
Conference iosg::all-in-1_v30

Title: *OLD* ALL-IN-1 (tm) Support Conference
Notice: Closed - See Note 4331.l to move to IOSG::ALL-IN-1
Moderator: IOSG::PYE
Created: Thu Jan 30 1992
Last Modified: Tue Jan 23 1996
Last Successful Update: Fri Jun 06 1997
Number of topics: 4343
Total number of notes: 18308

3672.0. "Does submission to Oa$script require major privs?" by AIMTEC::SIMPSON_L () Fri Dec 17 1993 01:17

    Hi,
    
    My customer is running ALL-IN-1 V3.0-1.  He has an application written for
    him  by someone else.  This application has a Lib$spawn in its code.  He
    recently discovered that non-prived users could not run the application
    because they were told they had no privs for the attempted operation when
    the Lib$spawn was attempted.  Here is what he wants to do:
    
    1.  Submit a script to the script symbiont which calls
    a command procedure using GET OA$DCL="@COMMPROC"
    2.  This procedure runs the application with the Lib$spawn in it.
    
    He and I discovered that if the account which submits the script does not
    have one of 3 privs: Sysprv, Setprv or Bypass, the procedure stops with a
    "no priv for attempted operation" error when it hits the Lib$spawn.
    
    If the script is run interactively, things work fine.  But, the customer
    would rather submit it to the script symbiont.
    
    We set up a test script and comm file which I list below.  My comm file
    does not issue a Lib$spawn but does issue a Dcl spawn command to get a
    directory listing.  We get the same results with our test case if the
    account submitting the script does not have one of the above 3 listed
    privs.
    
    Can anyone help?  Is there a workaround where he could still use the script
    symbiont to submit the script but not have to give non-prived users access
    to some rather powerful privs?
    
    Thanks very much!!!
    
    !JEFF.SCP
    GET OA$DCL="@JEFF"
    .EXIT
    
    
    $!JEFF.COM
    $CALL/OUT=GRITS5:[SIMPSON_L.DIA]A.LOG JEFF
    $JEFF: SUBROUTINE
    $SET VERIFY
    $SPAWN DIR
    $ENDSUBROUTINE
    $EXIT
    
    
    When Jeff.scp is submitted to the Oa$script queue, it fails
    with a "no privilege for attempted operation"
    in the a.log file just after the spawn command.
    If it is run interactively, it works fine.
    
    Help!
    
    Laurie

3672.1. "no help but same observation" by SUOSWS::HAMANN () Fri Dec 17 1993 08:26 (8 lines)
    Hi,
    
    I cannot help, but notice the same problem. 
    
    The subprocess cannot even run with the debugger in a separate process.
    There is a lot broken with the OA$SCRIPT queue!
    
    Klaus
3672.2. by AIMTEC::SIMPSON_L () Fri Dec 17 1993 18:09 (18 lines)
    Hi again,
    
    Some more info and questions.
    
    Could it be that when running the test script and comm file I showed in .0
    that the Script Symbiont is checking the user's privs of the account which
    submitted to it instead of the privs it is installed with?
    
    I checked to see what the Oa$script_symbiont.exe, Imp$impshr.exe and
    Imp$impshrp.exe images were installed with.  They appear to be correct. In
    fact, the Oa$script_symbiont.exe is installed with sysprv, one of the three
    which will make it work from the user's account.
    
    Any thoughts/comments?
    
    Thanks very much,
    
    Laurie

3672.3. "Isn't that the way it works?" by IOSG::PYE (Graham - ALL-IN-1 Sorcerer's Apprentice) Tue Dec 21 1993 12:15 (14 lines)
    The script symbiont uses all of its privileges only in order to pretend
    to be the person it is running the script for. It pretends to be that
    person very accurately, including only allowing itself to have that
    user's privileges. If it didn't do this, then I could submit a script
    that said GET OA$DCL="DELETE SYS$SYSTEM:*.*.*", which wouldn't be a
    good idea!
    
    I think that the problem must be that the script you are trying to
    execute can't be seen by the symbiont, or the user. Does it have W:RE?
    
    Also, note that the user's LOGIN.COM isn't run, so any locally defined
    symbols or logicals aren't available.
    
    Graham
3672.4. "Equally, no help" by IOSG::ALLAN (Derek, DTN 830-3669) Tue Dec 21 1993 14:01 (20 lines)
Hi,

There's nothing wrong with the installation of the script symbiont, it 
fails in the same way you describe on our system too.

I can't see what's wrong. I notice that one can create a detached process
via the same method, but not a sub-process.

No doubt the SYSTEM-F-NOPRIV is being returned by the DCL SPAWN's indirect 
call to SYS$CRPRC, but the VMS documentation is not very helpful on 
the subject of which circumstances could lead to NOPRIV being returned.

Sorry, but it looks like a restriction for now: You can't spawn a sub-process 
from ALL-IN-1's OA$DCL process when running in the script symbiont.

As a workaround you could submit ALL-IN-1 to batch, and run ALL-IN-1
/noinit to execute the script. It's not as efficient, but it works.

Cheers,
Derek
3672.5. by IOSG::PYE (Graham - ALL-IN-1 Sorcerer's Apprentice) Tue Dec 21 1993 14:33 (6 lines)
    re .3
    
    I think I was replying to .2 in isolation, and not having read .0 and
    .1, so please ignore me!
    
    Graham