https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821315#M77482 The original question is about the risk of execute only access for world.<BR /><BR />One way of restricting this risk would be to add an ACL with a ACE grating execute access to holders to a specific idenitifer. Then grant that identifier to users who need to run a task under the scheduler.<BR /><BR />I think that the locking problem mentioned above needs read access. Tue, 11 Jul 2006 09:58:22 GMT Ian Miller. 2006-07-11T09:58:22Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821308#M77475 Hi,<BR /><BR />I install a patch on a third party Scheduler product ($U from Orsyp). Since this moment, I have security problems on the SYSUAF.DAT file.<BR />Users who runing task under the scheduler generate a protection error : they try to access the SYSUAF.DAT in execute mode.<BR /><BR />My question is : what is the risk to give (w:E) protection on SYSUAF.DAT. In the VMS doc I only see that execute access is to authorize to run a image or to @ a dcl file.<BR /><BR />Thanks for help<BR /><BR />Seghers Bruno Tue, 11 Jul 2006 08:26:52 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821308#M77475 Bruno Seghers 2006-07-11T08:26:52Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821309#M77476 Hi Bruno,<BR /><BR />Long time no see.<BR /><BR />I have no knowledge of side effects except that you can @ the sysuaf file.<BR />BTW : over here they are RE with no side effects.<BR /><BR />CU<BR /><BR />Wim Tue, 11 Jul 2006 09:02:47 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821309#M77476 Wim Van den Wyngaert 2006-07-11T09:02:47Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821310#M77477 Wim,<BR /><BR />setting SYSUAF.DAT to WO:RE is an invitation to hackers to try and crack your passwords.<BR /><BR />The default protection for SYSUAF.DAT would be: SYSTEM:RWED, OWNER:RWED and nothing else.<BR /><BR />Volker. Tue, 11 Jul 2006 09:11:20 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821310#M77477 Volker Halle 2006-07-11T09:11:20Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821311#M77478 If you give W:R to the sysuaf, a user could do open/share=read/read and thus prevent other processes from updating it. This could cause hanging processes (password changes, update date last login, etc).<BR /><BR />Wim Tue, 11 Jul 2006 09:19:15 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821311#M77478 Wim Van den Wyngaert 2006-07-11T09:19:15Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821312#M77479 is the product asking for execute only or read and execute (the audit entry should tell you)?<BR /> Tue, 11 Jul 2006 09:46:06 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821312#M77479 Ian Miller. 2006-07-11T09:46:06Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821313#M77480 Execute only Tue, 11 Jul 2006 09:49:36 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821313#M77480 Bruno Seghers 2006-07-11T09:49:36Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821314#M77481 I tested it and with RE your system gets in hung after open/read/share=read.<BR /><BR />In accounting : error accessing system authorization file and this for all new processes.<BR /><BR />Wonder what other files I could use in this way ... should check *.dat at least.<BR /><BR />Wim Tue, 11 Jul 2006 09:51:15 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821314#M77481 Wim Van den Wyngaert 2006-07-11T09:51:15Z https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821315#M77482 The original question is about the risk of execute only access for world.<BR /><BR />One way of restricting this risk would be to add an ACL with a ACE grating execute access to holders to a specific idenitifer. Then grant that identifier to users who need to run a task under the scheduler.<BR /><BR />I think that the locking problem mentioned above needs read access. Tue, 11 Jul 2006 09:58:22 GMT https://community.hpe.com/t5/operating-system-openvms/execute-acces-on-sysuaf-dat/m-p/3821315#M77482 Ian Miller. 2006-07-11T09:58:22Z