HPE Community
Operating System - OpenVMS
1751824 Members
4981 Online
108782 Solutions
New Discussion юеВ

Submit

 
SOLVED
Go to solution
Mulder_1
Frequent Advisor

тАО12-09-2008 12:52 AM

тАО12-09-2008 12:52 AM

Submit

I'm having a problem while submitting a job in batch with /user qualifier.

The user who is submits the job is holding the following privileges :

Authorized Privileges:
CMKRNL GRPNAM NETMBX OPER TMPMBX
Default Privileges:
CMEXEC CMKRNL GRPNAM NETMBX OPER TMPMBX

Whenever I submit the job I receive the following error :
%SUBMIT-F-INVQUAVAL, value 'APB123' invalid for /USER qualifier
-RMS-E-PRV, insufficient privilege or file protection violation

What privilege do I need to set so that the job can be submitted ?

0 Kudos
Reply
16 REPLIES 16
Jan van den Ende
Honored Contributor

тАО12-09-2008 01:03 AM

тАО12-09-2008 01:03 AM

Re: Submit

Fox,

you (also) need to be able to READ the autorisation file.

SYSPRV is one way to achieve that.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
Mulder_1
Frequent Advisor

тАО12-09-2008 01:23 AM

тАО12-09-2008 01:23 AM

Re: Submit

Thanks for your reply...

But,the user is an operator,SYSPRIV would not get approved.

Any other way ?

Thanks
0 Kudos
Reply
labadie_1
Honored Contributor

тАО12-09-2008 02:43 AM

тАО12-09-2008 02:43 AM

Re: Submit

Help submit/user

Requires CMKRNL (change mode to kernel) privilege and read (R)
and write (W) access to the user authorization file (UAF).

If you can do a submit/user=privileged_user, then why not submit a .com file doing
$ mc authorize copy system xxx/pass=yyy

Doing this is the same as giving full privileges.
0 Kudos
Reply
Joseph Huber_1
Honored Contributor

тАО12-09-2008 02:45 AM

тАО12-09-2008 02:45 AM

Re: Submit


"SYSPRV" would not be approved"

But if a user has CMEXEC CMKRNL, then he can always get SYSPRV with a little programming.
So what kind of security policy is this ? Ignorant ?
http://www.mpp.mpg.de/~huber
0 Kudos
Reply
Jan van den Ende
Honored Contributor

тАО12-09-2008 02:45 AM

тАО12-09-2008 02:45 AM

Solution

Re: Submit

Fox,

well, _SYSPRV_ would not be approved for users that have _CMKRNL_ ??
That is like a bow-and-arrow are considered too dangerous for someone who usually only carries an AK47....

But, since you are su=tuck with this, you could also set an ACL on SYSUAF that grants READ access to the operator(s).

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Reply
Robert Gezelter
Honored Contributor

тАО12-09-2008 04:08 AM

тАО12-09-2008 04:08 AM

Re: Submit

FOX2,

Note: As Labadie has noted, the HELP text indicates that Read AND Write Access are needed to the UAF.

The policy that operators do not have SYSPRV is all well and good, BUT giving them Write access to the UAF is "SYSPRV in one extra step" (A reference to chess terminology is appropriate: "Mate in one").

There are several better options for implementing this:

- set up a captive account that can be logged in and submit the job.
- use a daemon process/batch job that executes on a regular basis and checks for the presence of a work request in a file.
- (more complex) create an image that only is able to submit that task, and install that image with CMKRNL. Protect that image with an ACL, and have it automatically log its use to the audit and accounting files.

- Bob Gezelter, http://www.rlgsc.com
0 Kudos
Reply
Joseph Huber_1
Honored Contributor

тАО12-09-2008 04:46 AM

тАО12-09-2008 04:46 AM

Re: Submit

Another possibility, which enables You also to remove the CMKRNL privilege from operator account:

SUBMIT/HOLD the job from a privileged account once.
Insert a resubmit itself as the first action of the job.
Then let the operator SET ENTRY/RELEASE the job when needed. (set the necessary protection on the job or queue, by default OPERATOR privilege allows it.)

If the operator is not skilled enough to find the entry number, put the /release command into another command-file, which searches for the particular job/entry number first.
http://www.mpp.mpg.de/~huber
0 Kudos
Reply
Hein van den Heuvel
Honored Contributor

тАО12-09-2008 04:51 AM

тАО12-09-2008 04:51 AM

Re: Submit

Run this program just before the submit:

int sys$setprv(), sys$cmexec();
main(int argc, char *argv[]) {
__int64 privs = 1 << 28;
int args[] = { 4, 1, (int) &privs , 1, 0 };
return sys$cmexec (&sys$setprv, args);
}


No C compiler on the production box?

$create tmp.mar
.entry start, 0
callg args1, g^sys$cmexec
ret
.psect data,noexe
args1: .long 2, sys$setprv, args2
args2: .long 4, 1, privs, 1, 0
privs: .long 1@28, 0
.end start
$macro tmp
$link tmp
$run tmp
$delete tmp.*;

Best regards,
Hein.


Reply
Joseph Huber_1
Honored Contributor

тАО12-09-2008 05:06 AM

тАО12-09-2008 05:06 AM

Re: Submit

... continuing suggestions,
if You need more than a few specific privileged jobs to be executed from a less privileged operator, You could setup a privileged "worker" job, doing:

1.create a system-/cluster-wide mailbox, where it receives commands from operators/users.

2.loop on reading commands from the mailbox.

3. verify/dispatch/execute the actions requested in the message.

Since mailboxes allow to get also the sender identification, all kind of protection can be established here.

(3a. notify the sender about success/error)

4. loop at 2.

(Almost) all this can be programmed in DCL.
http://www.mpp.mpg.de/~huber
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.