02-02-2006 09:11 PM
INSTALL installed with privileges?
I would expect a tool like that to rely on the process privileges of the system manager!
Bart Zorn
02-03-2006 04:48 AM
Re: INSTALL installed with privileges?
Maybe to allow users without CMKRNL to use INSTALL LIST commands to obtain information about installed images etc.?
To actually install any images, you need CMKRNL anyway (INSTALL checks for that).
Volker.
02-05-2006 06:55 AM
Re: INSTALL installed with privileges?
The INSTALL utility is documented to require CMKRNL privilege. Some of the functions require other privileges. For example, LIST requires AUDIT privilege.
Rather than stipulate the specific combinations of privilege required for each command, the image is installed with the complete set. Some commands (like LIST) are permitted even for unprivileged users, others require CMKRNL.
Naturally INSTALL will work without being installed (otherwise, how could it get installed?), but then relies entirely on the privileges of the process which activated it, and will require more than just CMKRNL for some functions. To see what INSTALL does without being installed with privileges try:
$ MCR INSTALL.EXE;
INSTALL> /LIST
-SYSTEM-F-NOAUDIT, operation requires AUDIT privilege
(note that in this mode it uses the archaic command syntax which requires all commands to start with "/").
02-05-2006 06:13 PM
Re: INSTALL installed with privileges?
Audit = may direct audit to system security audit log
What has install list to do with that?
Wim
02-05-2006 07:03 PM
Re: INSTALL installed with privileges?
And indeed, requiring AUDIT privilege for /LIST does not seem appropriate. Something like SYSPRV or CMKRNL looks more to the point.
Thanks for your thoughts!
Bart
02-05-2006 07:40 PM
Re: INSTALL installed with privileges?
AUTHORIZE : AUDIT
MAIL_SERVER : SYSPRV
NCP : AUDIT (strange, we use NCL but NCL is not installed with privs while showing the same kind of info)
PHONE : SYSNAM, OPER
SET : BYPASS
SYSGEN : AUDIT
SYSMAN : AUDIT
TCPIP$FTP_CLIENT : OPER, PSWAPM (never saw this one before : may change process swap mode)
...
It seems that the author decides who can use the image for free.
This is what the manual says about AUDIT :
The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS. In addition, the $AUDIT_EVENT system service allows all components of an audit message to be specified. As a result, this privilege permits the logging of events that appear to have come from the operating system or a user process.
Not quite correct I would say.
Wim
02-05-2006 10:57 PM
Re: INSTALL installed with privileges?
Well, the use of AUDIT makes sense to me:
"The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS"
This is exactly what you are doing when AUDIT is SET for use of privs for access, or for signaling access failure etc.
So, makes sense after all?
my EUR 0.02
Proost.
Have one on me.
jpe
02-05-2006 11:10 PM
Re: INSTALL installed with privileges?
So, I need AUDIT to use authorize so it can write messages to the audit file.
But when I have a file access failure and audit is enabled for file access failures, an audit message is written without requiring AUDIT from the process that had the active image.
?
Wim
02-06-2006 01:35 PM
Re: INSTALL installed with privileges?
>can use the image for free.
Precisely! For example: Normally an unprivileged user cannot get information about other processes through (say) $GETJPI. But the SHOW SYSTEM command can display that (privileged) information for any unprivileged user. Why? Because SHOW.EXE is installed with, among other things, WORLD privilege.
Installing an image with privilege allows you to permit unprivileged users to perform privileged tasks in a controlled, and, hopefully, safe manner. Typically the image needs to explicitly enable and disable privilege as required to prevent loopholes where privilege can be exploited.
So, INSTALL will allow an unprivileged user to issue a LIST command and get output, BUT it won't allow the same unprivileged user to INSTALL ADD an image. INSTALL checks for privileges for some operations, but not for others.
>But when I have a file access failure
>and audit is enabled for file access
>failures, an audit message is written
>without requiring AUDIT from the process
>that had the active image.
Yes, the code thread issuing the message is either executing in a privileged image, or is in kernel mode, where all privileges are enabled. The important thing is entry into privileged images or modes is controlled to prevent abuse.
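Added example, not part of the original post and not OpenVMS source: a portable C model of the pattern described above, where an image installed with privileges serves LIST to any caller but gates ADD on the caller's own CMKRNL, enabling each privilege only around the operation that needs it. The bit values, struct and function names are assumptions made for the illustration; the NOAUDIT result corresponds to the uninstalled MCR run shown earlier in the thread.

```c
/* Portable model, not OpenVMS code: privilege bits are constructed values. */
#include <stdint.h>
#include <stdio.h>

enum { PRV_CMKRNL = 1u << 0, PRV_AUDIT = 1u << 1 };
enum cmd { CMD_LIST, CMD_ADD };
enum status { ST_OK, ST_NOCMKRNL, ST_NOAUDIT };

struct activation {
    uint32_t process_privs; /* held by the process that activated the image */
    uint32_t image_privs;   /* granted at install time; 0 when run uninstalled */
    uint32_t enabled;       /* privileges switched on right now */
    uint32_t ever_enabled;  /* record of everything that was switched on */
};

/* Switch a privilege on only if the process or the installed image supplies it. */
static int enable(struct activation *a, uint32_t want)
{
    if (((a->process_privs | a->image_privs) & want) != want) return 0;
    a->enabled |= want;
    a->ever_enabled |= want;
    return 1;
}

static void disable(struct activation *a, uint32_t drop) { a->enabled &= ~drop; }

enum status install_command(struct activation *a, enum cmd c)
{
    uint32_t need = (c == CMD_ADD) ? PRV_CMKRNL : PRV_AUDIT;
    /* ADD is gated on the caller's own privileges, never on the image's. */
    if (c == CMD_ADD && !(a->process_privs & PRV_CMKRNL)) return ST_NOCMKRNL;
    /* LIST is open to any caller, but the work itself still needs AUDIT. */
    if (!enable(a, need)) return c == CMD_ADD ? ST_NOCMKRNL : ST_NOAUDIT;
    /* The privileged operation runs here, inside the narrowest bracket. */
    disable(a, need);
    return ST_OK;
}

int main(void)
{
    struct activation cases[] = {
        { 0, PRV_CMKRNL | PRV_AUDIT, 0, 0 },  /* unprivileged user, installed image */
        { PRV_CMKRNL, 0, 0, 0 },              /* CMKRNL only, image run uninstalled */
    };
    for (int i = 0; i < 2; i++)
        printf("case %d: LIST=%d ADD=%d\n", i,
               install_command(&cases[i], CMD_LIST),
               install_command(&cases[i], CMD_ADD));
    return 0;
}
```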
02-06-2006 06:07 PM
Re: INSTALL installed with privileges?
>can use the image for free.
And if the author decided to give it for free anyone can do it (show sys), if not you need privs (show proc).
If the rule is that you need privs for watching processes not belonging to you, show sys should adjust the output too. A bit like decservers that have even help adjusted according to privs.
Wim
02-06-2006 06:46 PM
Re: INSTALL installed with privileges?
I have seen several other lines in VMSIMAGES.DAT which raised my eyebrows, but the one for INSTALL made me post the question.
Regards,
Bart Zorn