Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

user priviledges

 
SOLVED
Go to solution
Eric_369
Advisor

user priviledges

I am using the install utility to create known file entries, for my "C" applications, with enhanced privledges (bypass).
These applications are run by users who have minimal dollar-sign ($) priviledges. The applications are given
world execute protection so the users can run them. One of the applications that is run by minimal priviledged users
has system call sys$sndjbcw which completes with a good status. This system call runs a command file, with logging, which
runs an application. In the log created by this system call I get the following error:

Error opening primary input file SYS$INPUT
Insufficient privilege or file protection violation

and the command file quits.


I modified the priviledges for this minimalized user to have READALL as a default priviledge. Now, the command file runs
the application just fine and I get the following error at the beginning of the log file:

%DCL-W-UNDFIL, file has not been opened by DCL - check logical name

Can you tell me where this error is coming from and how to get rid of it?
24 REPLIES
Bojan Nemec
Honored Contributor
Solution

Re: user priviledges

Eric,


"Error opening primary input file SYS$INPUT
Insufficient privilege or file protection violation"

Be shure that this user can read the command procedure you submit with the sys$sndjbcw system service. Change the file protection not the user privileges.

Bojan
Bojan Nemec
Honored Contributor

Re: user priviledges

Sorry,

I didnt ansawer to yours second question.

Try to put a $ SET VERIFY at the beginning of the command procedure and see which command generates the error.

And now I see that you are new to this forum so:

Welcome to the VMS forum!

Bojan
Willem Grooters
Honored Contributor

Re: user priviledges

Check file IO in the commandprocedurfe and be sure to have /ERROR=
Willem Grooters
OpenVMS Developer & System Manager
Eric_369
Advisor

Re: user priviledges

Bojan,
Thanks! I decreased the user priviledge and changed the command file protection and it worked great; however, the second error:

%DCL-W-UNDFIL, file has not been opened by DCL - check logical name,

appears before the "set verify" command in the command file, like so:

%DCL-W-UNDFIL, file has not been opened by DCL - check logical name
$SET VERIFY
....

Eric
Eric_369
Advisor

Re: user priviledges

Willem,
In the following command snippet you posted do I use the name of my command procedure in the field?

$ OPEN/ERROR=No_infile IN
$! do your stuff
$! at end of process:
$ goto endjob
$!
$ No_Infile:
$! Just ean example!
$ S = $STATUS
$ write sys$output "Error opening file"
$!
$endjob:
$ IF F$TRNLNM("IN") .NES. "" then close IN
$ EXIT 'S'

Phillip Thayer
Esteemed Contributor

Re: user priviledges

Sounds like maybe the process login.com or system sylogin.com may be trying to open or read a file that has not been opened yet. Look through those and see if there is any files that abe being used.

Phil
Once it's in production it's all bugs after that.
Bojan Nemec
Honored Contributor

Re: user priviledges

Eric,

Use the same technique with the sys$sylogin and the login procedure. Put set verify at the begining of this files. To avoid displaying on interactive terminals which can confuse normal users you can do a set verify only for batch jobs:

$ IF F$MODE().EQS."BATCH" THEN SET VERIFY

Bojan
Antoniov.
Honored Contributor

Re: user priviledges

Eric,
nice to meet you.

If you have V7.3 you can simply define
$ DEFINE/SYS SYLOGIN_VERIFY TRUE
After of this all login procedure have set verify enable. When you deass SYLOGIN_VERIFY, verify turn off. In this way you have no to modify command procedures.

Antonio Vigliotti
Antonio Maria Vigliotti
Eric_369
Advisor

Re: user priviledges

All,
Thank you for welcoming me to this site. It is a site I've desired for a very long time. Your help was much appreciated and your comments led me to the solution of my problem.

The problem was in my login.com file. There I had the following command:

Write sys$output: f$time()

I change it to:

Write sys$output f$time()

removing the colon after sys$output, and everything worked perfectly!

There was one thing I didn't understand. That login.com and sylogin.com were called when I run a batch job. Does this mean that when I run a batch job as a user that I am logging into the system again in "batch mode" to process the command file?

Lawrence Czlapinski
Trusted Contributor

Re: user priviledges

Eric: Yes, when you run a batch job, you are logging in again in BATCH mode.
If you do work between clusters or non-clustered nodes, you logon in NETWORK mode.
Lawrence
Uwe Zessin
Honored Contributor

Re: user priviledges

BYPASS is a _very_ dangerous privilege.

I hope you have properly written your program so that it only enables BYPASS when it really needs it.

