[Info-vax] ACL Protection On An Image
VAXman- at SendSpamHere.ORG
Wed Mar 25 10:33:12 EDT 2009
In article <97944229-d08a-4761-ac50-2bd4268c76f5 at g38g2000yqd.googlegroups.com>, lee_morgan at hotmail.co.uk writes:
>On 25 Mar, 08:20, IanMiller <g... at uk2.net> wrote:
>> On 25 Mar, 02:18, lee_mor... at hotmail.co.uk wrote:
>>
>> > Hello
>>
>> > I am looking for a method to control access to a specific image that I
>> > have residing on disk (not installed into memory).
>>
>> > I have modified the protection on the image from W:RWE to W:R and now
>> > want to allow access, only via a Rights Identifier.
>>
>> > I would prefer to create an ACL on the physical .exe file but when I
>> > try to do this I am having a few issues.
>>
>> > Firstly, I create the rights identifier that I will use to control the
>> > access. Then I create the ACL on the executable, using the aforementioned
>> > rights identifier. Finally I grant the rights identifier to a
>> > specific user but when they try to run the image, they are not
>> > authorized to execute it.
>>
>> > When creating the ACL, I specified ACCESS=EXECUTE but still no joy.
>>
>> > Any pointers would be greatly appreciated.
>>
>> > Maybe I am missing something and you cannot actually use this method.
>>
>> > I've also read about using SUBSYSTEM ACLs but didn't want to make this
>> > too complicated.
>>
>> > Thanks in advance.
>>
>> > Lee.
>>
>> Note that granting executing only access causes some special
>> behaviour. What happens exactly?
>
>
>Hi and thanks for your comments.
>
>Yes, I ensured the user does have the rights identifier and that they
>logged off and back on but still no joy.
>
>The image now looks like so....
>
>ROBOT.EXE;8 78 15-DEC-2005 14:32:39.97
>[SYSTEM] (RWED,RWED,RWED,R)
> (IDENTIFIER=ROBOT$MANAGER,ACCESS=READ+EXECUTE)
>
>But the user still cannot access the image...
>
>$ robot show robot
>ROBOT $2$GGA0: is not responding: Permission denied.
>%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
>
>$ show proc/rights
>
>25-MAR-2009 11:02:39.69 User: GTHORNTON Process ID: 00129E7B
> Node: CAMUAT Process name: "GTHORNTON"
>
>Process rights:
> GTHORNTON resource
> INTERACTIVE
> REMOTE
> ROBOT$MANAGER
>
>System rights:
> SYS$NODE_CAMUAT
>
>Thanks again in advance.
You are running the image. It appears that the NOPRIV is from the image
attempting access to the device. Is this the Media Robot Utility (MRU)?
The MRU needs certain privileges to access the generic SCSI device
associated with the tape shuffler. If the user does not have the necessary
privileges, it doesn't matter if they can or cannot run the MRU. You'll
need to install the MRU image with privileges to do what you want these
users to do. See

    $ HELP ROBOT Privileges

for the necessary privileges to install this image. You may, like I said
in a prior message in this thread, wish to look into protected subsystems
for this.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
http://www.quirkfactory.com/popart/asskey/eqn2.png
"Well my son, life is like a beanstalk, isn't it?"