07-14-2009 01:29 AM
Plain question:
Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
We tested and it seems that SYSPRV and OPER are already enough. But when I do this:
MAIL> help set forward /user
SET-SHOW
FORWARD
/USER
/USER=user-name
Indicates the name of another user for whom you are setting or
showing a forwarding address. You can use the /USER qualifier
only if you have SYSNAM privilege. With the SHOW FORWARD command,
there are two ways to show a user's forwarding address: you can
specify the user name or you can use the wildcard characters (*
or %) to search for names with a particular string in common.
.... this suggests that SYSNAM *IS* needed.
What do you think?
Thanks in advance.
07-14-2009 01:47 AM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
http://h71000.www7.hp.com/doc/82final/aa-pv5mj-tk/aa-pv5mj-tk.html
so I guess the intention is that SYSNAM is required.
Purely Personal Opinion
07-14-2009 03:44 AM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
SYSPRV is sufficient (I ran a test case on one of my OpenVMS VAX 6.2 systems).
I note that the HELP text for ASSIGN/SYSTEM is more forthcoming, in that it states that it "requires SYSNAM (system logical name) OR [emphasis mine] SYSPRV (system privilege) privilege".
I would therefore conclude that you have a reportable documentation erratum.
- Bob Gezelter, http://www.rlgsc.com
07-14-2009 04:14 AM
Solution
SYSPRV provides SYSNAM access based on the typical protection model in place on the logical name table.
What's your real question, rather than your "plain question"? No offense intended here, but you're not telling _why_ you're asking this, and that detail can be as important as the question and the literal answer to the question; it allows us to target the answer.
As for the "plain question", the privilege model on OpenVMS is a little complex, and there is very often more than one combination of privileges that can authorize the desired operation.
And depending on what you're up to (which is why I ask why), it's entirely feasible to toss forwarding entries into a database (without requiring the caller have privileges) with an installed executable image as MAIL has a documented API. That interface is trivial to use, and I've posted examples of calling the API (though not specifically the forwarding entry points) at:
http://labs.hoffmanlabs.com/node/744
07-14-2009 04:33 AM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
The underlying problem is that we want to grant the task of adding and modifying UAF accounts (including MAIL SET FORWARD setting) to a non-SYSTEM user, and so we want to give this user the minimal set of privileges to do this. Obvious SYSPRV is necessary to add/modify UAF accounts, but we were not sure about SYSNAM.
Now, the Guide to system security says also (appendix A):
The SYSPRV privilege also lets a process perform the following tasks:

| Task | Interface |
| --- | --- |
| Modify a file's expiration date | SET FILE/EXPIRATION |
| Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
| Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
| Set the FROM field in a mail message | MAIL routines |
| Access a MAIL maintenance record | MAIL |
| Modify or delete a MAIL database record | MAIL |
| Modify the group number and password of a local area cluster | CLUSTER_AUTHORIZE component of SYSMAN |
| Perform transaction recovery, join a transaction as coordinator, transition a transaction | DECdtm software |

But nevertheless, I believe that you are right: SYSPRV implies SYSNAM in the case of the default protection mask of the system logical name table.
So, the sentence "You can use the /USER qualifier only if you have SYSNAM privilege." should be interpreted: "You can use the /USER qualifier only if you have SYSNAM privilege or the SYSPRV privilege."
Thanks for your reply. It is clear now. Jan.
07-14-2009 05:18 AM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
Use a CAPTIVE login procedure, and manage your OpenVMS environment from that environment. Or use a DECnet task-to-task approach (DCL or otherwise), and have the server end of the connection running with the necessary privileges. Either avoids issuing privileges (directly) to end-users.
Here are some high-level discussions on this general topic:
http://labs.hoffmanlabs.com/node/491
http://labs.hoffmanlabs.com/node/955
I included a chapter on this topic in the 2nd edition of the Writing Real Programs book, if you can locate a copy of that book.
SYSNAM is among the ALL-class privileges, and it's trivial to gain any (other) OpenVMS privilege should you be granted SYSNAM privilege. Differentiating users with SYSPRV or with SYSNAM isn't worth any particular effort.
07-14-2009 07:13 AM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
fyi, MAIL SET FORWARD has NOTHING to do with UAF accounts. It only concerns itself with SYS$SYSTEM:VMSMAIL_PROFILE.DATA.
Entries may or might not correspond with SYSUAF entries. Often they do of course.
>> to a non-SYSTEM user, and so we want to give this user the minimal set of privileges to do this. Obvious SYSPRV is necessary to add/modify UAF accounts,
That's NOT obvious to me.
Obviously write access to SYSUAF.DAT / VMSMAIL_PROFILE.DATA is needed. One way to accomplish that is to have SYSPRV.
But ACLs can provide a fine alternative.
Now if you give someone uncontrolled write access to SYSUAF, then you have effectively given that person SETPRV / SYSPRV and it would be clearer to just give that, calling a spade a spade.
But for OpenVMS Email forwarding maintenance just allowing access through an ACE probably works fine and is not too risky. (IMHO of course)
fwiw,
Hein.
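
The ACE-based alternative suggested in the post above, sketched as an added DCL example (not code from the thread or from any poster). The identifier MAIL_FWD_ADMIN and the account HELPDESK1 are constructed names. It also assumes, as the post does, that file access to VMSMAIL_PROFILE.DATA is what the task needs, so confirm with a test account that MAIL accepts the operation on your version.

```dcl
$ ! Added example. MAIL_FWD_ADMIN and HELPDESK1 are constructed names.
$ ! Run from a suitably privileged account.
$ !
$ ! 1. Create a rights identifier for the delegated task and grant it to
$ !    the one account that maintains forwarding entries.
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER MAIL_FWD_ADMIN
GRANT/IDENTIFIER MAIL_FWD_ADMIN HELPDESK1
EXIT
$ !
$ ! 2. Record the existing protection and ACL before changing anything.
$ SHOW SECURITY SYS$SYSTEM:VMSMAIL_PROFILE.DATA
$ !
$ ! 3. Allow holders of the identifier to read and write the mail profile
$ !    only. SYSUAF.DAT is deliberately left alone: as noted above, write
$ !    access there is equivalent to handing out SETPRV / SYSPRV.
$ SET SECURITY/ACL=(IDENTIFIER=MAIL_FWD_ADMIN,ACCESS=READ+WRITE) -
      SYS$SYSTEM:VMSMAIL_PROFILE.DATA
$ !
$ ! 4. Add an audit ACE so that write attempts on the file are logged,
$ !    and make sure ACL-requested events are being audited.
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=WRITE+SUCCESS+FAILURE) -
      SYS$SYSTEM:VMSMAIL_PROFILE.DATA
$ SET AUDIT/AUDIT/ENABLE=ACL
$ !
$ ! 5. Verify the result.
$ SHOW SECURITY SYS$SYSTEM:VMSMAIL_PROFILE.DATA
```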
07-14-2009 07:20 AM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
If you don't want direct system access, maybe consider the OpenVMS Management Station :-
http://h71000.www7.hp.com/openvms/products/argus/
hth
07-14-2009 07:41 AM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
07-14-2009 07:10 PM
Re: Is SYSNAM privilege really needed for MAIL SET FORWARD /USER ?
Steve