[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.

Bob Koehler koehler at eisner.nospam.decuserve.org
Tue Nov 8 05:45:07 EST 2016


In article <98a33741-2af7-449d-8b1a-ee1527b0b8c6 at googlegroups.com>, Joe <joslovefun at gmail.com> writes:
> On Monday, November 7, 2016 at 3:13:25 PM UTC+1, Bob Gezelter wrote:
>> On Monday, November 7, 2016 at 4:52:47 AM UTC-5, Joe wrote:
>> > We have a set of application users who submit some application batches
>> > on a specific user with the command SUBMIT/USER=APP$MGR. To perform
>> > this, the application users are provided with CMKRNL privilege. I
>> > notice at times some users use this privilege and submit some jobs
>> > under SYSTEM user. What would be the best way to restrict this?
>> > I'm thinking of a captive menu to get all the required details and
>> > validate the user part and then submit in the background, is this a
>> > good idea?
>> > Do we have any other option to restrict this easily?
>>
>> Joe,
>>
>> Create a separate image that does the actual SUBMIT. That image is
>> installed with the CMKRNL privilege.
>>
>> Thus, when the user invokes that image, they are able to do the
>> SUBMIT/USER, but not otherwise. When I did this a while back for a
>> client, I also imposed the requirement that the privileged program
>> checked to see if the user held a Rights Identifier related to the
>> Username that was being submitted. For additional security, protect the
>> privileged image so that the User cannot even access it unless they hold
>> a specific Rights Identifier.
>>
>> That protection scheme should satisfy most auditors.
>>
>> - Bob Gezelter, http://www.rlgsc.com
> 
> Many Thanks Bob and everyone for your inputs.
> I will try to create an image and install it with CMKRNL and then protect
> it with ACL's.

   Start out by setting up the protection so that the users who need to
   run it have E access, but not R.  For a VMS executable, E is a subset
   that allows the user to run the image, but not copy or debug it,
   which would require R.  So if there are any issues inside it, they
   don't have the tools to find them.
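
The protection scheme discussed in this thread, written out as DCL. This is an added example, not part of the original message or of any poster's actual setup; the image name SUBMIT_AS.EXE, the rights identifier APP_SUBMIT and the username APPUSER1 are hypothetical placeholders.

```dcl
$! Added example. SUBMIT_AS.EXE, APP_SUBMIT and APPUSER1 are hypothetical names.
$!
$! 1. Create a rights identifier and grant it only to the users who may
$!    run the wrapper image. AUTHORIZE looks for SYSUAF.DAT in the default
$!    directory unless the SYSUAF logical name is defined.
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER APP_SUBMIT
GRANT/IDENTIFIER APP_SUBMIT APPUSER1
EXIT
$!
$! 2. Close the UIC-based protection mask: no group or world access at all,
$!    so access for ordinary users can only come from the ACL.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) SYS$SYSTEM:SUBMIT_AS.EXE
$!
$! 3. Holders of APP_SUBMIT get EXECUTE only. Without READ they can
$!    activate the image but cannot copy or debug it.
$ SET SECURITY/ACL=(IDENTIFIER=APP_SUBMIT,ACCESS=EXECUTE) -
      SYS$SYSTEM:SUBMIT_AS.EXE
$!
$! 4. Install the image with CMKRNL so the users no longer need the
$!    privilege in their own UAF records. The image must have been
$!    linked /NOTRACEBACK to be installed with privileges.
$ INSTALL ADD SYS$SYSTEM:SUBMIT_AS.EXE /PRIVILEGED=(CMKRNL)
$!
$! 5. Verify the resulting protection, ACL and installed privileges.
$ SHOW SECURITY SYS$SYSTEM:SUBMIT_AS.EXE
$ INSTALL LIST/FULL SYS$SYSTEM:SUBMIT_AS.EXE
```

The INSTALL ADD step has to be repeated at each boot, typically from the site-specific startup procedure, and CMKRNL should be removed from the application users' accounts once the wrapper is in place.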



