04-10-2006 07:16 PM
Re: read only access using authorize ?
http://vms.process.com/fileserv_search.html
Enter GETUAI as the search term.
04-10-2006 07:37 PM
Re: read only access using authorize ?
Wim
04-10-2006 08:34 PM
Re: read only access using authorize ?
DAYLISTUAF runs in batch with privileges and lists the records.
WHOUAF allows the users to search those listings.
Both are attached.
Rob.
04-10-2006 08:34 PM
Re: read only access using authorize ?
04-11-2006 05:00 PM
Re: read only access using authorize ?
A quick and dirty way to do what you want...
First put an ACE on SYSUAF granting READ access to your non-privileged users.
When they want to read stuff, make a temporary COPY of SYSUAF (with both read and write access), then run AUTHORIZE against it:
READUAF.COM
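$! Work on a private scratch copy; the live SYSUAF is only ever read
$ COPY SYS$SYSTEM:SYSUAF.DAT -
       SYS$SCRATCH:SYSUAF.DAT
$! /USER logical names are deassigned when the next image (AUTHORIZE) exits
$ DEFINE/USER SYSUAF SYS$SCRATCH:SYSUAF.DAT
$ DEFINE/USER SYS$INPUT SYS$COMMAND
$ MCR AUTHORIZE
$! Remove every version of the scratch copy after use
$ DELETE SYS$SCRATCH:SYSUAF.DAT;*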
This won't stop users from issuing AUTHORIZE commands which modify the file, but they'll only be executed against the scratch copy.
Note that in general it's not a good idea to give people read access to SYSUAF - it gives crackers a head start, as they know what usernames to probe. If you go this path, make sure the scratch copies are also protected from general access, and deleted after use.
04-11-2006 06:58 PM
Re: read only access using authorize ?
Another way that still allows maximum security is to create a CAPTIVE account that is shared by all users under which a menu structure enables them to perform their most common actions.
For instance:
Menu
1. Check account last login
2. Check account status
...
etcetera
The DCL script that runs behind the CAPTIVE account can read the input from the menu, then, for instance, read the account name and execute the AUTHORIZE utility with the appropriate command.
This prevents users from issuing commands within the authorize utility themselves and because of the behavior of the CAPTIVE account they will not be able to break out of the routine.
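A sketch of the menu procedure described in the post above, as an added example that is not part of the original post. The procedure name, the temporary file name and the choice of `SHOW /FULL` filtered with SEARCH are assumptions, as is the premise that the captive account can read SYSUAF and that AUTHORIZE can locate it (default directory SYS$SYSTEM or a SYSUAF logical name).

```dcl
$! UAFMENU.COM - hypothetical login command procedure for the CAPTIVE account
$! (added example; the account is assumed to have read access to SYSUAF)
$ SET NOON
$ VALID = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_"
$ TMP = "SYS$SCRATCH:UAFMENU_" + F$GETJPI("","PID") + ".TMP"
$MENU:
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "1. Check account last login"
$ WRITE SYS$OUTPUT "2. Check account status"
$ WRITE SYS$OUTPUT "3. Exit"
$! READ is used instead of INQUIRE: it performs no symbol substitution
$! on what the user types
$ READ/END_OF_FILE=DONE/PROMPT="Choice: " SYS$COMMAND CHOICE
$ CHOICE = F$EDIT(CHOICE,"COLLAPSE")
$ IF CHOICE .EQS. "3" THEN GOTO DONE
$ KEY = ""
$ IF CHOICE .EQS. "1" THEN KEY = "Last Login"
$ IF CHOICE .EQS. "2" THEN KEY = "Flags"
$ IF KEY .EQS. "" THEN GOTO MENU
$ READ/END_OF_FILE=DONE/PROMPT="Username: " SYS$COMMAND USER
$ USER = F$EDIT(USER,"COLLAPSE,UPCASE")
$! Allow-list check: 1 to 12 characters, all taken from VALID, so no
$! wildcards, qualifiers or extra AUTHORIZE commands can ride along
$ LEN = F$LENGTH(USER)
$ IF LEN .EQ. 0 .OR. LEN .GT. 12 THEN GOTO BADNAME
$ I = 0
$CHECK:
$ IF F$LOCATE(F$EXTRACT(I,1,USER),VALID) .EQ. F$LENGTH(VALID) THEN GOTO BADNAME
$ I = I + 1
$ IF I .LT. LEN THEN GOTO CHECK
$! The AUTHORIZE command is fixed here; only the validated name varies.
$! Output is captured and filtered so the user sees one field only.
$ DEFINE/USER SYS$OUTPUT 'TMP'
$ MCR AUTHORIZE SHOW 'USER' /FULL
$ SEARCH 'TMP' "''KEY'"
$ DELETE/NOLOG 'TMP';*
$ GOTO MENU
$BADNAME:
$ WRITE SYS$OUTPUT "Invalid username"
$ GOTO MENU
$DONE:
$ LOGOUT
```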
04-17-2006 08:06 PM
Re: read only access using authorize ?
04-17-2006 09:45 PM
Re: read only access using authorize ?
http://wwwvms.mppmu.mpg.de/vmssig/src/for/last_login.for
It shows how to loop over all accounts (SYS$IDTOASC) and $getuai to extract whatever info.
The $idtoasc call is the key to wildcard $getuai.
04-29-2006 10:30 PM
Re: read only access using authorize ?
It may not assist you in your current task but the attached file was used to allow Rdb users (with access to the stored function) access to a user's default directory.
FWIW.
Cheers Richard Maher
04-29-2006 10:49 PM
Re: read only access using authorize ?
Having said that, Stephen Hoffman (of VMS engineering) says: -
1) "It's unsupported to call anything outside the kernel from inner-mode code."
2) If it's loaded and activated separately or otherwise not part of the kernel, it's not necessarily safe to call it from inner-mode
3) And in any event, inner-mode code cannot call RTL calls.
4) You can't call RTLs from inner-mode code.
5) You can't call user-mode code and user-mode RTLs from inner-mode code.
6) You can't call user-mode code from inner-mode code.
7) And AFAIK, it is not safe to call sys$getuai, since this call is
implemented as a UWSS and not as part of the kernel -- the LOADSS calls
needed to use outer-mode APIs as part of their operations, so the LOADSS
APIs are not directly part of the kernel.)
*****************************
Now, my name's Richard Maher and I say that on this particular subject Stephen Hoffman is talking crap. (This will inevitably trigger another sycophantic ITRC no-hoper to delete this entry, but hey, what can you do?)
Regards Richard Maher
PS. See attached example of accessing SYSUAF directly if you believe Hoff.
PPS. Ask Hein what he thinks.