12-09-2008 12:52 AM
The user who submits the job holds the following privileges:
Authorized Privileges:
CMKRNL GRPNAM NETMBX OPER TMPMBX
Default Privileges:
CMEXEC CMKRNL GRPNAM NETMBX OPER TMPMBX
Whenever I submit the job I receive the following error:
%SUBMIT-F-INVQUAVAL, value 'APB123' invalid for /USER qualifier
-RMS-E-PRV, insufficient privilege or file protection violation
What privilege do I need to set so that the job can be submitted?
12-09-2008 01:03 AM
Re: Submit
You (also) need to be able to READ the authorization file.
SYSPRV is one way to achieve that.
Proost.
Have one on me.
jpe
12-09-2008 01:23 AM
Re: Submit
But the user is an operator; SYSPRV would not get approved.
Any other way?
Thanks
12-09-2008 02:43 AM
Re: Submit
Requires CMKRNL (change mode to kernel) privilege and read (R)
and write (W) access to the user authorization file (UAF).
If you can do a submit/user=privileged_user, then why not submit a .com file doing
$ mc authorize copy system xxx/pass=yyy
Doing this is the same as giving full privileges.
12-09-2008 02:45 AM
Re: Submit
"SYSPRV would not be approved"
But if a user has CMEXEC and CMKRNL, then he can always get SYSPRV with a little programming.
So what kind of security policy is this? Ignorant?
12-09-2008 02:45 AM
Well, _SYSPRV_ would not be approved for users that have _CMKRNL_??
That is like a bow and arrow being considered too dangerous for someone who usually only carries an AK47....
But, since you are stuck with this, you could also set an ACL on SYSUAF that grants READ access to the operator(s).
hth
Proost.
Have one on me.
jpe
12-09-2008 04:08 AM
Re: Submit
Note: As Labadie has noted, the HELP text indicates that Read AND Write Access are needed to the UAF.
The policy that operators do not have SYSPRV is all well and good, BUT giving them Write access to the UAF is "SYSPRV in one extra step" (A reference to chess terminology is appropriate: "Mate in one").
There are several better options for implementing this:
- set up a captive account that can be logged in and submit the job.
- use a daemon process/batch job that executes on a regular basis and checks for the presence of a work request in a file.
- (more complex) create an image that only is able to submit that task, and install that image with CMKRNL. Protect that image with an ACL, and have it automatically log its use to the audit and accounting files.
- Bob Gezelter, http://www.rlgsc.com
12-09-2008 04:46 AM
Re: Submit
SUBMIT/HOLD the job from a privileged account once.
Insert a resubmit of itself as the first action of the job.
Then let the operator SET ENTRY/RELEASE the job when needed. (set the necessary protection on the job or queue, by default OPERATOR privilege allows it.)
If the operator is not skilled enough to find the entry number, put the /release command into another command-file, which searches for the particular job/entry number first.
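The SUBMIT/HOLD approach described above, sketched in DCL as an added example that is not part of the original post: a self-resubmitting job plus the operator's release procedure that looks up the entry number itself. The procedure names, the job name PRIVJOB and the queue SYS$BATCH are assumptions; APB123 is the /USER value from the question.

```dcl
$! ---- PRIVJOB.COM (hypothetical name). The privileged owner submits it once:
$!        $ SUBMIT/HOLD/NAME=PRIVJOB/QUEUE=SYS$BATCH PRIVJOB.COM
$! First action: queue the next held copy of this procedure, so that an
$! entry is always waiting for the operator to release.
$ SUBMIT/HOLD/NAME=PRIVJOB/QUEUE=SYS$BATCH 'F$ENVIRONMENT("PROCEDURE")'
$! ... the privileged work goes here ...
$ EXIT
$!
$! ---- RELEASE_PRIVJOB.COM (hypothetical name), run by the operator (OPER).
$! Releases only a held entry with the expected job name AND owner, so a
$! look-alike job submitted under another username is never picked up.
$ wanted_job  = "PRIVJOB"           ! assumed job name
$ wanted_user = "APB123"            ! owner of the held job
$ temp = F$GETQUI("")               ! reset any earlier wildcard context
$QLOOP:
$ qname = F$GETQUI("DISPLAY_QUEUE","QUEUE_NAME","*","BATCH")
$ IF qname .EQS. "" THEN GOTO NOT_FOUND
$JLOOP:
$ noaccess = F$GETQUI("DISPLAY_JOB","JOB_INACCESSIBLE",,"ALL_JOBS")
$ IF noaccess .EQS. "TRUE" THEN GOTO JLOOP
$ IF noaccess .EQS. "" THEN GOTO QLOOP      ! no more jobs in this queue
$ jname = F$GETQUI("DISPLAY_JOB","JOB_NAME",,"FREEZE_CONTEXT")
$ IF jname .NES. wanted_job THEN GOTO JLOOP
$ juser = F$EDIT(F$GETQUI("DISPLAY_JOB","USERNAME",,"FREEZE_CONTEXT"),"TRIM,UPCASE")
$ IF juser .NES. wanted_user THEN GOTO JLOOP
$ held = F$GETQUI("DISPLAY_JOB","JOB_HOLDING",,"FREEZE_CONTEXT")
$ IF held .NES. "TRUE" THEN GOTO JLOOP
$ entry = F$GETQUI("DISPLAY_JOB","ENTRY_NUMBER",,"FREEZE_CONTEXT")
$ temp = F$GETQUI("CANCEL_OPERATION")       ! drop the wildcard context
$ SET ENTRY/RELEASE 'entry'
$ WRITE SYS$OUTPUT "Released entry ", entry, " (", wanted_job, ")"
$ EXIT
$NOT_FOUND:
$ WRITE SYS$OUTPUT "No held ", wanted_job, " entry owned by ", wanted_user
$ EXIT
```

With this arrangement the operator never needs /USER, so no access to the UAF is granted; what the job does is fixed by whoever owns PRIVJOB.COM, which should be writable only by that account.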
12-09-2008 04:51 AM
Re: Submit
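int sys$setprv(), sys$cmexec();

int main(int argc, char *argv[]) {
    __int64 privs = 1 << 28;    /* privilege mask: bit 28 = SYSPRV */
    /* argument list for sys$setprv: count, enbflg, prvadr, prmflg, prvprv */
    int args[] = { 4, 1, (int) &privs, 1, 0 };
    /* call sys$setprv from executive mode (requires CMEXEC) */
    return sys$cmexec(&sys$setprv, args);
}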
No C compiler on the production box?
$create tmp.mar
        .entry  start, 0
        callg   args1, g^sys$cmexec
        ret
        .psect  data,noexe
args1:  .long   2, sys$setprv, args2
args2:  .long   4, 1, privs, 1, 0
privs:  .long   1@28, 0
        .end    start
$macro tmp
$link tmp
$run tmp
$delete tmp.*;
Best regards,
Hein.
12-09-2008 05:06 AM
Re: Submit
If you need more than a few specific privileged jobs to be executed from a less privileged operator, you could set up a privileged "worker" job, doing:
1. Create a system-/cluster-wide mailbox, where it receives commands from operators/users.
2. Loop on reading commands from the mailbox.
3. Verify/dispatch/execute the actions requested in the message.
Since mailboxes also allow getting the sender identification, all kinds of protection can be established here.
(3a. Notify the sender about success/error.)
4. Loop at 2.
(Almost) all this can be programmed in DCL.