Operating System - OpenVMS
1748284 Members
3732 Online
108761 Solutions
New Discussion юеВ

Re: IA64 problem with Shareable Image protection

 
SOLVED
Go to solution
Richard J Maher
Trusted Contributor

Re: IA64 problem with Shareable Image protection

Here's one I prepared earlier :-)

See attached for DIR_WATCH.COM if you (at) that file and then $RUN TEST_DIR from an unprivileged account you'll see what I mean: -

$ dir/full SYS$COMMON:[SYSLIB]DIR_WATCH_EXEC.EXE;1

Directory SYS$COMMON:[SYSLIB]

DIR_WATCH_EXEC.EXE;1 File ID: (2255,11,0)
Size: 51/64 Owner: [SYSTEM]
Created: 12-FEB-2009 06:57:37.77
Revised: 12-FEB-2009 06:57:37.98 (3)

File organization: Sequential
File protection: System:RWED, Owner:RWED, Group:RE, World:E
Access Cntrl List: None
Client attributes: None

Total of 1 file, 51/64 blocks.
$ set proc/priv=(noall,tmpmbx,netmbx)
$ run test_dir
%DCL-W-ACTIMAGE, error activating image DIR_WATCH_EXEC
-CLI-E-IMGNAME, image file RX2600$DKA100:[SYS0.SYSCOMMON.][SYSLIB]DIR_WATCH_EXEC.EXE
-SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

Cheers Richard Maher

*NB* Be advised that some of the attached go operates in Kernel mode. Use at own risk! No warranty express of implied.
Richard J Maher
Trusted Contributor

Re: IA64 problem with Shareable Image protection

Here's some documentation for the routines in the previous example, if it helps any.

Cheers Richard Maher

John Gillings
Honored Contributor

Re: IA64 problem with Shareable Image protection

Richard,

Sorry, I can't run your test - policy regarding privileged programs (if it were an Alpha question I could run it on my home Alpha, but I don't have an IA64 to play with).

The issue may have something to do with the /PROTECT on the installed image, or maybe it's because of the two levels? As a sanity check, could you please try the attached procedure to see if my trivial example works correctly? No kernel mode code, no privilege required. Worst it will do is leave a few files and some logical names defined.
A crucible of informative mistakes
Richard J Maher
Trusted Contributor

Re: IA64 problem with Shareable Image protection

Here 'tis,

$ @john
This should output "Hello World"
Hello World
This should output "Hello World" again
Hello World
This should fail with %TYPE-W-OPENIN
%TYPE-W-OPENIN, error opening DKA0:[TIER3_DEV.GILLINGS]TSHR.EXE;1 as input
-RMS-E-PRV, insufficient privilege or file protection violation
This should fail with %ILINK-F-OPENIN
%ILINK-F-OPENIN, error opening DKA0:[TIER3_DEV.GILLINGS]TSHR.EXE;1 as input
-RMS-E-PRV, insufficient privilege or file protection violation
This should fail with %LIB-E-ACTIMAGE
%LIB-E-ACTIMAGE, error activating image DKA0:[TIER3_DEV.GILLINGS]TSHR.EXE;1
-SYSTEM-W-ACCONFLICT, file access conflict
%TRACE-E-TRACEBACK, symbolic stack dump follows
image module routine line rel PC abs PC
LIBRTL LIB$FIND_IMAGE LIB$FIND_IMAGE_SYMBOL
1812 0000000000002800 FFFFFFFF841BC750
TFIS 0 0000000000020092 0000000000020092
0 FFFFFFFF80B9E492 FFFFFFFF80B9E492
DCL 0 000000000006BD22 000000007AE27D22
%TRACE-I-END, end of TRACE stack dump
%SYSTEM-W-ACCONFLICT, file access conflict
x2084
Trusted Contributor

Re: IA64 problem with Shareable Image protection

The ECO talks about installed images. It talks about mapping global sections. If installed /share, it gives the error, if installed /share=addr it works. The fix is incomplete, it addresses only /share=addr, which the error report was for. Please report the problem to get the fix.
Richard J Maher
Trusted Contributor

Re: IA64 problem with Shareable Image protection

Hi Hartmut,

You're an absolute champion! Should have given your post 10 points.

> if installed /share=addr it works.

Sure does! Can't think of hand why you wouldn't use share=ADDRESS as opposed to vanilla /SHARE but is sounds better than setting protection down to w:Re so I'm off to investigate.

> Please report the problem to get the fix.

Not in a position to do that at the mo, and if Rdb Engineering can't be bothered then it can't be too important :-(

But maybe you can find the guy at VMS responsible who considers regression-testing a clean-compile and Linker-errors a manufacturing issue and get him/her to be a bit more pro-active?

Thanks again.

