run/uic= does not start process as other user

Tim Nelson · ‎08-09-2004

I am running a detached process but would like it to execute under another user. Below is the run command and switches but the process still runs as "system" not the user "cron". The user named "CRON" is set up with difference quotas in SYSUAF.
I have read and read but cannot find what I am doing wrong. Any ideas ?? Thanks !!!
$ run -
/detach -
/input = admin:[util.cron]cron.com -
/output = admin:[util.cron.log]cron.log -
/error = admin:[util.cron.log]cron.error -
/process = "Cron_DAEMON" - /queue_limit = 30 -
/subprocess_limit = 50 -
/page_file = 10000 -
/time_limit = 0 -
/extent = 1024 -
/file_limit = 50 -
/uic = [CRON] -
/prior=10 -
/authorize -
sys$system:loginout.exe

Uwe Zessin · ‎08-09-2004

Tim,
a username is not the same as a UIC (user identification code). The UIC (a 32-bit value) is used for protection checks, but the username (1 to 12 characters) is used for authentication.

There can be multiple usernames with the same UIC in the SYSUAF.

In the past I used an implementation of CRON that started the user's jobs with a 'SUBMIT/USERNAME'. That has the advantage that this is a completely different process that runs with the correct username, the correct quotas, privileges and rightslist identifiers.

If you start the user's jobs as a subprocesses you should note that they will also share the pooled quotas like PGFLQUO with the master process (CRON).

You might be able to worm around the username problem with one of the newer system services like SYS$PERSONA_?, but I don't have experience with them and the problem of pooled quotas is still there.

.

Tim Nelson · ‎08-09-2004

So what you are saying is a run/detach/uic=[x,x] is not the same as submit/user=username

Right ?

Tim Nelson · ‎08-09-2004

Sorry I know that last statement has a lot of comments that could be written. Let me restate.

Assuming all the other stuff is known. i.e. run/detached and submit to queue are obviously completely different in nature.

submit/user=USERNAME exeutes the process just like the USER entered it themselves. Uses full user envrironment based and SYSUAF entries.

run/uic= executes the process but only uses the defined uic with regards to file security but does not "become" the user completely like the submit/user does.

Sorry for leaving that one so open. :(

Uwe Zessin · ‎08-09-2004

Yes.
Yes.
Yes.
Yes.

Clearer now? ;-)

In older versions of VMS it was easy to do 'SET UIC [g,m]'. Well, you can still do it, but today we have ownership and protections on many objects that it does not really make sense.

Do a 'SHOW LOGICAL/FULL /TABLE=LNM$JOB', for example. I think you can understand that a change of your UIC can easily remove access to your own job logical name table where names like SYS$LOGIN reside.

.

Tim Nelson · ‎08-09-2004

Glad you straitened me out on that one !! :)

Thanks again, over and over.

(as you have figured out by now I am a UNIX guy, now delving into the wonderfull world of VMS)

Uwe Zessin · ‎08-09-2004

Each 'Yes' was supposed to answer one question - I hope I got that right.

You know, there are 3 types of people, those who can count and those who cannot ;-)

There is nothing wrong being a Unix guy. Perhaps, one day, you can help me with a HP-UX question.

.

Tim Nelson · ‎08-09-2004

Yep, I got it.

More than happy to help with HPUX. I have 25 E - RP class servers and have experienced alot of things over the last 12 years.

Let me know if I can ever help.

Thanks !

Antoniov. · ‎08-09-2004

Hi Tim,
I guess you are an unix person so in another thread I posted some link for unix/vms conversion commands.
From unix to vms
http://www.think-forward.com/tips/Ivmsunix.htm
http://www.ctstateu.edu/help/unix/vms2unix.html
http://wwwvms.mppmu.mpg.de/vmsdoc/UNIX_VMS_CMD_XREF.HTML
From vms to unix
http://www.bc.edu/offices/ats/rits/research/hardware/howto/usingunix/vmstounix/
http://www.mssl.ucl.ac.uk/www_computing/buns/vms_to_unix.html

About difference between submit and run/uic, submit limit numer of job (may be 1 job for time too) while run/uic execute always the process.
Submit add a new process to a batch queue and if batch is busy, process stay holding until queue become avaiable; when batch queue is created you can define the max # of job:
$ INIT/QUEUE /BATCH/JOB=#

Antonio Vigliotti

Antonio Maria Vigliotti

Martin Vorlaender · ‎08-09-2004

Uwe wrote:
>>>
a username is not the same as a UIC (user identification code). The UIC (a 32-bit value) is used for protection checks, but the username (1 to 12 characters) is used for authentication.

There can be multiple usernames with the same UIC in the SYSUAF.
<<<

To extend that a bit: there's a translation table between UICs and usernames in the file RIGHTSLIST.DAT (normally in SYS$SYSTEM:).

If you have access to that file, using the AUTHORIZE utility you can list the translations using

UAF> SHOW /IDENTIFIER /USER=* ! sorted by username
UAF> SHOW /IDENTIFIER /USER=[*,*] ! sorted by UIC

HTH,
Martin

Uwe Zessin · ‎08-09-2004

No, I don't think so. The rightslist contains a mapping between UIC/general identifer (32-bit values) and alphanumeric names (identifiers) - take a dump of RIGHTSLIST.DAT.

While the online help says that you grant an identifier to a user it is technically incorrect. An identifier is assigned to a UIC value - see attached dialogue.

A UIC is a 32-bit value with the MSB=0. A general identifier is a 32-bit value with the MSB=1 [>=80000000(16)]. That is how resource identifiers can work:
- it is a general identifier with the RESOURCE attribute
- the owner of a directory/file is now the general identifier, not a UIC

.

Uwe Zessin · ‎08-09-2004

Oh, sorry. Forgot to attach the file.

