- Community Home
- >
- Servers and Operating Systems
- >
- Operating System - OpenVMS
- >
- Privileges needed for DCL SPAWN command?
-
-
Categories
- Topics
- Hybrid IT with Cloud
- Mobile & IoT
- IT for Data & Analytics
- Transformation
- Strategy and Technology
- Products
- Cloud
- Integrated Systems
- Networking
- Servers and Operating Systems
- Services
- Storage
- Company
- Events
- Partner Solutions and Certifications
- Welcome
- Welcome
- Announcements
- Tips and Tricks
- Feedback
-
Blogs
- Alliances
- Around the Storage Block
- Behind the scenes @ Labs
- Converged Data Center Infrastructure
- Digital Transformation
- Grounded in the Cloud
- HPE Careers
- HPE Storage Tech Insiders
- Infrastructure Insights
- Inspiring Progress
- Internet of Things (IoT)
- My Learning Certification
- Networking
- OEM Solutions
- Servers: The Right Compute
- Telecom IQ
- Transforming IT
-
Quick Links
- Community
- Getting Started
- FAQ
- Ranking Overview
- Rules of Participation
- Contact
- Email us
- Tell us what you think
- Information Libraries
- Integrated Systems
- Networking
- Servers
- Storage
- Other HPE Sites
- Support Center
- Enterprise.nxt
- Marketplace
- Aruba Airheads Community
-
Categories
-
Forums
-
Blogs
-
InformationEnglish
Privileges needed for DCL SPAWN command?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-26-2010 09:08 AM
07-26-2010 09:08 AM
Privileges needed for DCL SPAWN command?
Privileges needed for DCL SPAWN command?
Username: TEST Owner: VMS Account for testing
Account: UIC: [201,1] ([TEST_USERS,TEST])
CLI: DCL Tables: DCLTABLES
Default: USER_ROOT:[TEST_Users.test]
LGICMD:
Flags: PwdMix
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none) Pwdchange: (pre-expired)
Last Login: 26-JUL-2010 12:14 (interactive), 23-JUL-2010 16:03 (non-interactive)
Maxjobs: 0 Fillm: 128 Bytlm: 800000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 1000 JTquota: 8192
Prclm: 20 DIOlm: 1000 WSdef: 4096
Prio: 4 ASTlm: 300 WSquo: 8192
Queprio: 4 TQElm: 100 WSextent: 16384
CPU: (none) Enqlm: 4000 Pgflquo: 2000000
Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX
Identifier Value Attributes
IQWARE_USER %X80010014
When I login using this user's account, I get the following error message when attempting to use the DCL SPAWN command in its simplest form:
$ set host 0
Welcome to IQware's ES45 Development System #1 OpenVMS (TM) Alpha Operating System, Version V8.3
Username: TEST
Password:
Welcome to OpenVMS (TM) Alpha Operating System, Version V8.3 on node IQDEV1
Last interactive login on Monday, 26-JUL-2010 12:31:28.96
Last non-interactive login on Friday, 23-JUL-2010 16:03:20.44
1 failure since last successful login
$ SPAWN
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
$ logout
TEST logged out at 26-JUL-2010 13:01:21.79
%REM-S-END, control returned to node LOCAL:.IQDEV1::
Is there a new privilege needed for a process to use the SPAWN command?
Thanks in advance for any wisdom,
Eric
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-26-2010 09:20 AM
07-26-2010 09:20 AM
Re: Privileges needed for DCL SPAWN command?
Re: Privileges needed for DCL SPAWN command?
> special privilege to use the DCL SPAWN
> command.
That may be because none is needed.
alp $ show proc /priv
26-JUL-2010 12:13:43.25 User: SMS Process ID: 20208D7F
Node: ALP Process name: "SMS_1618"
Authorized privileges:
NETMBX TMPMBX
Process privileges:
NETMBX may create network device
TMPMBX may create temporary mailbox
[...]
alp $ spawn
%DCL-S-SPAWNED, process SMS_12749 spawned
%DCL-S-ATTACHED, terminal now attached to process SMS_12749
> $ SPAWN
show symbol spawn
> Is there a new privilege needed [...]
Define "new".
alp $ write sys$output f$getsyi( "version")
V8.3
I know nothing, but I can imagine that the
protections could have been damaged on some
program or other file, or that something
which needs to be INSTALLed with privileges
wasn't.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-26-2010 09:25 AM
07-26-2010 09:25 AM
Re: Privileges needed for DCL SPAWN command?
Re: Privileges needed for DCL SPAWN command?
The important controls for 'spawn' are the CAPTIVE and RESTRICTED flags in the authorization record. Neither is in play it seems.
And one needs TMPMBX, which is there in authorize. Is it still there after (sy)login?
Do a SHOW PROC/PRIV !?
Is the SPAWN command clean?
No symbol defined for it?
My WAG is a bad definition for the logical name: LNM$TEMPORARY_MAILBOX
See: http://h71000.www7.hp.com/doc/84final/4527/4527pro_024.html#jun_143
If the problem persists, then it would not hurt to check the LIB$SPAWN doc for clues:
http://h71000.www7.hp.com/doc/82final/5932/5932pro_045.html#spawn
And I'd use SET WATCH /CLA=MAJOR to see if the spawn is trying to touch a file it can not.... but that needs CMKRNL.
hth,
Hein
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-26-2010 02:05 PM
07-26-2010 02:05 PM
Re: Privileges needed for DCL SPAWN command?
Re: Privileges needed for DCL SPAWN command?
You should only need TMPMBX to create the temporary mailbox your process uses to talk to the subprocess, but check:
$ show log/table=*directory* lnm$temp*
The default is:
(LNM$SYSTEM_DIRECTORY)
"LNM$TEMPORARY_MAILBOX" = "LNM$JOB"
but if redefined anywhere else, you will need privilege to write into the target logical name table. You can force it back with:
$ DEFINE/TABLE=LNM$PROCESS_DIRECTORY LNM$TEMPORARY_MAILBOX LNM$JOB
If that doesn't help, use auditing.
$ REPLY/ENABLE=SECURITY
$ SET AUDIT/ALARM /ENABLE=PRIVILEGE=FAILURE=ALL
Warning - this might be noisy. Maybe have a disable command typed and ready to hit ENTER on another terminal:
$ SET AUDIT/ALARM /DISABLE=PRIVILEGE=FAILURE=ALL
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-28-2010 12:57 PM
07-28-2010 12:57 PM
Re: Privileges needed for DCL SPAWN command?
Re: Privileges needed for DCL SPAWN command?
Thanks for the clues!
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-28-2010 12:58 PM
07-28-2010 12:58 PM
Re: Privileges needed for DCL SPAWN command?
Re: Privileges needed for DCL SPAWN command?
Hewlett Packard Enterprise International
- Communities
- HPE Blogs and Forum
© Copyright 2018 Hewlett Packard Enterprise Development LP