HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

insuffcient priviledge or object protection violation

 
Phillip Tusa
Advisor

insuffcient priviledge or object protection violation

We are currently running I-64 with openVMS V8.2-1.

We set up several low privileged accounts that cannot start an application. The default and authorized priviledges are NETMBX and TMPMBX

All higher privileged users can start this application no problem. Since they were setup with ALL Authorized and Default privilidges.

This application must access images. One of the live images is called CNTSEC.EXE. (developed in-house).

The installable images command procedure has the following:

$install ADD mdtsys:[exe]cntsec.exe /open/share/write/priv

$DEFINE/USER/SUPER/EXEC/SYSTEM CNTSEC mdtsys:[exe]CNTSEC.exe

I am questioning the /priv switch. maybe this is the problem?

When the low privileged user attempts to run the application, he sees the following:

$stat <-- symbol defined to start application

%DCL-W-ACTIMAGE, error activating image CNTSEC
-CLI-E-IMGNAME, image file DSA20:[mdtsys.] [exe] CNTSEC
-SYSTEM-F-NOPRIV, insuffcient priviledge or object protection violation.

When I do the following :
$dir cntsec.exe /security

The response is CNTSEC.EXE (RWED, RWED, RE,)


I hope this is enough to maybe jog someone memory about this issue?

Any help would be appreciated, Thnank you!

Phil Tusa

























"I'd rather be a VMS guy, any day of the week!"
4 REPLIES
Hoff
Honored Contributor

Re: insuffcient priviledge or object protection violation

If you need to access a file, you need to match the System, Owner, Group or World mask, or an Access Control List Entry (ACE) in an Access Control List (ACL). Or you need privileges.

Your image has no world access listed. Group access is limited to Read and Execute access, and a key part of the DIRECTORY /SECURITY output that's omitted here is the owner UIC. The Owner UIC for the object (the image file, here) controls which users match the Owner and Group fields within the System - Owner - Group - World protection mask. If this is the trigger (and the ownership of the object does not line up with the UIC of the accessor), then SET PROTECTION=W:RE mdtsys:[exe]CNTSEC.exe might help, or (more targeted) adding an ACL.

If you're familiar with the Unix chown and chmod, it's the same idea. The difference is that Unix lets you set the equivalent of the group, and OpenVMS does not. Within OpenVMS, the group assigned within the UIC value assigned to the user within OpenVMS.

When chasing these NOPRIV errors in general, you can spend your time looking at the various factors, or you can enable the OpenVMS security alarms for file access failures (via SET AUDIT /ALARM /ENABLE... and REPLY /ENABLE=SECURITY; these commands require privileges), then attempt the (failing) file access, and OpenVMS security will tell you what failed; it uses logging built into the OpenVMS NOPRIV processing.

This approach assumes the access failure was generated by an OpenVMS access check, and not by something in the application. You may need to repeat the access, as it is possible to have several protection masks (on files and directories involved) each block access, for instance.

I would encourage a quick skim of the Security Manual, as this will explain terms and concepts, and it'll provide information on ACEs and ACLs, and on Subsystem Identifiers (which can be very handy when working with images that need controlled access), and for information on using security auditing and security alarms. This manual is located in the OpenVMS shelf at:

http://www.hp.com/go/openvms/doc

Stephen Hoffman
HoffmanLabs LLC
labadie_1
Honored Contributor

Re: insuffcient priviledge or object protection violation

Do
$ REPLY/ENABLE=SECURITY
$ SET AUDIT/ALARM/ENABLE=FILE=FAIL=ALL

and throw again your command, and post the output here.
labadie_1
Honored Contributor

Re: insuffcient priviledge or object protection violation

Some nitpciking

$DEFINE/USER/SUPER/EXEC/SYSTEM CNTSEC mdtsys:[exe]CNTSEC.exe

A shorter version is
$DEFINE/EXEC/SYSTEM CNTSEC mdtsys:[exe]CNTSEC.exe

As your define will be in supervisor mode or executive mode or user mode, but not all.

:-)
Robert Gezelter
Honored Contributor

Re: insuffcient priviledge or object protection violation

Phillip,

To confirm Hoff's diagnosis (which I would tend to agree with), perhaps supply us with the DIRECTORY/OWNER results for the file and the group number that you assigned the underprivileged users to.

For future reference, the Guide to System Security (available on http://www.hp.com/go/openvms ) contains a flowchart of access checking.

- Bob Gezelter, http://www.rlgsc.com