08-04-2010 05:39 AM
Restricting User to not have access to AUTHORIZE.EXE
I'm dealing with the following issue.
The user has the following privileges set:
Authorized Privileges:
SYSPRV,READALL ....
and same for Default privileges.
I'm seeking a way to restrict such a user from being able to access the AUTHORIZE.EXE image, as these privileges are needed for starting up a certain app, but the user should not be able to access the user management tool.
Is there a way to manage it, even with the SYSPRV privilege?
I tried setting up a new IDENTIFIER and restricting this IDENTIFIER from accessing it, but no luck so far ....
cheers & thanks for any response.
08-04-2010 05:50 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
You should go the other way around:
Create an identifier, and allow that identifier all necessary access that is now acquired via SYSPRV.
This goes for all kinds of file access.
Then remove SYSPRV.
What exactly do you mean by "needed for starting up certain app" ?
Can the app be started once by the bootstrap?
If you can tell us exactly what function in starting the app requires SYSPRV, most likely we will be able to guide you along.
Proost.
Have one on me.
jpe
08-04-2010 05:53 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
Do you have control over the application to do the above?
Dan
08-04-2010 06:01 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
Let me explain: first, the environment is set up to start a certain app (a lot of sub-processes), and currently this is done via a user other than SYSTEM, but with the already mentioned rights. I'm not allowed to change anything for this user, in order to obey the contract rules ....
The customer is now requesting the creation of the same user, one who is able to start the app but does not have access to the AUTHORIZE.EXE image, so:
- I can't modify anything for the current user, i.e. privileges, identifiers etc ....
- I think it's not possible to manage this task due to that SYSPRV privilege
- I'm seeking a way around, if any exists ...?
cheers
08-04-2010 06:05 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
No, unfortunately I'm not allowed to change anything for the user who starts the app. As I wrote before, I do have the environment set = the user has the rights mentioned before. I need a copy of this user (a new user), but even if this user has the SYSPRV privilege, it should not be able to access the authorize.exe image.
And the very question is, if this is even possible
cheers
08-04-2010 06:21 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
>>>
And the very question is, if this is even possible
<<<
Short (and absolute, unchangeable) answer:
NO
Designed to be so starting at VMS 1.0
Proost.
Have one on me.
jpe
08-04-2010 06:59 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
thanks for your response.
cheers
Petr
08-04-2010 07:26 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
Off the top of my head:
1. Create UAF$DENY identifier
2. Add hidden ACE to SYSUAF.DAT:
IDENT=UAF$DENY, ACCESS=NONE
3. Grant UAF$DENY to those users who you do not want to access SYSUAF.DAT
It would be prudent to add in additional security audits to track attempts to circumvent the above.
Unfortunately, I do not have access ATM to the system I last set this up for.
HTH
Craig.
08-04-2010 08:49 AM
Re: Restricting User to not have access to AUTHORIZE.EXE
There are no privileges and no mechanisms that control the (ALL-class) privileges, and SYSPRV and READALL are ALL-class privileges.
The control mechanism is the privilege.
Reductio ad absurdum.
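
Added example, not code from any poster in this thread: a simplified Python model of the OpenVMS file access check (ACL first, then the protection code, then privileges), showing how the UAF$DENY ACE proposed above interacts with the SYSPRV and READALL privileges discussed in the last reply. The protection mask, the user names, the second identifier UAF$ADMIN and the reduction of the check to these three steps are assumptions made for illustration.

```python
# Added illustration: simplified model of the OpenVMS file access check.
# Modelled order: ACL, then protection code, then privileges. Group access,
# GRPPRV and CONTROL access are left out. All names and masks are constructed.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    identifiers: set = field(default_factory=set)
    privileges: set = field(default_factory=set)
    is_owner: bool = False

def check_access(user, protection, acl, want):
    """Return (granted, reason) for one access type such as 'R' or 'W'."""
    acl_denied = False
    for ident, allowed in acl:        # first matching ACE decides the ACL step
        if ident in user.identifiers:
            if want in allowed:
                return True, "ACE " + ident
            acl_denied = True
            break
    # A deny ACE only removes the world fallback; the system and owner
    # fields of the protection code are still consulted afterwards.
    categories = ["system"] if "SYSPRV" in user.privileges else []
    if user.is_owner:
        categories.append("owner")
    if not acl_denied:
        categories.append("world")
    for cat in categories:
        if want in protection.get(cat, ""):
            return True, "protection " + cat
    if "BYPASS" in user.privileges:
        return True, "privilege BYPASS"
    if want == "R" and "READALL" in user.privileges:
        return True, "privilege READALL"
    return False, ("deny ACE" if acl_denied else "no access")

# Constructed stand-in for SYSUAF.DAT: assumed mask plus the thread's deny ACE.
# UAF$ADMIN is a hypothetical second identifier, used to show ACE ordering.
PROTECTION = {"system": "RWED", "owner": "RWED", "world": ""}
ACL = [("UAF$DENY", ""), ("UAF$ADMIN", "RW")]
USERS = [
    User("OPERATOR", {"UAF$DENY", "UAF$ADMIN"}),
    User("AUDITOR", {"UAF$DENY"}, {"READALL"}),
    User("APPUSER", {"UAF$DENY"}, {"SYSPRV", "READALL"}),
]

def results():
    return {(u.name, w): check_access(u, PROTECTION, ACL, w)
            for u in USERS for w in "RW"}
```

In this model the deny ACE is effective only for OPERATOR, who holds no privileges; AUDITOR still reads through READALL, and APPUSER gets full access through the system field via SYSPRV.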