using sys$persona_create

SOLVED
vaxine
Occasional Visitor

using sys$persona_create

Hi all,
I am having problems using sys$persona_create to assign a username to a process. The calling process has SYSTEM privilege but the sys$persona_create function is returning an SS$_NOIMPERSONATE error! The SYSTEM privilege contains the IMPERSONATE privilege. Any suggestion will be helpful.
Thanks

9 REPLIES
Richard J Maher
Trusted Contributor

Re: using sys$persona_create

Hi,

How 'bout: -

$set proc/priv=impersonate

$set proc/priv=detach

Cheers Richard Maher
vaxine
Occasional Visitor

Re: using sys$persona_create

I have tried both!
Richard J Maher
Trusted Contributor

Re: using sys$persona_create

Any chance of showing real commands and real output?
vaxine
Occasional Visitor

Re: using sys$persona_create

The code follows and it returns an SS$_NOIMPERSONATE error.

int sts;
uint persona;

sts = sys$persona_create(
    &persona,
    opus_descrip(_username),
    0,
    0,
    0);
if ((sts & 1) == 0)
{
    set_error(sts);
    return false;
}

sts = sys$persona_assume(
    &persona,
    0,
    0);
if ((sts & 1) == 0)
{
    set_error(sts);
    return false;
}

This process is a server process with SYSTEM privilege (which includes the IMPERSONATE privilege).
Thomas Ritter
Respected Contributor

Re: using sys$persona_create

uint persona;

How have you defined the unsigned int?
Hoff
Honored Contributor
Solution

Re: using sys$persona_create

Prove it.

Implement and issue a sys$setprv call and light up IMPERSONATE and enough to access SYSUAF (and check for errors from the call) -- or fetch the current privilege mask and see what privilege bits are lit -- just before the failing sys$persona_create call, and call us back with the results.

Don't assume it.

Here's an example program you can start with from within Jim Duff's stash of C code, if your current application code is larger and accordingly unwieldy:

http://www.eight-cubed.com/examples/framework.php?file=sys_persona.c
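
The check described in the reply above, written out as an added example (not part of the thread and not Jim Duff's code): enable IMPERSONATE with sys$setprv, then read the current mask back rather than trusting the status alone. It assumes the default old-style starlet.h prototypes (no __NEW_STARLET); the name ensure_impersonate and the off-VMS stand-in for sys$setprv, with its simplified behaviour and values, are constructed for illustration.

```c
#include <stdio.h>
#ifdef __VMS
#include <starlet.h>   /* sys$setprv */
#include <prvdef.h>    /* PRV$M_IMPERSONATE */
#include <ssdef.h>     /* SS$_NOTALLPRIV */
#else
/* Off-VMS stand-in (constructed, simplified): models a process whose
   authorized and current masks are sim_auth / sim_cur. Values are stand-ins. */
#define PRV$M_IMPERSONATE 0x20u
#define SS$_NORMAL 1
#define SS$_NOTALLPRIV 1665
static unsigned int sim_auth[2], sim_cur[2];
static int sys$setprv(int enb, unsigned int *want, int prm, unsigned int *prev)
{
    int sts = SS$_NORMAL, i;
    (void)prm;
    for (i = 0; i < 2; i++) {
        if (prev) prev[i] = sim_cur[i];
        if (enb && want) {
            if (want[i] & ~sim_auth[i]) sts = SS$_NOTALLPRIV;
            sim_cur[i] |= want[i] & sim_auth[i];
        }
    }
    return sts;
}
#endif

/* Returns 1 only if IMPERSONATE is enabled in the current mask afterwards. */
int ensure_impersonate(void)
{
    unsigned int want[2] = { PRV$M_IMPERSONATE, 0 };  /* quadword mask */
    unsigned int before[2] = { 0, 0 }, now[2] = { 0, 0 };
    int sts;

    sts = sys$setprv(1, want, 0, before);   /* enable, not permanent */
    if (!(sts & 1)) {
        printf("$SETPRV failed, status %d\n", sts);
        return 0;
    }
    /* SS$_NOTALLPRIV has the low bit set: "success", yet the privilege
       was not granted, so testing (sts & 1) alone would miss it. */
    if (sts == SS$_NOTALLPRIV)
        printf("IMPERSONATE requested but not authorized\n");

    sts = sys$setprv(1, 0, 0, now);         /* prvadr 0: read back, no change */
    if (!(sts & 1)) return 0;
    printf("IMPERSONATE before=%d now=%d\n", (before[0] & PRV$M_IMPERSONATE) != 0,
           (now[0] & PRV$M_IMPERSONATE) != 0);
    return (now[0] & PRV$M_IMPERSONATE) != 0;
}
```

Call ensure_impersonate() immediately before the failing sys$persona_create call, in the same process and image, so the result describes the caller rather than a process it created.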
vaxine
Occasional Visitor

Re: using sys$persona_create

Used sys$setprv and found out that the process has got no privileges! Damn. It is a server process and it basically accepts client's commands, creates another process (sys$creprc) and executes the command using LOGINOUT and sends the results back to the client.
When the client sends a "show proc/priv" to the server process it returns

User: System

Authorize privileges:
SETPRV ....

Process privileges:
...
impersonate
...

Process rights:
SYSTEM..

But when I check the process privilege in the code using sys$setprv it returns no privileges!
John Gillings
Honored Contributor

Re: using sys$persona_create

vaxine,

I think you need to show us exactly how this process is created. $CREPRC is a deceptively difficult service to use and get precisely the results you require, especially when it comes to quotas and privileges. Running LOGINOUT makes it even trickier.

There are a LOT of notes in the documentation, and numerous combinations of parameters, flags and other item list entities that don't make a whole lot of sense. Make sure you understand exactly what your resultant process should look like, and carefully read through the System Services Reference Manual to work out how to get there.

Be wary of just copying someone else's code without careful analysis and making sure you understand what it's doing. Note that in the official HP course teaching system service programming, there was a moderately serious bug in the $CREPRC example which was undetected for more than a decade. As far as I know it's still there.

I'd recommend starting by making the target image/procedure for your detached process just issue SHOW PROCESS commands to validate that you're getting exactly what you want from the $CREPRC, then worry about implementing more complex stuff like personae.
A crucible of informative mistakes
Richard J Maher
Trusted Contributor

Re: using sys$persona_create

Hi,

Look, I've attached a .COM file that may help. @(at) that with privs on then: -

$set proc/priv=(noall,sysprv)
$run become

and see if you get the same results as I do.

Cheers Richard Maher