HPE Community
Operating System - OpenVMS
1827293 Members
2827 Online
109717 Solutions
New Discussion

F$SETPRV()

 
Kenneth Toler
Frequent Advisor

‎10-08-2008 12:25 PM

‎10-08-2008 12:25 PM

F$SETPRV()

I am using OpenVMS 8.3.

What are the necessary priviledges to be able to delete a VMS file using the F$SETPRV() lexical?
0 Kudos
10 REPLIES 10
Jon Pinkley
Honored Contributor

‎10-08-2008 12:48 PM

‎10-08-2008 12:48 PM

Re: F$SETPRV()

This is similar to asking

"What is the proper torque to tighten a bolt"

It depends.

The answer to your question is:

It depends on what protection is applied to the file, and how they apply to the process requesting the deletion. The process needs delete access to the file, and write access to the directory that the file is entered in.

If you want to be able to delete the file regardless of the protection, then the VMS privilege that will grant that is BYPASS. But hopefully that isn't available.

Jon
it depends
0 Kudos
Kenneth Toler
Frequent Advisor

‎10-08-2008 01:10 PM

‎10-08-2008 01:10 PM

Re: F$SETPRV()

I am required to replace the BYPASS priviledge with other priviledges so that I will not have to use the BYPASS priviledge.
0 Kudos
Jon Pinkley
Honored Contributor

‎10-08-2008 01:13 PM

‎10-08-2008 01:13 PM

Re: F$SETPRV()

Who owns the files?

What is the protection?

I.e. if you do a

$ directory/security file.dat

what does it show?
it depends
0 Kudos
Robert Gezelter
Honored Contributor

‎10-08-2008 01:33 PM

‎10-08-2008 01:33 PM

Re: F$SETPRV()

Kenneth,

Please consider the possibility of using an ACL to permit deletion of the file. That will remove the need for any privilege (although the anointed users will need to hold the Identifier). This is also a far easier alternative for auditors to accept.

The privilege level, on the other hand, can be easily mis-used. Depending upon where the file is and how it is protected, GRPPRV or SYSPRV suffice for most files. However, each is more easily abused (in increasing order of severity).

As mentioned earlier in this post, whenever similar situations arise at clients, I always recommend using ACLs and identifiers, it is far safer.

- Bob Gezelter, http://www.rlgsc.com

0 Kudos
Steven Schweda
Honored Contributor

‎10-08-2008 01:56 PM

‎10-08-2008 01:56 PM

Re: F$SETPRV()

If you wish to delete a file, having
appropriate protection on the file can help.
If that's too hard, then an ACL can help.
If that's too hard, then BYPASS can help.

> [...] I am required to replace the BYPASS
> priviledge [...]

"privilege". ("HELP SET PROCESS".)

Why did you need BYPASS before? How many
other good suggestions will you say are not
allowed only after someone has made them?

It's often helpful to describe the actual
problem to be solved, including the
constraints on the solution, rather than to
ask how to implement some particular
(possibly lame) (non-)solution to that
problem.
0 Kudos
Hoff
Honored Contributor

‎10-08-2008 02:10 PM

‎10-08-2008 02:10 PM

Re: F$SETPRV()

I will here make multiple leaps and several guesses and an odd assumption or three here around the purposes and goals, and guess that the appropriate solution for the intended question is a resource identifier and an ACL. The resource identifier means you can have a pool of storage that designated processes can use (it can have a quota) and the identifier also means that a mixture of processes can manage a group of files without privileges.

Another approach is an image that is installed with BYPASS (or configured with a subsystem identifier) that can perform necessary verifications and delete the file as appropriate.

But in seriousness here, the lack of background information and the lack of a general problem description means no certain answer is possible. We can guess.
0 Kudos
Hein van den Heuvel
Honored Contributor

‎10-08-2008 03:13 PM

‎10-08-2008 03:13 PM

Re: F$SETPRV()

Guys, tune down the pshysic powers and just stick to the question.

>> What are the necessary priviledges to be able to delete a VMS file using the F$SETPRV() lexical?

None. It is impossible to delete a file with the F$SETPRV lexical on matter how hom many privs you throw at it.

Sorry... couldn't resist.

>> I am required to replace the BYPASS priviledge with other priviledges so that I will not have to use the BYPASS priviledge.

And rightly so. BYPASS is scary and should only be used as last resort.

Other have pointed the SYSPRV, or having a UIC under SYSGEN MAXSYSGROUP may be a handy and slightly less dangerous option. ACLS and identifiers are often the cleanest and clearest way to go.

Cheers,
Hein.
0 Kudos
Willem Grooters
Honored Contributor

‎10-09-2008 02:37 AM

‎10-09-2008 02:37 AM

Re: F$SETPRV()

>> to replace the BYPASS priviledge ...

If the application _requires_ BYPASS, it should NEVER have been deployed. Period.

BYPASS is, as Hein said, a last resort, to be used if, and only if, anything else fails. And YOU should be in control. Not some piece of software.
As all have said already, there are alternatives, and the application should have been developed, tested and deployed using the alternative. It should only have the privilege it realy needs on the moment it really needs them.

BYPASS should NEVER be one of them.

If you developed the application yourself, return from your dwellings and take the right route. Use ACL's and identifiers. It's not too late :)

If you purchased the application, do NOT follow the installation manual and use ACL and identifiers as stated. If that works, fine. If not, return the package to the manufacturer to have it done the proper way. Or ban them altogether.

(sorry, couldn't resist either...)
Willem Grooters
OpenVMS Developer & System Manager
0 Kudos
Kenneth Toler
Frequent Advisor

‎10-09-2008 04:21 AM

‎10-09-2008 04:21 AM

Re: F$SETPRV()

I am not familiar with how to use ACLs. Can you show me an example of how one is used to delete files?
0 Kudos
Hein van den Heuvel
Honored Contributor

‎10-09-2008 05:41 AM

‎10-09-2008 05:41 AM

Re: F$SETPRV()

ACL's are not used to delete a file.
The DELETE command is used to delete a file (or a corresponding language function).

ACLs give or take away the right to delete a file.

Read all about it, if you want to learn or give the assignment to someone else who is qualified a capable to do it.

Securtiy manual:

http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl


$HELP HINT SECURITY

Cheers,
Hein.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.