HPE Community
Operating System - OpenVMS
1751832 Members
5376 Online
108782 Solutions
New Discussion юеВ

Restricting User to not have access to AUTHORIZE.EXE

 
Petr X
Advisor

тАО08-04-2010 05:39 AM

тАО08-04-2010 05:39 AM

Restricting User to not have access to AUTHORIZE.EXE

Hi,
I'm dealing with current issue.
User has following privileges set:

Authorized Privileges:
SYSPRV,READALL ....
and same for Default privileges.

I'm seeking for a way of how to restrict such user to be able to access AUTHORIZE.EXE image as this privileges are needed for starting up certain app, but user should not be able to access user management tool.

Is there a way of how to manage it, even with SYSPRV privilege ??

I tried it with setting up new IDENTIFIER and restricting this IDENTIFIER from accessing it, but no luck so far ....

cheers & thanks for any response.
0 Kudos
10 REPLIES 10
Jan van den Ende
Honored Contributor

тАО08-04-2010 05:50 AM

тАО08-04-2010 05:50 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

Petr,

you should go the other way around:
Create an identifier, and make allow that identifier all necessary access that is now aquired via SYSPRV.
This goes for all kunds of file access.
Then remove SYSPRV.

What exactly do you mean by "needed for starting up certain app" ?
Can the app be started once by the bootstrap?
If you can tell us exactly what function in starting the app requires SYSPRV, most likely we will be able to guide you along.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
abrsvc
Respected Contributor

тАО08-04-2010 05:53 AM

тАО08-04-2010 05:53 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

The proces has the privs to avoid any restrictions that you have put into place. I would suggest that you take a different approach and perhaps grant the privs to the application executables rather than to the account. Install the application images with the required privs needed to run. That will grant the privs for the duration of the application only.

Do you have control over the application do do the above?

Dan
0 Kudos
Petr X
Advisor

тАО08-04-2010 06:01 AM

тАО08-04-2010 06:01 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

well, it's a bit complicated;

Let me explain: first the environment is set to start certain app (lot of sub-processes) and currently it's done via user different than SYSTEM, but with already mentioned rights. I'm not allowed to change anything within this user in order to obey contract rulez ....
Customer is now requesting to create same user, who is able to start the app, but not to have access to AUTHORIZE.EXE image, so:

- I can't modify anything for current user ie, privileges, identifiers etc ....
- I think it's not possible to manage this task due to that SYSPRV privilege
-I'm seeking for a way around, if any exists ...?

cheers
0 Kudos
Petr X
Advisor

тАО08-04-2010 06:05 AM

тАО08-04-2010 06:05 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

Yo Dan,
no, unfortunately I'm not allowed to change anything for the user who starts the app. As I wrote before I do have environment set = user has rights mentioned before, I need copy of this user (new user), but even if this user has SYSPRV privilege, it should not be able to access authoirze.exe image.
And the very question is, if this is even possible

cheers
0 Kudos
Jan van den Ende
Honored Contributor

тАО08-04-2010 06:21 AM

тАО08-04-2010 06:21 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

Petr,

>>>
And the very question is, if this is even possible
<<<

Short (and absolute, unchangeable) answer:
NO

Designed to be so starting at VMS 1.0

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Petr X
Advisor

тАО08-04-2010 06:59 AM

тАО08-04-2010 06:59 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

I thought so .....

thanks for your response.

cheers
Petr
0 Kudos
Petr X
Advisor

тАО08-04-2010 07:00 AM

тАО08-04-2010 07:00 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

Question answered.
0 Kudos
Craig A
Valued Contributor

тАО08-04-2010 07:26 AM

тАО08-04-2010 07:26 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

Are we totally sure that SYSPRV holders cannot be restricted to use AUTHORIZE.EXE and, by definition, SYSUAF.DAT?

Off the top of my head:

1. Create UAF$DENY identifier
2. Add hidden ACE TO SYSUAF.DAT:
IDENT=UAF$DENY, ACCESS=NONE
3. Grant UAF$DENY to those users who you do not want to access SYSUAF.DAT

It would be prudent to add in additional security audits to track attempts to circumvent the above.

Unfortunately, I do not have acesss ATM to the system I last set this up for.

HTH

Craig.

0 Kudos
Hoff
Honored Contributor

тАО08-04-2010 08:49 AM

тАО08-04-2010 08:49 AM

Re: Restricting User to not have access to AUTHORIZE.EXE

Privileges are a fundamental access control mechanism of VMS.

There are no privileges and no mechanisms that control the (ALL-class) privileges, and SYSPRV and READALL are ALL-class privileges.

The control mechanism is the privilege.

Reductio ad absurdum.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.