
Spawn

Hi,

I have installed the same project with the same settings (software/UIC/UAF accounts etc.) on 5 different machines. On one machine, a SPAWN command for a user account with only NETMBX and TMPMBX does not work, e.g. it gives the error message:

%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

The account has PRCLM set to 10 in UAF and no further UAF settings that could cause problems - as far as I can see.

Can anybody tell me which other parameter could possibly cause this protection violation?

Your help is much appreciated.

Petran.
Wim Van den Wyngaert
Honored Contributor

Re: Spawn

(enable audit if needed and) do anal/aud to see what is the problem.

Wim
Wim
Mike Reznak
Trusted Contributor

Re: Spawn

Hi,

Also MAXACCTJOBS, MAXDETACH, MAXJOBS matter. But -F-NOPRIV messages don't seem to point to this issue.

Mike
...and I think to myself, what a wonderful world ;o)
Jan van den Ende
Honored Contributor

Re: Spawn

Petran,

This can be (but need not be) caused by the setting of the SYSGEN param SECURITY_POLICY.

Compare the values on the different machines, and if they are not equal, do a SYSGEN HELP SYS_PAR SECURITY to find out about the various possibilities.

Again, this could be the issue, but it is not certain.

hth,

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.

Re: Spawn

Hi,

Thanks for your replies so far.

Mike,
MAXACCTJOBS, MAXDETACH, MAXJOBS are all 0 on all configurations so that should not be causing the trouble.

Jan,
The SYSGEN param SECURITY_POLICY is set to 7 on all configurations. As far as I can judge, only bit 6 to allow SPAWN in CAPTIVE accounts matters, but we don't have the captive flag set so this should not be causing trouble.

I will try to see if I can get any info via audit as Wim suggested but I have to figure out how this works first....

So in the meantime, I am still open for any suggestions.

Thanks,

Petran.
Mike Reznak
Trusted Contributor

Re: Spawn

For Audit:

$ SHOW AUDIT shows you what audits and alarms are set.

For tracing a problem like this it is good to have alarms enabled. Then, after you enable OPCOM security messages with $ REPLY/ENABLE=SECURITY, you will see the messages on the terminal screen. But do not use alarms when you create hundreds of subprocesses in a minute. Then it's better to enable audits and analyze the audit file afterwards.

To enable alarms for subprocesses:
$ SET AUDIT/ALARM/ENABLE=(LOGIN=SUBPROCESS,LOGFAILURE=SUBPROCESS)

To enable audits for subprocesses:
$ SET AUDIT/AUDIT/ENABLE=(LOGIN=SUBPROCESS,LOGFAILURE=SUBPROCESS)

To disable it, use /DISABLE= instead of /ENABLE=.

Mike
...and I think to myself, what a wonderful world ;o)

Re: Spawn

Hi,

Mike, I used the audit commands as you suggested but it does not generate an event if I try a spawn.

I did find out that if I give the account SYSPRV, the spawn command works....

Are there any access restrictions to the executable implementing the $SPAWN command?

Thanks,

Petran.
Uwe Zessin
Honored Contributor

Re: Spawn

What I have seen in the past was some very concerned system manager, who thought it was a good idea to remove read-access from files like F11BXQP.EXE.
.
Wim Van den Wyngaert
Honored Contributor

Re: Spawn

Petran,

I guess your spawn failed before it was created. You should audit your file operations:
$ set audit/audit/enable=(access=failure:(read,write,execute,delete,control))

I checked all accesses done by spawn:
(with userid of spawner)
RE on loginout.exe
RE on dcl.exe
RE on dcltables.exe
RE on cliutlmsg.exe

Wim
Wim
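
Added example, not part of the thread or any poster's own code: a DCL command procedure that reports owner and protection for the four images listed in the post above and flags any for which WORLD lacks read or execute access. The directory logicals (SYS$SYSTEM, SYS$LIBRARY, SYS$MESSAGE) are assumed standard locations, and it is assumed to run from a privileged account so the file headers can be read.

```dcl
$! Added example: check the images a SPAWN needs, as listed in the post above.
$! Assumption: the files are in their standard locations.
$! Assumption: run from a privileged account, then compare with a working node.
$ files = "SYS$SYSTEM:LOGINOUT.EXE,SYS$SYSTEM:DCL.EXE," + -
          "SYS$LIBRARY:DCLTABLES.EXE,SYS$MESSAGE:CLIUTLMSG.EXE"
$ i = 0
$ bad = 0
$loop:
$ f = F$ELEMENT(i, ",", files)
$ IF f .EQS. "," THEN GOTO done          ! F$ELEMENT returns the delimiter past the end
$ i = i + 1
$ IF F$SEARCH(f) .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT f, " : not found or not visible"
$   bad = bad + 1
$   GOTO loop
$ ENDIF
$ pro = F$FILE_ATTRIBUTES(f, "PRO")       ! e.g. SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=RE
$ own = F$FILE_ATTRIBUTES(f, "UIC")
$! Fourth comma-separated field is the WORLD entry; take the access letters after "="
$ world = F$EDIT(F$ELEMENT(3, ",", pro), "COLLAPSE,UPCASE")
$ acc = F$ELEMENT(1, "=", world)          ! "=" or "" when WORLD has no access at all
$ verdict = "ok"
$ IF F$LOCATE("R", acc) .EQ. F$LENGTH(acc) .OR. -
     F$LOCATE("E", acc) .EQ. F$LENGTH(acc)
$ THEN
$   verdict = "*** WORLD lacks R or E ***"
$   bad = bad + 1
$ ENDIF
$ WRITE SYS$OUTPUT f, "  owner=", own, "  (", pro, ")  ", verdict
$ GOTO loop
$done:
$ WRITE SYS$OUTPUT "Files needing attention: ", bad
$ EXIT
```

The procedure looks only at the UIC-based protection mask; an ACL on a file can still deny access, which DIRECTORY/SECURITY would show.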
John Gillings
Honored Contributor

Re: Spawn

Petran,
(WARNING - be careful doing this on a busy system, you could get a whole lot of output!)

Try this, make sure you have plenty of scroll back on your terminal:

$ REPLY/ENABLE=SECURITY
$ SET AUDIT/ALARM/ENABLE=PRIVILEGE=FAILURE=ALL

Now try your unprivileged SPAWN.

Afterwards issue:

$ SET AUDIT/ALARM/DISABLE=PRIVILEGE=FAILURE=ALL

to stop the noise.

If that doesn't help, then try

$ REPLY/ENABLE=SECURITY
$ SET AUDIT/ALARM/ENABLE=PRIVILEGE=SUCCESS=ALL

Now issue your SPAWN from the SYSPRV account and see what SYSPRV is used for. It should also tell you if the NOPRIV is from the parent or the subprocess.

Don't forget

$ SET AUDIT/ALARM/DISABLE=PRIVILEGE=SUCCESS=ALL

to quiet things down.
A crucible of informative mistakes