Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

How to SPAWN from OpenVMS CAPTIVE account in Perl

 
SOLVED
Go to solution
Tan Yeok Joo
Occasional Visitor

How to SPAWN from OpenVMS CAPTIVE account in Perl

Recently our customer has some of the accounts set to CAPTIVE for security reason. In C programs, they have bit 6 of CLI$M_TRUSTED flag set, to allow SPAWNing.

How to script that in Perl ?

Cheers,
10 REPLIES 10
Heinz W Genhart
Honored Contributor

Re: How to SPAWN from OpenVMS CAPTIVE account in Perl

Hi Tan

first of all welcome to ITRC OpenVMS Forum.

Within a captive account it's not possible to use the spawn command. See the OpenVMS System Manager Manual. ftp://ftp.hp.com/pub/openvms/doc/AA-PV5MH-TK.PDF

A person using a captive account is locked into the application software where access to the DCL level is denied.

Regards

Geni
Tan Yeok Joo
Occasional Visitor

Re: How to SPAWN from OpenVMS CAPTIVE account in Perl

ThankS for the reply.

The customer has successfully made the lib$spawn call in their C programs, in those CAPTIVE accounts, by setting the TRUSTED.

#ifndef CLI$M_TRUSTED
#define CLI$M_TRUSTED 64


bit 6 TRUSTED If this bit is set, it indicates a SPAWN command on behalf of the application. If this bit is not set, it indicates that the SPAWN command originates from user. SPAWN commands originating from users are disallowed in captive accounts (DCL).

Right now, they are trying to figure out how to do that in Perl.
Jan van den Ende
Honored Contributor

Re: How to SPAWN from OpenVMS CAPTIVE account in Perl

Tan,

First, let me join Geni in welcoming you!

And his answer is correct.

The solution would be to change the CAPTIVE flag to RESTRICTED in the user's UAF record.

The confusion is understandable for older software:
The behavior of the Restricted flag used to belong to the CAPTIVE setting. Then (VMS V5 timeframe IIRC) it became desirable to have a MORE restricted set of limitations. As it was contra-intuitive to have CAPTIVE be less severe than the new-to-introduce term RESTRICTED, the behavior of the flag got the new name, and the behavior of CAPTIVE stayed the most limited, but got more constraints added.
But in older software it is not uncommon to find specifications named CAPTIVE while referring to the old captive behavior that should now be rightly termed RESTRICTED.

One more example of the really BAD aspects of re-branding products, functionalities, and whatever. MORE so if the old name lives on in a new meaning.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Karl Rohwedder
Honored Contributor

Re: How to SPAWN from OpenVMS CAPTIVE account in Perl

Tan,

if really desired, you may try to change the perl source module (should be in VMS.C) to specify the CLI$M_TRUSTED bit, when performing the LIB$SPAWN for the system() call. Then create a special PERL version for those users.

But perhaps specifying restricted instead of captive is enough security.


regards Kalle
Tan Yeok Joo
Occasional Visitor

Re: How to SPAWN from OpenVMS CAPTIVE account in Perl

Thanks everyone,

I have tried to take away the CAPTIVE flag, leaving only the RESTRICTED, I was able to SPAWN out from the Menu through TPU ( as quite a lot of the Menu options are written using TPU and other utilities that could spawn out within the utility itself).

Maybe I didn't describe the senerio well enough. The customer is trying to lock some very powerful accounts with a MENU, but still be able to SPAWN out within the option itself, performing some tasks, and back to the Menu again. But not able to do a "manual spawn" within a utility like TPU.

confused ? me too :-)