- Re: System security
11-30-2009 10:06 PM
I need to set delete permission for the test user, who belongs to group [200,*]. There are four test users in the [200,*] group: test, test1, test2 and test3. There is a file SYS$SYSROOT:[SYSMGR]apps.com and its permission is as below:
$ dir/sec SYS$SYSROOT:[SYSMGR]apps.com
Directory SYS$SYSROOT:[SYSMGR]
apps.com;1 [SYSTEM] (RWED,RWED,RWED,RWE)
Now I need to set delete permission for the user test but not for the whole group, so for that I used an ACL, but I am still unable to delete the apps.com file.
$ set security/acl=(identifier=[test],access=read+write+execute+delete) apps.com
When I logged in as the test user and tried to delete the file, it threw the error "insufficient privilege".
Could you please suggest whether I need to use any ACL qualifier?
Regards,
Sumant
11-30-2009 10:21 PM
Re: System security
a new "dire /secu" command. Also, the actual
"delete" command (and its actual error
message).
11-30-2009 10:52 PM
Re: System security
DELETE
file
Deletes one or more files from a mass storage disk volume.
Requires delete (D) access to the file and write (W) access to
the parent directory. If the target file is itself a directory,
the directory must be empty.
[...]
Write access to the file's parent directory?
11-30-2009 10:57 PM
Solution
If what you are showing us is actual output, that file will be
sys$specific:[000000]sysmgr.dir
or to determine absolute path:
$ TOPSYS = F$TRNLNM("SYS$TOPSYS")
$ DIR/SEC SYS$SYSDEVICE:['TOPSYS']SYSMGR.DIR
I would recommend moving APPS.COM out of SYS$MANAGER. In general it is best not to hand out write access to this directory.
See the guide to system security - chapter 8.
12-01-2009 12:55 AM
Re: System security
As has been noted, access to the directory is required so that the file's directory entry can be removed.
Please note that this is a good reason to move such files out of the SYS$SYSROOT:[SYSMGR] directory. Giving a user sufficient access to manipulate this file ALSO gives them sufficient privilege to disrupt that directory.
Since that directory is critical to system operation, I would strongly counsel moving that file to a different directory. This prevents accidental collateral damage.
- Bob Gezelter, http://www.rlgsc.com
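The rule quoted from HELP DELETE and restated in the replies above (D access to the file, W access to the parent directory), as an added example that is not part of any post in this thread: a simplified Python model of the check, run against the protection and ACE shown for APPS.COM. The UIC member numbers, the protection on SYSMGR.DIR, the APPS.DIR directory and the system-group limit of 8 (the usual MAXSYSGROUP default) are assumptions, since the thread does not show them.

```python
# Simplified model of the OpenVMS file access check (added example).
# Assumptions: privileges (BYPASS, SYSPRV, ...) are ignored, and a matching ACE
# that lacks the requested access simply denies (no system/owner fallback).
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    owner: tuple                               # UIC as (group, member)
    prot: str                                  # "(S,O,G,W)" as DIR/SECURITY prints it
    acl: list = field(default_factory=list)    # [(identifier, "RWED" letters)]

@dataclass
class User:
    uic: tuple
    ids: set                                   # identifiers held, username included

def categories(user, obj, max_sysgroup=8):
    """Indexes into the (S,O,G,W) fields that apply to this user."""
    cats = [3]                                 # world always applies
    if user.uic[0] == obj.owner[0]:
        cats.append(2)                         # same UIC group as the owner
    if user.uic == obj.owner:
        cats.append(1)
    if user.uic[0] <= max_sysgroup:
        cats.append(0)                         # system-group UIC
    return cats

def allowed(user, obj, access):
    for ident, rights in obj.acl:              # first matching ACE decides
        if ident in user.ids:
            return access in rights
    fields = obj.prot.strip("()").split(",")
    return any(access in fields[c] for c in categories(user, obj))

def can_delete(user, file, parent_dir):
    """DELETE needs D on the file and W on the parent directory."""
    missing = []
    if not allowed(user, file, "D"):
        missing.append(f"D on {file.name}")
    if not allowed(user, parent_dir, "W"):
        missing.append(f"W on {parent_dir.name}")
    return missing                             # empty list: the delete is allowed

SYSTEM = (1, 4)                                # [SYSTEM] is conventionally UIC [1,4]
test, test1 = User((0o200, 1), {"TEST"}), User((0o200, 2), {"TEST1"})  # members constructed
apps = Obj("APPS.COM", SYSTEM, "(RWED,RWED,RWED,RE)", [("TEST", "RWED")])  # from the thread
sysmgr = Obj("SYSMGR.DIR", SYSTEM, "(RWE,RWE,RE,RE)")   # constructed; not shown in the thread
appdir = Obj("APPS.DIR", SYSTEM, "(RWE,RWE,RE,)", [("TEST", "RWE")])  # constructed directory
```

`can_delete(test, apps, sysmgr)` reports the missing W on SYSMGR.DIR even though the ACE on the file grants D. With the file in a dedicated directory that carries its own ACE, the same call returns an empty list for TEST while TEST1 is still refused.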
12-01-2009 05:54 AM
Re: System security
Here's a short write-up on how to set up a resource identifier and the related security and (if needed) disk quotas for a shared project directory:
http://labs.hoffmanlabs.com/node/1450
This example shows delete access for the resource identifier. In your specific case, you'd likely look to remove that access from both the default protection ACE and the protection ACE, and to add a parallel default protection ACE and protection ACE for the specific user (or probably better, for a user with a specific identifier) that allowed delete access. These two ACEs almost exactly parallel the ACEs shown in the cited example, though would be for, say, FOO_MANAGE identifier.
OpenVMS resource identifiers differ from standard security identifiers in the assignment of ownership and the ability to associate (if needed) a disk quota entry with identifier.
12-01-2009 12:45 PM
Re: System security
To diagnose any file manipulation command which fails with "insufficient privilege",
open a new window and enable it as a security operator console (needs OPER and SECURITY privilege)
$ REPLY/ENABLE=SECURITY
Now enable audit alarms of file access failures:
(needs SECURITY privilege)
$ SET AUDIT/ALARM=ENABLE=FILE=FAIL=ALL
Now repeat your failing command.
This should generate an audit alarm telling you exactly which file is failing, what type of access has been requested, and why it's failing. It's often not the file you think it is.
12-01-2009 11:47 PM
Re: System security
Directory SYS$SYSROOT:[SYSMGR]
Apps.com;1 [SYSTEM] (RWED,RWED,RWED,RWE)
(IDENTIFIER=[TEST],ACCESS=READ+WRITE+EXECUTE+DELETE)
Regards,
Sumant
12-02-2009 12:54 AM
Re: System security
Apps.com;1 [SYSTEM] (RWED,RWED,RWED,RWE)
has WORLD WRITE access!
I hope this is not the default protection of the owner SYSTEM !
Check with SHOW PROTECTION.
12-02-2009 01:26 AM
Re: System security
$ dir apps.com/sec
Directory SYS$SYSROOT:[SYSMGR]
APPS.COM;1 [SYSTEM] (RWED,RWED,RWED,RE)
(IDENTIFIER=[TEST],ACCESS=READ+WRITE+EXECUTE+DELETE)
Regards,
Sumant