Imaging the following case:
- you programm sends some output to the terminal
- your 'unprivileged' user executes the following command
-- before (s)he runs you program
$ define sys$output sys$common:[sysexe]sysuaf.dat;0

Guess what will happen?
.
Eric_369
Advisor

Re: user priviledges

Uwe,
I will consider this concern and look into it. The major safety measure is that the 'unpriviledged' user is logged into a captive account and has no '$' access. At no point in time does any program change sys$output. I imagine that it could be done from by a higher level user across a processes! Is this a possibility?
Eric
Uwe Zessin
Honored Contributor

Re: user priviledges

Yes, a captive account reduces the risk.

It depends on the capability of these 'higher-level' users whether they can do any damage that way. Do they need access to those privileged programs, too? Can you block access from them?
.
Eric_369
Advisor

Re: user priviledges

Uwe,
A point that I'd forgotten about concerning the 'unpriviledged' user is that they don't have the priviledge of using the define command even if they could get to the dollar sign.

Second, there is only one user with priviledge enough to do what I suggested and that is the system administrator.

Eric
John Gillings
Honored Contributor

Re: user priviledges

Eric,

> they don't have the priviledge of
>using the define command even if
>they could get to the dollar sign.

Nevertheless! When designing a program which will be installed with any privilege, it is still prudent to always disable any unnecessary privileges as the first executable statement in the program, then enable privileges immediately before they are required and disable them immediately afterward they are used.

If you're running V7.3 or higher, you can use INSTALL/AUTHPRIVILEGE=(BYPASS) to give the image the ability to enable BYPASS, but not have it enabled upon image activation.

If at all possible, use this option instead of INSTALL/PRIVILEGE (but even then, being paranoid about this type of thing, I would STILL strongly recommend having a $SETPRV(NOALL,TMPMBX,NETMBX) as the first executable statement)

Furthermore, you should protect the image so it can only be executed by authorized users. WORLD EXECUTE is NOT good. Use an ACL to limit access to users holding a rights identifier.

Although what you say may be true right now, you don't know if someone is going to add new users with different access rights to the system in future, nor do you know what changes may be made to the program. There are just too many possible ways exploit a privileged image.

All that said, it sounds like your application would be better implemented using a Project Directory (see OpenVMS Guide to System Security, Section 8.8.1.2.2 http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/00/00/78-con.html#projectaccountssettingup ), or as a "protected subsystem" http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/00/01/112-con.html#projectaccountsasprotectedsubsystems

Either of these mechanisms should give you the ability to create a far more precise solution in a much more secure manner, and without the inherent limitations of protected images.

BYPASS and READALL are THERMONUCLEAR hammers. If you find yourself resorting to using them to solve relatively simple problems, you should see big red flags and LOUD alarm bells. Think "huge security hole waiting to be exploited". OpenVMS has a very rich variety of security control mechanisms, please use them to keep your system secure.
A crucible of informative mistakes
Uwe Zessin
Honored Contributor

Re: user priviledges

Eric,
I might have misunderstood you, but the DEFINE command itself does not need a privilege. You can create logical names in your process and job logical name tables without additional privileges.
.
Antoniov.
Honored Contributor

Re: user priviledges

Eric,
my working user has no priviledge and I daily work without any trouble. Just for system manteinance I have to use SYSTEM.

Antonio Vigliotti
Antonio Maria Vigliotti
Willem Grooters
Honored Contributor

Re: user priviledges

Eric,

The snipplet is just an example how I would do IO in a command procedure. is the file you open to process. At any point you can get the error you found when you access a file not opened when expected like on READ, WRITE or CLOSE.
That this would happen with SYS$OUTPUT is a strange thing anyway.

I have to agree on the security issue, with all. BYPASS should NOT be used unless all other facilities fail.
IMHO a user environment should be such that no other privileges than normally granted (TMPMBX and NETMBX) are required. You can do so by setting up the right directory structures, protect them and all subsequent files by UIC, ACL or both. Use rights identifiers that can dynamicly be granted to users to access files they normally do not have to, at the moment they need that access.
There are just a few issues that require extra privileges, and then use John Gilling's suggestion to enable them just when needed and disable them afterwards.

Willem

Willem Grooters
OpenVMS Developer & System Manager
Eric_369
Advisor

Re: user priviledges

All,
Thank you for the help. It is refreshing to be corrected and shown the pitfalls of a particular course of action. In this case using (BYPASS) priviledges on an executable. Instead of writing 3 or 4 replies I'll try to do it in just one, responding to each post.


