10-08-2008 12:48 PM
"What is the proper torque to tighten a bolt"
The answer to your question is:
It depends on what protection is applied to the file, and how it applies to the process requesting the deletion. The process needs delete access to the file, and write access to the directory that the file is entered in.
If you want to be able to delete the file regardless of the protection, then the VMS privilege that will grant that is BYPASS. But hopefully that isn't available.
10-08-2008 01:33 PM
Please consider the possibility of using an ACL to permit deletion of the file. That will remove the need for any privilege (although the anointed users will need to hold the Identifier). This is also a far easier alternative for auditors to accept.
The privilege level, on the other hand, can be easily misused. Depending upon where the file is and how it is protected, GRPPRV or SYSPRV suffice for most files. However, each is more easily abused (in increasing order of severity).
As mentioned earlier in this post, whenever similar situations arise at clients, I always recommend using ACLs and identifiers; it is far safer.
- Bob Gezelter, http://www.rlgsc.com
10-08-2008 01:56 PM
appropriate protection on the file can help.
If that's too hard, then an ACL can help.
If that's too hard, then BYPASS can help.
> [...] I am required to replace the BYPASS
> priviledge [...]
"privilege". ("HELP SET PROCESS".)
Why did you need BYPASS before? How many
other good suggestions will you say are not
allowed only after someone has made them?
It's often helpful to describe the actual
problem to be solved, including the
constraints on the solution, rather than to
ask how to implement some particular
(possibly lame) (non-)solution to that
10-08-2008 02:10 PM
Another approach is an image that is installed with BYPASS (or configured with a subsystem identifier) that can perform necessary verifications and delete the file as appropriate.
But in seriousness here, the lack of background information and the lack of a general problem description means no certain answer is possible. We can guess.
10-08-2008 03:13 PM
>> What are the necessary priviledges to be able to delete a VMS file using the F$SETPRV() lexical?
None. It is impossible to delete a file with the F$SETPRV lexical no matter how many privs you throw at it.
Sorry... couldn't resist.
>> I am required to replace the BYPASS priviledge with other priviledges so that I will not have to use the BYPASS priviledge.
And rightly so. BYPASS is scary and should only be used as last resort.
Others have pointed out that SYSPRV, or having a UIC under SYSGEN MAXSYSGROUP, may be a handy and slightly less dangerous option. ACLs and identifiers are often the cleanest and clearest way to go.
10-09-2008 02:37 AM
If the application _requires_ BYPASS, it should NEVER have been deployed. Period.
BYPASS is, as Hein said, a last resort, to be used if, and only if, anything else fails. And YOU should be in control. Not some piece of software.
As all have said already, there are alternatives, and the application should have been developed, tested and deployed using the alternative. It should only have the privileges it really needs at the moment it really needs them.
BYPASS should NEVER be one of them.
If you developed the application yourself, return from your dwellings and take the right route. Use ACLs and identifiers. It's not too late :)
If you purchased the application, do NOT follow the installation manual and use ACLs and identifiers as stated. If that works, fine. If not, return the package to the manufacturer to have it done the proper way. Or ban them altogether.
(sorry, couldn't resist either...)
OpenVMS Developer & System Manager
10-09-2008 05:41 AM
The DELETE command is used to delete a file (or a corresponding language function).
ACLs give or take away the right to delete a file.
Read all about it, if you want to learn or give the assignment to someone else who is qualified and capable to do it.
$HELP HINT SECURITY
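The ACL-and-identifier approach recommended in several replies above, sketched as a DCL command procedure. This is an added example, not code posted by anyone in the thread; the identifier APP_CLEANUP, the user JSMITH and the directory DISK$DATA:[APP.SPOOL] are hypothetical placeholders. The system manager runs it once, and the application account then needs no BYPASS, SYSPRV or GRPPRV to delete these files.

```dcl
$! Added example: grant delete rights through an identifier instead of BYPASS.
$! APP_CLEANUP, JSMITH and DISK$DATA:[APP.SPOOL] are placeholders.
$!
$! 1. Create the identifier and grant it to the account that must delete files.
$!    (Run by the system manager; AUTHORIZE updates the rights database.)
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD/IDENTIFIER APP_CLEANUP
GRANT/IDENTIFIER APP_CLEANUP JSMITH
EXIT
$!
$! 2. On the directory file: holders may read and write the directory
$!    (write access is what allows a file's entry to be removed), and the
$!    OPTIONS=DEFAULT ACE is copied onto files created there later.
$ SET SECURITY/CLASS=FILE -
      /ACL=((IDENTIFIER=APP_CLEANUP,ACCESS=READ+WRITE), -
            (IDENTIFIER=APP_CLEANUP,OPTIONS=DEFAULT,ACCESS=READ+DELETE)) -
      DISK$DATA:[APP]SPOOL.DIR
$!
$! 3. On files that already exist: holders get delete access.
$ SET SECURITY/CLASS=FILE -
      /ACL=(IDENTIFIER=APP_CLEANUP,ACCESS=READ+DELETE) -
      DISK$DATA:[APP.SPOOL]*.*;*
$!
$! 4. Review the result: the ACEs should be listed on the directory and files.
$ SHOW SECURITY/CLASS=FILE DISK$DATA:[APP]SPOOL.DIR
$ SHOW SECURITY/CLASS=FILE DISK$DATA:[APP.SPOOL]*.*;*
```

JSMITH picks up the new identifier at the next login. Revoking the identifier in AUTHORIZE withdraws the delete right without touching any file protection.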