Re: run/uic= does not start process as other user

Tim Nelson · ‎08-09-2004

I am running a detached process but would like it to execute under another user. Below is the run command and switches but the process still runs as "system" not the user "cron". The user named "CRON" is set up with difference quotas in SYSUAF.
I have read and read but cannot find what I am doing wrong. Any ideas ?? Thanks !!!
$ run -
/detach -
/input = admin:[util.cron]cron.com -
/output = admin:[util.cron.log]cron.log -
/error = admin:[util.cron.log]cron.error -
/process = "Cron_DAEMON" - /queue_limit = 30 -
/subprocess_limit = 50 -
/page_file = 10000 -
/time_limit = 0 -
/extent = 1024 -
/file_limit = 50 -
/uic = [CRON] -
/prior=10 -
/authorize -
sys$system:loginout.exe

Uwe Zessin · ‎08-09-2004

Tim,
a username is not the same as a UIC (user identification code). The UIC (a 32-bit value) is used for protection checks, but the username (1 to 12 characters) is used for authentication.

There can be multiple usernames with the same UIC in the SYSUAF.

In the past I used an implementation of CRON that started the user's jobs with a 'SUBMIT/USERNAME'. That has the advantage that this is a completely different process that runs with the correct username, the correct quotas, privileges and rightslist identifiers.

If you start the user's jobs as a subprocesses you should note that they will also share the pooled quotas like PGFLQUO with the master process (CRON).

You might be able to worm around the username problem with one of the newer system services like SYS$PERSONA_?, but I don't have experience with them and the problem of pooled quotas is still there.

.

Tim Nelson · ‎08-09-2004

So what you are saying is a run/detach/uic=[x,x] is not the same as submit/user=username

Right ?

Tim Nelson · ‎08-09-2004

Sorry I know that last statement has a lot of comments that could be written. Let me restate.

Assuming all the other stuff is known. i.e. run/detached and submit to queue are obviously completely different in nature.

submit/user=USERNAME exeutes the process just like the USER entered it themselves. Uses full user envrironment based and SYSUAF entries.

run/uic= executes the process but only uses the defined uic with regards to file security but does not "become" the user completely like the submit/user does.

Sorry for leaving that one so open. :(

Uwe Zessin · ‎08-09-2004

Yes.
Yes.
Yes.
Yes.

Clearer now? ;-)

In older versions of VMS it was easy to do 'SET UIC [g,m]'. Well, you can still do it, but today we have ownership and protections on many objects that it does not really make sense.

Do a 'SHOW LOGICAL/FULL /TABLE=LNM$JOB', for example. I think you can understand that a change of your UIC can easily remove access to your own job logical name table where names like SYS$LOGIN reside.

.

Tim Nelson · ‎08-09-2004

Glad you straitened me out on that one !! :)

Thanks again, over and over.

(as you have figured out by now I am a UNIX guy, now delving into the wonderfull world of VMS)

Uwe Zessin · ‎08-09-2004

Each 'Yes' was supposed to answer one question - I hope I got that right.

You know, there are 3 types of people, those who can count and those who cannot ;-)

There is nothing wrong being a Unix guy. Perhaps, one day, you can help me with a HP-UX question.

.

Tim Nelson · ‎08-09-2004

Yep, I got it.

More than happy to help with HPUX. I have 25 E - RP class servers and have experienced alot of things over the last 12 years.

Let me know if I can ever help.

Thanks !

Antoniov. · ‎08-09-2004

Hi Tim,
I guess you are an unix person so in another thread I posted some link for unix/vms conversion commands.
From unix to vms
http://www.think-forward.com/tips/Ivmsunix.htm
http://www.ctstateu.edu/help/unix/vms2unix.html
http://wwwvms.mppmu.mpg.de/vmsdoc/UNIX_VMS_CMD_XREF.HTML
From vms to unix
http://www.bc.edu/offices/ats/rits/research/hardware/howto/usingunix/vmstounix/
http://www.mssl.ucl.ac.uk/www_computing/buns/vms_to_unix.html

About difference between submit and run/uic, submit limit numer of job (may be 1 job for time too) while run/uic execute always the process.
Submit add a new process to a batch queue and if batch is busy, process stay holding until queue become avaiable; when batch queue is created you can define the max # of job:
$ INIT/QUEUE /BATCH/JOB=#

Antonio Vigliotti

Antonio Maria Vigliotti

Martin Vorlaender · ‎08-09-2004

Uwe wrote:
>>>
a username is not the same as a UIC (user identification code). The UIC (a 32-bit value) is used for protection checks, but the username (1 to 12 characters) is used for authentication.

There can be multiple usernames with the same UIC in the SYSUAF.
<<<

To extend that a bit: there's a translation table between UICs and usernames in the file RIGHTSLIST.DAT (normally in SYS$SYSTEM:).

If you have access to that file, using the AUTHORIZE utility you can list the translations using

UAF> SHOW /IDENTIFIER /USER=* ! sorted by username
UAF> SHOW /IDENTIFIER /USER=[*,*] ! sorted by UIC

HTH,
Martin

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: run/uic= does not start process as other user

run/uic= does not start process as other user