Operating System - OpenVMS

Error accessing authorization file

 
Wim Van den Wyngaert
Honored Contributor

Error accessing authorization file

Since a few years we do a set file/prot on the sysuaf file. This every Sunday evening.

Now for the first time I got a batch job that failed to login. It got loginout.exe getting "LOGIN-F-FILEACC, error accessing system authorization file.

How can I change the file protection without getting this conflict. Is there a way for temporarily stopping all processes from doing logins (stop=hold for 0.001 sec).

Wim
Wim
23 REPLIES 23
Karl Rohwedder
Honored Contributor

Re: Error accessing authorization file

Why did you set the protection, did someone change it?
If you want 'just to be sure', you may check it beforehand using F$FILE(fil,"PRO").

And perhaps enable auditing on it to check, who changes the protection.

regards kalle
Wim Van den Wyngaert
Honored Contributor

Re: Error accessing authorization file

Yes this would solve the problem but I wanted to know in general "how can I change the protection on the sysuaf on a running system without having the risk that a process failes".

WIm
Wim
Jan van den Ende
Honored Contributor

Re: Error accessing authorization file

Wim,

I would like to play with your odds in the lottery!

Yes, SET FILE _does_ lock the target.
But, normally, for SUCH a short period that it is a challenge for statistics to hit it.

But you proved that it IS possible.

I would have argued that several other activities do also create short-lived locks on all kinds of objects, and that the designs of VMS is such, that in any fore-seen cases some way around it (eg, short wait) would be in place.
Obviously NOT all cases.

fwiw

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hoff
Honored Contributor

Re: Error accessing authorization file

I'd consider enabling security audits on the critical files for modifications (eg: for control access, or control access attempts, etc), and then scan for any events in the auditing log. This as part of a scan for any interesting events in the audit data that might indicate signs of impending or actual trouble.
John Gillings
Honored Contributor

Re: Error accessing authorization file

Wim,

There is a way to stop logins but it won't help your immediate issue (see later...)

Your simplest solution is a retry loop. If you get a FILEACC error, just retry some "reasonable" number of times, say 20, with or even without a WAIT delay of a second or so. Unless you have an exceptionally busy system, that will work eventually. Report an error if it fails every attempt. It's a batch job so you really don't care how long it takes.

The easiest way to stop other processes from accessing SYSUAF is to open it for exclusive access. From DCL you'd have to do it in a retry loop because other processes may have it open with incompatible sharing options. But that won't help you because you'll be blocking the SET PROT yourself.

You could write a program which obtains exclusive access to the file and sets protection. I think if you use the ACP-QIO interface you may be able to do it without having to retry (low level file system - see chapter 1 of I/O Users Reference Manual), but this seems like extreme overkill to me for what you're trying to achieve.

As Karl suggested, checking the file attributes first to see if it's even necessary to attempt to change the protection will probably solve the problem. Since any process that wants to change it will have the same problem as you have.

I don't believe there's any way for you to change the protection without exposing some risk to other processes logging in. You can probably assume that an interactive or network user will simply retry if their login fails. To protect batch jobs, you could drop the queue limits to 0 before attempting to change the protection, then restore them immediately afterwards (but then you have to weigh up the risk of a failed batch login against the risk that your job will fail to restore the job limits on the queue!). I don't think there's much you can do about network jobs.
A crucible of informative mistakes
Jess Goodman
Esteemed Contributor

Re: Error accessing authorization file

I think there is a way to handle this but it's a rather complicated solution, so I would bet you would rather just work-around your problem some other way.

But FYI, you could use loginout callouts so that each step used to authorize the batch job (or logins for other process modes) is under your control.

So then if a LGI$ callback routine returns an error due to SYSUAF being locked your code could wait a bit and then retry the callback routine.

See the LOGINOUT routine chapter of the OpenVMS Utility Routines Manual.
I have one, but it's personal.
DECxchange
Regular Advisor

Re: Error accessing authorization file

I don't know if there is any reason to change the file protection on the system authorization file. I'm assuming you are referring to SYSUAF.DAT, right? You might want to also look at

$ dir/prot/owner sys$sytem syauaf.dat

I think the owner should be user SYSTEM.

I would try some other method of security on the sysuaf other than setting its protection.
EdgarZamora_1
Respected Contributor

Re: Error accessing authorization file


I don't know how many batch queues you have, but one "workaround" would be to stop/next your batch queue(s) temporarily while you do the set protection on the uaf file (also wondering why you are doing this on a daily basis) then restarting the queues after the set protection.

Wim Van den Wyngaert
Honored Contributor

Re: Error accessing authorization file

Yes but there are other processes too (network, interactive).

I think I will leave the situation as it is as on the hour of execution there is nothing important running.

Wim
Wim