- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: insuffcient priviledge or object protection vi...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-02-2008 05:05 AM
тАО04-02-2008 05:05 AM
insuffcient priviledge or object protection violation
We set up several low privileged accounts that cannot start an application. The default and authorized priviledges are NETMBX and TMPMBX
All higher privileged users can start this application no problem. Since they were setup with ALL Authorized and Default privilidges.
This application must access images. One of the live images is called CNTSEC.EXE. (developed in-house).
The installable images command procedure has the following:
$install ADD mdtsys:[exe]cntsec.exe /open/share/write/priv
$DEFINE/USER/SUPER/EXEC/SYSTEM CNTSEC mdtsys:[exe]CNTSEC.exe
I am questioning the /priv switch. maybe this is the problem?
When the low privileged user attempts to run the application, he sees the following:
$stat <-- symbol defined to start application
%DCL-W-ACTIMAGE, error activating image CNTSEC
-CLI-E-IMGNAME, image file DSA20:[mdtsys.] [exe] CNTSEC
-SYSTEM-F-NOPRIV, insuffcient priviledge or object protection violation.
When I do the following :
$dir cntsec.exe /security
The response is CNTSEC.EXE (RWED, RWED, RE,)
I hope this is enough to maybe jog someone memory about this issue?
Any help would be appreciated, Thnank you!
Phil Tusa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-02-2008 06:01 AM
тАО04-02-2008 06:01 AM
Re: insuffcient priviledge or object protection violation
Your image has no world access listed. Group access is limited to Read and Execute access, and a key part of the DIRECTORY /SECURITY output that's omitted here is the owner UIC. The Owner UIC for the object (the image file, here) controls which users match the Owner and Group fields within the System - Owner - Group - World protection mask. If this is the trigger (and the ownership of the object does not line up with the UIC of the accessor), then SET PROTECTION=W:RE mdtsys:[exe]CNTSEC.exe might help, or (more targeted) adding an ACL.
If you're familiar with the Unix chown and chmod, it's the same idea. The difference is that Unix lets you set the equivalent of the group, and OpenVMS does not. Within OpenVMS, the group assigned within the UIC value assigned to the user within OpenVMS.
When chasing these NOPRIV errors in general, you can spend your time looking at the various factors, or you can enable the OpenVMS security alarms for file access failures (via SET AUDIT /ALARM /ENABLE... and REPLY /ENABLE=SECURITY; these commands require privileges), then attempt the (failing) file access, and OpenVMS security will tell you what failed; it uses logging built into the OpenVMS NOPRIV processing.
This approach assumes the access failure was generated by an OpenVMS access check, and not by something in the application. You may need to repeat the access, as it is possible to have several protection masks (on files and directories involved) each block access, for instance.
I would encourage a quick skim of the Security Manual, as this will explain terms and concepts, and it'll provide information on ACEs and ACLs, and on Subsystem Identifiers (which can be very handy when working with images that need controlled access), and for information on using security auditing and security alarms. This manual is located in the OpenVMS shelf at:
http://www.hp.com/go/openvms/doc
Stephen Hoffman
HoffmanLabs LLC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-02-2008 06:20 AM
тАО04-02-2008 06:20 AM
Re: insuffcient priviledge or object protection violation
$ REPLY/ENABLE=SECURITY
$ SET AUDIT/ALARM/ENABLE=FILE=FAIL=ALL
and throw again your command, and post the output here.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-02-2008 06:31 AM
тАО04-02-2008 06:31 AM
Re: insuffcient priviledge or object protection violation
$DEFINE/USER/SUPER/EXEC/SYSTEM CNTSEC mdtsys:[exe]CNTSEC.exe
A shorter version is
$DEFINE/EXEC/SYSTEM CNTSEC mdtsys:[exe]CNTSEC.exe
As your define will be in supervisor mode or executive mode or user mode, but not all.
:-)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО04-02-2008 09:53 AM
тАО04-02-2008 09:53 AM
Re: insuffcient priviledge or object protection violation
To confirm Hoff's diagnosis (which I would tend to agree with), perhaps supply us with the DIRECTORY/OWNER results for the file and the group number that you assigned the underprivileged users to.
For future reference, the Guide to System Security (available on http://www.hp.com/go/openvms ) contains a flowchart of access checking.
- Bob Gezelter, http://www.rlgsc.com