I wrote a little dcl procedure that turned on/off different privs and tried to ping with different privs. Here are the results.
Default privs are...
acnt,cmexec,cmkrnl,group,grpnam,grpprv,tmpmbx,netmbx,prmmbx -
,oper,phy_io
It works with Bypass, Sysnam, and Sysprv. So, Bypass and Sysprv are no surprises, but Sysnam might be telling us that it's failing trying to insert or delete a record into the system logical name table. Does Ping and/or SFTP try to insert or delete entries into the logical name table?
Bingo!!!!
I searched the logical name table to an output file. Then I issued a ping command and listed the contents of the logical name table again while the ping was running and diff'd the system logical name table.
$ show log/table=LNM$SYSTEM_TABLE/out=temp.log
$ show log/table=LNM$SYSTEM_TABLE/out=temp.log
$ diff temp.log
************
File SYS$SYSROOT:[SYSMGR]TEMP.LOG;12
101 "DCL$ATTACH_205ED90E" = "MBA14833:"
102 "DCXSHR_TV" = "DCXSHR"
******
File SYS$SYSROOT:[SYSMGR]TEMP.LOG;11
101 "DCXSHR_TV" = "DCXSHR"
************
Number of difference sections found: 1
Number of difference records found: 1
Ok, so, just to make sure, the process ID for the new logical value does reference the process I was issuing the ping command from.
2-OCT-2008 11:45:09.52 User: SYS_CALHOUN Process ID: 205ED90E
This would probably explain why we were not seeing any audit alarms because I dont think we were watching failures to the logical name table.
I checked the security on the LNT and it looks the same on the systems where it works and those that don├в t.
$ show sec/object=logical_name_table lnm$system_table
LNM$SYSTEM_TABLE object of class LOGICAL_NAME_TABLE
Owner: [SYSTEM_GROUP,SYSTEM]
Protection: (System: RWC, Owner: RWC, Group: R, World: R)
Access Control List:
Now, this reminded me of something the developers had me put in place for one of their Apache processes to work.
$ define/super/table=LNM$SYSTEM_DIRECTORY LNM$TEMPORARY_MAILBOX LNM$SYSTEM
Yes, this is exactly the problem. Because we have a logical defined that points any temporary mailbox logical names into the system logical name table, non privileged users without sysnam fail to successfully issue ping or sftp commands.
Ok, lets look at our options then.
We put this in place so that processes generated by connections to the Apache Web Server could create mailboxes that could also be seen by processes running under a different UIC Group. (please understand Im pulling this from memory when we implemented it several years ago).
CHARLIE CALHOUN APACHE$WWW [373,1] AP_HTTPD All 4 APACHE$ROOT:[000000]
CLIENT LOGIN ACCNT ICS_LOGIN [400,2] ECP All 5 $1$DGA89:[ECP.LIVE.ACS.LOGIN]
So, I know I have a few options.
1. Change the logical back to the way it was. But, this will break our Apache processes. Not really an option.
2. Grant the accounts that need to run sftp SYSNAM. This would probably be acceptable, but not preferred for security.
3. Grant a new identifier to the accounts that use sftp and add a write ACE with that identifier to the system logical name table.
4. Define LNM$TEMPORARY_MAILBOX to point to a different logical name table and configure security so that both UIC groups have write access to that table. This would require us to test our software again.
I implemented option 2 in the short term but I'm going to go with option 3 as a long term solution and document why there is an ACL on the System Logical Name Table in case I die or something.
Thanks for all the help from everyone and sorry for taking so long to get my resolution posted back to the thread.