.

Antoniov. · ‎08-09-2004

After details about UIC, system ident, etc, I guess Tim may be confused.
Tim,
when I add a new user, to avoid any confusion, I always assign a new UIC and assign new identifier with same UIC.
UAF>ADD newuser /UIC=[g,i]
UAF>ADD/ID newuser /VALUE=UIC:[g,i]
In this way I work in same manner of unix and I see owner of file as username.
I manage little system (less than 100 user) and this simplify my work.

Antonio Vigliotti

Antonio Maria Vigliotti

Uwe Zessin · ‎08-09-2004

Interesting. My experience is that AUTHORIZE automatically adds a UIC-based identifier as long as there is none yet in RIGHTSLIST. And it will even add an identifier for the UIC group if the user's account name does not map to an existing identifier:

UAF> add xyz/uic=[414,414]
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier XYZ value [000414,000414] added to rights database
UAF> add xyz2/uic=[414,414]/account=zxy
%UAF-I-ADDMSG, user record successfully added
%UAF-E-RDBADDERRU, unable to add XYZ2 value [000414,000414] to rights database
-SYSTEM-F-DUPIDENT, duplicate identifier
%UAF-I-RDBADDMSGU, identifier ZXY value [000414,177777] added to rights database
UAF>

.

Martin Vorlaender · ‎08-09-2004

You're right, of course.

I once saw a system where every account was explicitely copied from the default account - without assigning a new UIC. So every user came with a UIC of [200,200]. Not a pretty sight...

What I meant to say: On a properly administered machine, there is a mapping between rights identifiers (equalling usernames) and UICs.

If you do a $ DIRECTORY /OWNER, every username you see is really a UIC seen through that mapping.

cu,
Martin

Jan van den Ende · ‎08-09-2004

Uwe,

yes, that is the current behavior. And I am glad they changed it! Until not-too-long ago, creating a new username with an UIC that had already an associated identifier renamed the value of the identifier to the NEW username, leaving the EXISTING username without an associated identifier value.

Since I have noticed many posters here running older versions of VMS, I think this warning still has value to a lot of people!

But yes, it is good practise to make sure the value you are about to assign is still free.
And maybe in Antonio's case of ~100 users, conflicting assignments can be fairly easily resolved, but imagine 10K + users, in a rather security-sensitive environment like ours...
That makes it absolutely ESSENTIAL to have stickt procedures, with validation before action, in place.

Jan

Don't rust yours pelled jacker to fine doll missed aches.

Uwe Zessin · ‎08-09-2004

Jan,
as far as I can tell this has never been the case (and I started using identifier on VAX/VMS V4.x), but I might mis-understand you.

Assume you have user U1 with UIC: [2,1] and identifier U1 with the same UIC.

Now you create user U2 with UIC: [2,1], too. I have never ever seen that identifier U1 was renamed to U2 as you claim.

The problem starts when the system manager realizes his error and changes the UIC of user U2 to another value, lets say [3,1]. In this case the system grabs identifier U1 and changes its UIC to [3,1]. Great!

Now you have:
- user U1, UIC: [2,1], no identifier for UIC:[2,1]
- user U2, UIC: [3,1]
- identifier U1, UIC=[3,1]

The correct way would be:
UAF> modify U2/uic=[3,1]/nomodify_identifier
UAF> add/identifier U2 /value=uic=[3,1]

.

Antoniov. · ‎08-10-2004

Jan,
even I have little system, because I'm lazy I wrote a little DCL procedure to add new user. So I don't search for avaiable UIC and I create home directory too with standard LOGIN.COM; also I set pwdlifetime and temporary standard password /PWDEXPIRED.
Then my user enter into system and change his own password.
I never meet problem about UIC or similar.

Antonio Vigliotti

Antonio Maria Vigliotti

Martin Vorlaender · ‎08-10-2004

Antoniov,

you mean like SYS$EXAMPLES:ADDUSER.COM ?

;-)

cu,
Martin

Antoniov. · ‎08-10-2004

No Martin,
I wrote a simple standard procedure; first of this because I use semigraphical environment to make all system feature.
I release theese utility to my customers that are very beginner users.
They can add a new user among 3 profiles, enable/disable user, force temporary password when somebody forgot it and a few other options.
Obviously I read ADDUSER.COM before, some years ago.

Antonio Vigliotti

Antonio Maria Vigliotti

Tim Nelson · ‎08-10-2004

Thanks to all for all the info. I do believe I have got it.

In summary:
If I wish to execute a process with the environment of another user ( i.e. users, quotas, login dir, username, etc) I must submit via a batch with the /user switch.

Running /detatched will only allow /uic= which would cause the process to run with a specific uic and its file security but not it's environment ( i.e. quotas, login dir, etc )

Wim Van den Wyngaert · ‎08-11-2004

Tim,

Also check http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=630742 for simular problems.
Also note that some logicals like sys$scratch are missing. Thus, some programs may be unable to run.
Just do submit/user ... and hope "su -"
gets implemented someday.

Wim

Wim

Uwe Zessin · ‎08-11-2004

I think one can emulate 'su -' with HGLOGIN to a certain level:
http://vms.process.com/scripts/fileserv/fileserv.com?HGLOGIN

.

Wim Van den Wyngaert · ‎08-11-2004

Uwe,

But if you use this freeware who is responsible for support ? We now pay lots of money to HP to have support. The "su -" should be within the support contract. Otherwise it is cheaper to use a free OS.
(I only use freeware such as zip and dfu for non-essential things)

Wim

Wim

Uwe Zessin · ‎08-11-2004

Have you logged a call with HP so they know that you want 'su -'?

.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

run/uic= does not start process as other user

run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user

Re: run/uic= does not start process as other user