Uwe wrote:
>>
Eric,
I might have misunderstood you, but the DEFINE command itself does not need a privilege. You can create logical names in your process and job logical name tables without additional privileges.
<<

Uwe,
I tried using the define command at the prompt for the 'unpriviledged' user and the system wouldn't let me do it. In order to get to the prompt I had to make the 'unpriviledged' user non-captive.
Eric

Antonio wrote:
>>
Eric,
my working user has no priviledge and I daily work without any trouble. Just for system manteinance I have to use SYSTEM.

Antonio Vigliotti
<<

Antonio,
This is goal I have in mind! All users will be 'unpriviledged.' Our support staff will be the only 'priviledged' or SYSTEM users.
Eric

Willem wrote:
>>
Eric,

The snipplet is just an example how I would do IO in a command procedure. is the file you open to process. At any point you can get the error you found when you access a file not opened when expected like on READ, WRITE or CLOSE.
That this would happen with SYS$OUTPUT is a strange thing anyway.

I have to agree on the security issue, with all. BYPASS should NOT be used unless all other facilities fail.
IMHO a user environment should be such that no other privileges than normally granted (TMPMBX and NETMBX) are required. You can do so by setting up the right directory structures, protect them and all subsequent files by UIC, ACL or both. Use rights identifiers that can dynamicly be granted to users to access files they normally do not have to, at the moment they need that access.
There are just a few issues that require extra privileges, and then use John Gilling's suggestion to enable them just when needed and disable them afterwards.

Willem
<<

Willem,
Now I understand what you were getting at with IO in a command procedure.

The issue with sys$output was that instead of writing to (sys$output) in batch mode it was writing to (sys$output:) a device that doesn't exist. I guess putting a colon after sys$output made it unrecognizable as a device/file.
Concerning the (BYPASS) issue with my executables, you all have helped me see the error of my way!
Eric


John wrote:
>>
Eric,

> they don't have the priviledge of
>using the define command even if
>they could get to the dollar sign.

Nevertheless! When designing a program which will be installed with any privilege, it is still prudent to always disable any unnecessary privileges as the first executable statement in the program, then enable privileges immediately before they are required and disable them immediately afterward they are used.

If you're running V7.3 or higher, you can use INSTALL/AUTHPRIVILEGE=(BYPASS) to give the image the ability to enable BYPASS, but not have it enabled upon image activation.

If at all possible, use this option instead of INSTALL/PRIVILEGE (but even then, being paranoid about this type of thing, I would STILL strongly recommend having a $SETPRV(NOALL,TMPMBX,NETMBX) as the first executable statement)

Furthermore, you should protect the image so it can only be executed by authorized users. WORLD EXECUTE is NOT good. Use an ACL to limit access to users holding a rights identifier.

Although what you say may be true right now, you don't know if someone is going to add new users with different access rights to the system in future, nor do you know what changes may be made to the program. There are just too many possible ways exploit a privileged image.

All that said, it sounds like your application would be better implemented using a Project Directory (see OpenVMS Guide to System Security, Section 8.8.1.2.2 http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/00/00/78-con.html#projectaccountssettingup ), or as a "protected subsystem" http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/00/01/112-con.html#projectaccountsasprotectedsubsystems

Either of these mechanisms should give you the ability to create a far more precise solution in a much more secure manner, and without the inherent limitations of protected images.

BYPASS and READALL are THERMONUCLEAR hammers. If you find yourself resorting to using them to solve relatively simple problems, you should see big red flags and LOUD alarm bells. Think "huge security hole waiting to be exploited". OpenVMS has a very rich variety of security control mechanisms, please use them to keep your system secure.
<<

John,
Thank you for the advice and links to properly implementing security on my system.
Eric
Uwe Zessin
Honored Contributor

Re: user priviledges

Ah, thanks for the Captive reminder - you're right for interactive use.

Did you protect the account against NETWORK logins, too? For example, I can FTP into a captive username and modify LOGIN.COM unless I do:
UAF> modify USER1 /nonetwork

$ ftp localhost
220 athena.&&&&&.de FTP Server (Version 5.4) Ready.
Connected to LOCALHOST.
Name (LOCALHOST:zessin): nopriv
331 Username nopriv requires a Password
Password:
230 User logged in.
FTP> get login.com l.txt
200 TYPE set to IMAGE.
200 PORT command successful.
150 Opening data connection for USER_&&&:[NOPRIV]login.com; (127.0.0.1,51364) (10 bytes)
226 Transfer complete.
local: &&&l.txt;1 remote: login.com
10 bytes received in 00:00:00.01 seconds (0.75 Kbytes/s)
FTP> put l.txt login.com
200 PORT command successful.
150 Opening data connection for USER_&&&:[NOPRIV]login.com; (127.0.0.1,51365)
226 Transfer complete.
local: &&&l.txt;1 remote: login.com
10 bytes sent in 00:00:00.02 seconds (0.35 Kbytes/s)
FTP>

(I've replaced some security-related information with &&&)
.
Eric_369
Advisor

Re: user priviledges

Uwe,
I followed the instructions in your post and the account is such that I cannot "get" a file from the server using ftp in the 'nopriviledge' account.
Eric
Robert Gezelter
Honored Contributor

Re: user priviledges

Eric,

Reading the dialogue, it is not clear to me that what your "unprivileged" account is configured as. An attachment of the SHOW /FULL from within AUTHORIZE would be helpful.

