heuvel — Tue, 22 Mar 2005 15:26:26 GMT

Right. I suspected that. Unfortunately I am a little short in time just now, so I can not give a full explanation.

Basically this is NOT the way thinks are done under VMS.
You are one user and you stay that use.
How else can you have proper security, accounting, and so on.

If you are a privilled use you can SUBMIT a job under a different name, or CREATE A PROCESS (SYS$CREPRC) under a differnt user name, but that is done for exceptions, not as rule.

The rule is to give, or deny, a user the right to use certain objects (files) or not.

So now I would want you to drill down one level deeper. Why do you think you need to change user ID. Why can the current user not do the job and what would it take (securely) to allow the current user to do that job.

Please be sure to start reading up on VMS security a little.

Regards,
Hein.

Re: setgid and setuid

Ian Miller. — Wed, 23 Mar 2005 04:25:08 GMT

See
http://h71000.www7.hp.com/doc/82FINAL/5763/5763pro_005.html#long_and_posix_gid_sec
for information on posix style identifiers.
However consider carefully the advice to look at why the program changes uid.

Re: setgid and setuid

Jan van den Ende — Wed, 23 Mar 2005 05:28:50 GMT

Sandeep,

Welcome to VMS!!

I am assuming you are doing this because there is some functionality (like running a program) that TEST is not allowed, but QA is allowed.

The standard way to do this in VMS is to create IDENTIFIER (not user!) QA (and all others that you identify as separate functionalities to be allowed or disallowed).

You protect the objects that are needed to perform the function to be ALLOWED by holders of the identifier, else disallowed.

And in the authorisation, you (as in: the system manager) GRANT the relevant identifiers, say QA, to user SANDEEP and HEIN, but not to JAN. Now the first two can use the functionality QA.
You grant identifier ITRC to SANDEEP and JAN.
Result those two can do ITRC (whatever that does), and HEIN can not.
Next application: BLABLA
Grant BLABLA to HEIN, IAN, and JAN.
-> BLABLA is available to those 3, not to SANDEEP.

-- if you are familiar with those principles, then there are refinements like DYNAMIC identifier, which can be swithced off and on, and SUBSYSTEM identifiers, which are intended to allow access to certain objects (mostly files) only WHILE executing an certain image that has that identifier, but NOT in any other way.

All this together allows fine-grained, individually authorizable, secure, and auditable access control, with very little System Admin overhead.

Example of that: we maintain an environment with 8000+ users, 20 different applications, (each with separate PROD, TEST, and TRAIN access, each with various authorisation levels), and 1200 separately granted projects. Om avarage 250 authorisation mutations per week.

All done with identifiers, and requiring a total maintenance effort of less than one workday per week.

And it is ALL fully auditted, and every application use of every single user is identifiably traced.

Let me finish with repeating Hein's final advice:

Please be sure to start reading up on VMS security a little.

Success!

Proost.

Have one on me.

Jan

Re: setgid and setuid

Sandeep_30 — Thu, 24 Mar 2005 19:18:37 GMT

Many thanks for the reply. The advice I received has been extemely helpful.

I have been experimenting with the persona and ACL related system calls.

I am running into trouble after the program assumes the role of new persona.

My account has "system", "impersonate" and "group priviledge".

The error I am seeing is,
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

I am including my test program, output along with the contents of the file I a trying to access.

Appreciate your help.

Thanks
Sandeep