Operating System - OpenVMS

Re: execute access on SYSUAF.DAT

 
Bruno Seghers
Advisor

execute access on SYSUAF.DAT

Hi,

I installed a patch on a third-party scheduler product ($U from Orsyp). Since then, I have had security problems with the SYSUAF.DAT file.
Users who run tasks under the scheduler generate a protection error: they try to access SYSUAF.DAT in execute mode.

My question is: what is the risk of giving (W:E) protection on SYSUAF.DAT? In the VMS doc I only see that execute access authorizes running an image or using @ on a DCL file.

Thanks for help

Seghers Bruno
7 REPLIES 7
Wim Van den Wyngaert
Honored Contributor

Re: execute access on SYSUAF.DAT

Hi Bruno,

Long time no see.

I have no knowledge of side effects except that you can @ the sysuaf file.
BTW: over here they are RE with no side effects.

CU

Wim
Volker Halle
Honored Contributor

Re: execute access on SYSUAF.DAT

Wim,

setting SYSUAF.DAT to WO:RE is an invitation to hackers to try and crack your passwords.

The default protection for SYSUAF.DAT would be: SYSTEM:RWED, OWNER:RWED and nothing else.

Volker.
Wim Van den Wyngaert
Honored Contributor

Re: execute access on SYSUAF.DAT

If you give W:R to the sysuaf, a user could do open/share=read/read and thus prevent other processes from updating it. This could cause hanging processes (password changes, update date last login, etc).

Wim
Ian Miller.
Honored Contributor

Re: execute access on SYSUAF.DAT

Is the product asking for execute only or read and execute (the audit entry should tell you)?
____________________
Purely Personal Opinion
Bruno Seghers
Advisor

Re: execute access on SYSUAF.DAT

Execute only
Wim Van den Wyngaert
Honored Contributor

Re: execute access on SYSUAF.DAT

I tested it, and with RE your system hangs after open/read/share=read.

In accounting: error accessing system authorization file, and this for all new processes.

Wonder what other files I could use in this way ... should check *.dat at least.

Wim
Ian Miller.
Honored Contributor

Re: execute access on SYSUAF.DAT

The original question is about the risk of execute only access for world.

One way of restricting this risk would be to add an ACL with an ACE granting execute access to holders of a specific identifier. Then grant that identifier to users who need to run a task under the scheduler.

I think that the locking problem mentioned above needs read access.
____________________
Purely Personal Opinion
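
The ACL approach suggested in the last reply, written out as an added example that is not part of the original thread. The identifier name SCHED_UAF_EXEC and the username JSMITH are hypothetical, and SYSUAF.DAT is assumed to be in its default location, SYS$SYSTEM.

```dcl
$! Added example, not from the thread. SCHED_UAF_EXEC and JSMITH are
$! hypothetical names; SYSUAF.DAT is assumed to be in SYS$SYSTEM
$! (no SYSUAF logical name pointing elsewhere).
$!
$! 1. Check the audit journal to confirm which access the scheduler
$!    image requested (execute only, or read and execute).
$ ANALYZE/AUDIT/EVENT_TYPE=ACCESS/FULL SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! 2. Keep the default protection code: nothing for group or world.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) SYS$SYSTEM:SYSUAF.DAT
$!
$! 3. Create a rights identifier and grant it only to the accounts
$!    that run tasks under the scheduler.
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER SCHED_UAF_EXEC
GRANT/IDENTIFIER SCHED_UAF_EXEC JSMITH
EXIT
$!
$! 4. Add an ACE that gives holders of the identifier execute access
$!    only. Read access is not granted.
$ SET SECURITY/ACL=(IDENTIFIER=SCHED_UAF_EXEC,ACCESS=EXECUTE) SYS$SYSTEM:SYSUAF.DAT
$!
$! 5. Verify the resulting protection code and ACL.
$ SHOW SECURITY SYS$SYSTEM:SYSUAF.DAT
```

A newly granted identifier is picked up when the process rights list is built at login, so affected users need to log in again before retesting.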