Also helpful would be a log of the terminal session that show the FTP problem.

To do many tasks, an unprivileged user will need to have the innocuous NETMBX and TMPMBX privileges. Beyond that, no normal user should need to have any additional privileges for a routine application. In almost every case (and I can count the exceptions on one hand in over twenty five years), there is no need for additional privileges for users. ACLs of various forms allow access to files and devices.

In each case where I have been called to deal with a situation such as you describe, the problem has been incorrect protections and ACLs on files. This is emminently correctable. In fact, I have presented a session (at HP World 2004) that demonstrated how you can manage huge environments without granting users privileges (see http://www.rlgsc.com/hpworld/2004/N227.html).

In short, giving out READALL and BYPASS is a very bad idea.

- Bob Gezelter, http://www.rlgsc.com
Eric_369
Advisor

Re: user priviledges

Robert,
I apologize for being slow about getting back to your question. Below are the priviledges of the 'nonpriviledge' account, the security on the login.com file, and ftp log. I think it's the security on the login.com file that disallows 'get' priviledge.

What I am trying to accomplish is minimalize the priviledges of 'regular' users while allowing them to execute my applications which read, write, and update rms files, print to printers, and run batch jobs.

Eric

User priviledges:

Username: TEST Owner: TEST A. USER
Account: UIC: [11,1] ([11,1])
CLI: DCL Tables: DCLTABLES
Default: DISK$USERS:[TEST]
LGICMD:
Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 90 00:00 Pwdchange: 29-AUG-2005 16:03
Last Login: 3-SEP-2005 13:01 (interactive), 3-SEP-2005 13:01 (non-interactive)
Maxjobs: 0 Fillm: 100 Bytlm: 64000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 150 JTquota: 4096
Prclm: 8 DIOlm: 150 WSdef: 8000
Prio: 4 ASTlm: 250 WSquo: 8000
Queprio: 4 TQElm: 10 WSextent: 16384
CPU: (none) Enqlm: 2000 Pgflquo: 50000
Authorized Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX
Default Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX



login.com security:

[RX-DEV]dir/sec login.com

Directory TTM_USERS:[TEST]

LOGIN.COM;38 [1,1] (RWED,RWED,RE,E)












ftp log:

$ !
$ ! File name: TCPIP$FTP_SERVER.COM
$ ! Product: HP TCP/IP Services for OpenVMS
$ ! Version: V5.5-11
$ !
$ ! © Copyright 1976, 2004 Hewlett-Packard Development Company, L.P.
$ !
$ ! Confidential computer software. Valid license from HP and/or its
$ ! subsidiaries required for possession, use, or copying.
$ !
$ ! Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
$ ! Computer Software Documentation, and Technical Data for Commercial
$ ! Items are licensed to the U.S. Government under vendor's standard
$ ! commercial license.
$ !
$ ! Neither HP nor any of its subsidiaries shall be liable for technical
$ ! or editorial errors or omissions contained herein. The information
$ ! in this document is provided "as is" without warranty of any kind
$ ! and is subject to change without notice. The warranties for HP
$ ! products are set forth in the express limited warranty statements
$ ! accompanying such products. Nothing herein should be construed as
$ ! constituting an additional warranty.
$ !
$ set noon
$ set symbol /scope=(nolocal,global)
$ set symbol /scope=(nolocal,noglobal)/verb
$ !
$ ! start ftp child process
$ !
$ run:
$ run SYS$SYSTEM:TCPIP$FTP_CHILD.EXE
$ !
$ ! completed ftp child execution
$ !
$ exit:
$ exit $status .or. %x10000000
TEST job terminated at 6-SEP-2005 08:44:15.19
Accounting information:
Buffered I/O count: 80 Peak working set size: 7920
Direct I/O count: 50 Peak virtual size: 182112
Page faults: 566 Mounted volumes: 0
Charged CPU time: 0 00:00:00.08 Elapsed time: 0 00:14:08.07
Uwe Zessin
Honored Contributor

Re: user priviledges

> UIC: [11,1]

That looks like you are aware of the feature of the system parameter MAXSYSGROUP, aren't you? ;-)
.