[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.
Joe
joslovefun at gmail.com
Tue Nov 8 07:37:04 EST 2016
On Tuesday, November 8, 2016 at 10:39:49 AM UTC+1, Roy Omond wrote:
> On 08/11/16 09:02, Joe wrote:
> > On Monday, November 7, 2016 at 3:13:25 PM UTC+1, Bob Gezelter wrote:
> >> On Monday, November 7, 2016 at 4:52:47 AM UTC-5, Joe wrote:
> >>> We have a set of application users who submit some application batches on a specific user with the command SUBMIT/USER=APP$MGR. To perform this, the application users are provided with CMKRNL privilege. I notice at times some users use this privilege and submit some jobs under SYSTEM user. What would be the best way to restrict this?
> >>> I'm thinking of a captive menu to get all the required details and validate the user part and then submit in the background, is this a good idea?
> >>> Do we have any other option to restrict this easily?
> >>
> >> Joe,
> >>
> >> Create a separate image that does the actual SUBMIT. That image is installed with the CMKRNL privilege.
> >>
> >> Thus, when the user invokes that image, they are able to do the SUBMIT/USER, but not otherwise. When I did this a while back for a client, I also imposed the requirement that the privileged program checked to see if the user held a Rights Identifier related to the Username that was being submitted. For additional security, protect the privileged image so that the User cannot even access it unless they hold a specific Rights Identifier.
> >>
> >> That protection scheme should satisfy most auditors.
> >>
> >> - Bob Gezelter, http://www.rlgsc.com
> >
> > Many Thanks Bob and everyone for your inputs.
> > I will try to create an image and install it with CMKRNL and then protect it with ACLs.
>
> A quick-n-easy way to start would be to copy SUBMIT.EXE to, say,
> XUBMIT.EXE, and add a suitable entry (use VERB to get the current SUBMIT
> command language definition, and edit accordingly) to
> DCLTABLES. Appropriate security settings can then be added to
> the image file (e.g. AUDIT entries for successful access etc. etc.)
Thank you once again,
I tested this on my test machine and it looks like I'm missing something here.
Test_Joe> define/system/exe pni_submit DISK$USER:[SYSMGT.JOE.PNI_SUBMIT]pni_submit.exe
Test_Joe> mc authorize add/id pni_submit_exec
%UAF-I-RDBADDMSG, identifier PNI_SUBMIT_EXEC value %X80010183 added to rights database !!!!! Yet to configure ACL's
Test_Joe> install add pni_submit /open/header/priv=(cmkrnl)
Test_Joe> set command pni_submit.cld
Test_Joe> create test.com
$write sys$output f$edit(f$getjpi(0, "username"), "trim")
$exit Exit
Test_Joe> pni_submit test.com/noprint
%CLI-F-SYNTAX, error parsing 'BURST'
-CLI-E-ENTNF, specified entity not found in command tables
*********
.CLD: (Got the CLD file from SYS$SYSDEVICE:[SYS0.SYSCOMMON.SYSUPD]submit.cld)
define type allowed_user
keyword system, default
define verb pni_submit
image pni_submit
parameter p1,prompt="File",value(required,list,impcat,type=$infile)
.
.
.
qualifier user, value(TYPE=allowed_user), DEFAULT
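As an added example (not part of the thread, and not Joe's, Bob's or Roy's commands), this is one way to finish the protection Bob and Roy describe once the verb parses: lock the installed image down so only holders of the PNI_SUBMIT_EXEC identifier can execute it, audit every execution attempt, and grant the identifier to a single user. The image path and identifier name are taken from Joe's session above; the username ALLOWED_USER is a placeholder. One caveat on the CLD itself: the copied SUBMIT image still asks the CLI (CLI$PRESENT) for every qualifier of the original verb, so the PNI_SUBMIT verb definition has to keep the full qualifier set from SUBMIT.CLD, not just /USER; a qualifier that is missing from the verb is exactly what the CLI-E-ENTNF message for 'BURST' is reporting.

```dcl
$ ! Constructed example: protect the privileged PNI_SUBMIT image.
$ ! Path and identifier name are from Joe's session; ALLOWED_USER is a placeholder.
$ image = "DISK$USER:[SYSMGT.JOE.PNI_SUBMIT]PNI_SUBMIT.EXE"
$ !
$ ! 1. Remove GROUP and WORLD access from the UIC-based protection, so the
$ !    ACL below is the only way a non-SYSTEM user can reach the image.
$ SET SECURITY/PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) 'image'
$ !
$ ! 2. Identifier ACE: only holders of PNI_SUBMIT_EXEC may read/execute it.
$ SET SECURITY/ACL=(IDENTIFIER=PNI_SUBMIT_EXEC,ACCESS=READ+EXECUTE) 'image'
$ !
$ ! 3. Audit ACE: record successful and failed execute attempts in the
$ !    security audit log (Roy's "AUDIT entries for successful access").
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS+FAILURE) 'image'
$ !
$ ! 4. Show the resulting protection and ACL for review.
$ SHOW SECURITY 'image'
$ !
$ ! 5. Grant the identifier to the one user who is allowed to run it.
$ RUN SYS$SYSTEM:AUTHORIZE
GRANT/IDENTIFIER PNI_SUBMIT_EXEC ALLOWED_USER
EXIT
$ !
$ ! 6. Re-install the image with the privilege it needs, keeping it
$ !    /OPEN and /HEADER_RESIDENT as in Joe's original INSTALL ADD.
$ INSTALL REPLACE PNI_SUBMIT /OPEN/HEADER_RESIDENT/PRIVILEGED=(CMKRNL)
```

With the UIC protection closed to GROUP and WORLD, a user without PNI_SUBMIT_EXEC gets a protection violation and an audit record instead of the image, and the CMKRNL privilege only ever exists inside that image, never in the user's own process.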