Cheers Richard Maher
x2084
Trusted Contributor
Solution

Re: IA64 problem with Shareable Image protection

OK, I'll try to find that guy who only made minimal (security related) changes when he took over the image activator (which some people name a complex environment). If nobody wants this fixed in an ECO, it will go into the next
major release.
Richard J Maher
Trusted Contributor

Re: IA64 problem with Shareable Image protection

Hi Hartmut,

Thanks again for your help with this!

Yes, I want it fixed in an ECO, justice *demands* it is fixed in an ECO!

Don't you dare sit there as an appologist for the incompetent that made the original change and ask me to jump through hoops :-(

But as I summed it up recently in a note to the Rdb Listserver: -

----- Original Message -----
From: Richard's Hotmail
To: oraclerdb@jcc.com
Sent: Friday, February 13, 2009 10:40 AM
Subject: Re: IA64 and protection on RDB$COSIP.EXE

In closing: -

- /SHARE=ADDRESS_DATA is starting to look like the mutt's nuts to me (although I too could have lowered the power to the sheilds and set protection to W:RE with far less security implecations in my case.)

- No one here seems too worried that anyone can now LINK or LIB$FIS to RDB$COSIP and chance their arm at some passwords. (I'd take Port Number out of the intrusion detection just in case too)

- I don't have a support agreement nor the rapport you share between VMS and Rdb engineering

As an annoying developer who used to sit across from me had a habit of solutionizing "Someone oughta do something!" :-)

Cheers Richard Maher

----- Original Message -----
From: Norman Lastovica
To: oraclerdb@jcc.com
Sent: Friday, February 13, 2009 9:15 AM
Subject: RE: IA64 and protection on RDB$COSIP.EXE

If there is a problem on VMS, Please do get in touch with HP OpenVMS support directly and they should be able to help you.

From: Richard's Hotmail Sent: Thursday, February 12, 2009 6:48 PM
To: oraclerdb@jcc.com
Subject: Re: IA64 and protection on RDB$COSIP.EXE

Hi Norm,

Thanks for the reply!

It is a bug, but a VMS/IA64 image-activator bug (that wasn't completely fixed) rather than and Rdb kitting bug. Let me illustrate on my lovely RX2600 VMS/IA64 8.3-1H1: -

$ set file/protect=w:e sys$library:rdb$cosip.exe
$ set proc/priv=(noall,tmpmbx,netmbx)
$ mc sql$
SQL> attach 'file mf_personnel user ''tier3_dev'' using ''xxx''';
%SQL-F-ERRATTDEC, Error attaching to database mf_personnel
-RDB-E-UNAVAILABLE, Rdb/Dispatch is not available on your system
-RDB-I-TEXT, %LIB-E-ACTIMAGE, error activating image RX2600$DKA100:[SYS0.SYSCOMMON.][SYSLIB]RDB$COSIP.EXE, -SYSTEM-F-NOPRIV, insuffi
cient privilege or object protection violation
SQL> exit

(See http://forums11.itrc.hp.com/service/forums/questionanswerdo?threadId=1312923 for complete details)

My problem with someone on your side is they they've arbitrarily chosen to just drop the protection on the image rather than pursue VMS Engineering to fix the problem :-(

The work around for Tier3 appears to be to simply install the T3$PRIVATE.EXE and T3$PUBLIC.EXE shareables with the /SHARE=ADDRESS option in the install utility. It would also appear from the following example that this option is not available to RDB$COSIP.EXE: -

$ set proc/priv=all
$ install remove sys$library:rdb$cosip.exe
$ install add sys$library:rdb$cosip.exe/open/head/protected/share=address
%INSTALL-I-NONSHRADR, DISK$I831H1SYS:RDB$COSIP.EXE installed ignoring '/SHARE=ADDRESS'
-INSTALL-E-NOT_MAPPED, target address not mapped
-INSTALL-I-ADDRINFO, %X00060000 (not mapped address, link-time value)

Must be a C language issue :-)

Anyway, please get on to VMS engineering to fix your problem.

Cheers Richard Maher

PS. Anyone know anything bad about installing images /SHARE=ADDRESS as opposed to a vanilla /SHARE?

----- Original Message -----

More stuff . . . .

Cheers Richard Maher
Richard J Maher
Trusted Contributor

Re: IA64 problem with Shareable Image protection

http://www.openvms.org/stories.php?story=09/06/17/4386856

Which would you rather use? (and perhaps have bundled with VMS) Just curious.

Cheers Richard Maher
Ian Miller.
Honored Contributor

Re: IA64 problem with Shareable Image protection

I guess you are comparing your DIR_WATCH_EXEC utility with the recently updated WatchDir from Jim Duff as they appear to perform the same function?

Perhaps you can open a specific thread about that and indicate if there are any particular attributes of the utilities that you wish people to compare?
Robustness, ease of use, documentation, that sort of thing?
____________________
Purely Personal Opinion