
Re: run/uic= does not start process as other user

 
Uwe Zessin
Honored Contributor


No, I don't think so. The rightslist contains a mapping between UIC/general identifier (32-bit values) and alphanumeric names (identifiers) - take a dump of RIGHTSLIST.DAT.

While the online help says that you grant an identifier to a user it is technically incorrect. An identifier is assigned to a UIC value - see attached dialogue.

A UIC is a 32-bit value with the MSB=0. A general identifier is a 32-bit value with the MSB=1 [>=80000000(16)]. That is how resource identifiers can work:
- it is a general identifier with the RESOURCE attribute
- the owner of a directory/file is now the general identifier, not a UIC
Uwe Zessin
Honored Contributor


Oh, sorry. Forgot to attach the file.
Antoniov.
Honored Contributor


After details about UIC, system ident, etc, I guess Tim may be confused.
Tim,
when I add a new user, to avoid any confusion, I always assign a new UIC and assign a new identifier with the same UIC.
UAF>ADD newuser /UIC=[g,i]
UAF>ADD/ID newuser /VALUE=UIC:[g,i]
In this way I work in the same manner as Unix and I see the owner of a file as a username.
I manage a little system (less than 100 users) and this simplifies my work.

Antonio Vigliotti
Antonio Maria Vigliotti
Uwe Zessin
Honored Contributor


Interesting. My experience is that AUTHORIZE automatically adds a UIC-based identifier as long as there is none yet in RIGHTSLIST. And it will even add an identifier for the UIC group if the user's account name does not map to an existing identifier:

UAF> add xyz/uic=[414,414]
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier XYZ value [000414,000414] added to rights database
UAF> add xyz2/uic=[414,414]/account=zxy
%UAF-I-ADDMSG, user record successfully added
%UAF-E-RDBADDERRU, unable to add XYZ2 value [000414,000414] to rights database
-SYSTEM-F-DUPIDENT, duplicate identifier
%UAF-I-RDBADDMSGU, identifier ZXY value [000414,177777] added to rights database
UAF>
Martin Vorlaender
Honored Contributor


You're right, of course.

I once saw a system where every account was explicitly copied from the default account - without assigning a new UIC. So every user came with a UIC of [200,200]. Not a pretty sight...

What I meant to say: On a properly administered machine, there is a mapping between rights identifiers (equalling usernames) and UICs.

If you do a $ DIRECTORY /OWNER, every username you see is really a UIC seen through that mapping.

cu,
Martin
Jan van den Ende
Honored Contributor


Uwe,

yes, that is the current behavior. And I am glad they changed it! Until not-too-long ago, creating a new username with a UIC that already had an associated identifier renamed the value of the identifier to the NEW username, leaving the EXISTING username without an associated identifier value.

Since I have noticed many posters here running older versions of VMS, I think this warning still has value to a lot of people!

But yes, it is good practice to make sure the value you are about to assign is still free.
And maybe in Antonio's case of ~100 users, conflicting assignments can be fairly easily resolved, but imagine 10K + users, in a rather security-sensitive environment like ours...
That makes it absolutely ESSENTIAL to have strict procedures, with validation before action, in place.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Uwe Zessin
Honored Contributor


Jan,
as far as I can tell this has never been the case (and I started using identifiers on VAX/VMS V4.x), but I might misunderstand you.


Assume you have user U1 with UIC: [2,1] and identifier U1 with the same UIC.

Now you create user U2 with UIC: [2,1], too. I have never ever seen that identifier U1 was renamed to U2 as you claim.

The problem starts when the system manager realizes his error and changes the UIC of user U2 to another value, let's say [3,1]. In this case the system grabs identifier U1 and changes its UIC to [3,1]. Great!

Now you have:
- user U1, UIC: [2,1], no identifier for UIC:[2,1]
- user U2, UIC: [3,1]
- identifier U1, UIC=[3,1]

The correct way would be:
UAF> modify U2/uic=[3,1]/nomodify_identifier
UAF> add/identifier U2 /value=uic=[3,1]
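The checks discussed in this thread, as an added example that is not part of any poster's message: it packs a numeric UIC into its 32-bit value, classifies a rights value by its MSB, and audits user and identifier listings for shared UICs and for UICs whose identifier is missing or carries another account's name. The function names and the sample data are constructed for illustration (modelled on the U1/U2 and XYZ/XYZ2 cases above); the layout assumed is group in the high word and member in the low word.

```python
import re
from collections import defaultdict

UIC_RE = re.compile(r"^\[([0-7]+),([0-7]+)\]$")

def uic_value(text):
    """Pack '[group,member]' (octal fields) into a 32-bit value with the MSB clear."""
    m = UIC_RE.match(text.replace(" ", ""))
    if not m:
        raise ValueError(f"not a numeric UIC: {text!r}")
    group, member = int(m.group(1), 8), int(m.group(2), 8)
    if group > 0o77777 or member > 0o177777:
        raise ValueError(f"UIC field out of range: {text!r}")
    return (group << 16) | member

def format_uic(value):
    return f"[{value >> 16:06o},{value & 0xFFFF:06o}]"

def classify(value):
    """MSB set: general identifier. Member 177777: group identifier. Else a UIC."""
    if value & 0x80000000:
        return "general"
    return "group" if value & 0xFFFF == 0xFFFF else "uic"

def audit(users, identifiers):
    """users: {username: '[g,m]'}; identifiers: {name: 32-bit value}."""
    by_uic, names_for = defaultdict(list), defaultdict(list)
    for name, uic in users.items():
        by_uic[uic_value(uic)].append(name)
    for ident, value in identifiers.items():
        names_for[value].append(ident)
    findings = []
    for value, names in sorted(by_uic.items()):
        if len(names) > 1:  # several accounts behind one UIC
            findings.append(("SHARED_UIC", format_uic(value), sorted(names)))
        mapped = names_for.get(value, [])
        for name in sorted(names):
            if name not in mapped:  # file ownership will not display as this user
                kind = "NAME_MISMATCH" if mapped else "NO_IDENTIFIER"
                findings.append((kind, format_uic(value), [name] + mapped))
    return findings

# Constructed sample: state after changing U2's UIC without /NOMODIFY_IDENTIFIER.
SAMPLE_USERS = {"U1": "[2,1]", "U2": "[3,1]"}
SAMPLE_IDENTIFIERS = {"U1": uic_value("[3,1]")}

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_IDENTIFIERS):
        print(finding)
```
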
Antoniov.
Honored Contributor


Jan,
even though I have a little system, because I'm lazy I wrote a little DCL procedure to add a new user. So I don't search for an available UIC and I create the home directory too with a standard LOGIN.COM; I also set pwdlifetime and a temporary standard password /PWDEXPIRED.
Then my user enters the system and changes his own password.
I have never met a problem with UICs or similar.

Antonio Vigliotti
Antonio Maria Vigliotti
Martin Vorlaender
Honored Contributor


Antoniov,

you mean like SYS$EXAMPLES:ADDUSER.COM ?

;-)

cu,
Martin
Antoniov.
Honored Contributor


No Martin,
I wrote a simple standard procedure; first of all because I use a semigraphical environment to make all system features.
I release these utilities to my customers, who are very much beginner users.
They can add a new user among 3 profiles, enable/disable user, force temporary password when somebody forgot it and a few other options.
Obviously I read ADDUSER.COM before, some years ago.

Antonio Vigliotti
Antonio Maria Vigliotti