
Conference azur::mcc

Title: DECmcc user notes file. Does not replace IPMT.
Notice: Use IPMT for problems. Newsletter location in note 6187
Moderator: TAEC::BEROUD
Created: Mon Aug 21 1989
Last Modified: Wed Jun 04 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 6497
Total number of notes: 27359

4384.0. "Security violation on MCC_TARGET_INST_MIR.DAT" by LICAUS::LICAUSE (Al Licause (264-4780)) Wed Jan 13 1993 19:59

    I'm trying to set up limited access to DECmcc to specific users and am
    getting a security violation on the MCC_TARGET_INST_MIR.DAT.  Looks as
    though the user is attempting to change something either on a MAP or 
    add a new entity.  
    
    Can someone tell me what actions would require WRITE access to this
    file?
    
    thanks,
    Al
    
    
    Security alarm (SECURITY) and security audit (SECURITY) on node, system id: xxxxx / Attempted file access
    Event time:             12-JAN-1993 00:00:01.75
    PID:                    2060053E        
    Username:               xxxxxxxx
    Image name:             $7$DUA2:[SYS3.SYSCOMMON.][SYSEXE]MCC_MAIN.EXE;1
    Object name:            _$7$DUA8:[MCC]MCC_TARGET_INST_MIR.DAT;1
    Object type:            file
    Access requested:       READ,WRITE
    Status:                 %SYSTEM-F-NOPRIV, no privilege for attempted operation
T.R  Title  User  Personal Name  Date  Lines
4384.1. "Name indicates Targeting" by TOOK::MINTZ (Erik Mintz) Wed Jan 13 1993 21:49, 2 lines

Until someone who knows better comes along, my guess is it 
has to do with targeting notification.

4384.2. "notification services is right" by GOSTE::CALLANDER Tue Jan 19 1993 10:15, 7 lines

    assign and deassign target should be the only ones requiring write
    access to the instance database.  The only thing I am unsure of
    is when you do a read using the mcc_mir routines does it automatically
    open it for write regardless of the fact that it is a read request?
    
    But notification services are the only ones that access that database.
    
4384.3. "The default is read/write repositories" by TOOK::GUERTIN (MCC Managing everything for everyone everywhere) Tue Jan 19 1993 10:36, 8 lines

    The mcc_mir_ routines do open repositories as Read/Write.  The
    DNS Local MIR routines use private routines to specify read-only
    and read-write repositories, so they do not have this problem.
    If targeting is a security issue, then we need to investigate
    the use of the targeting database, and whether it should also
    use read-only repositories.
    
    -Matt.

4384.4. "Thanks" by LICAUS::LICAUSE (Al Licause (264-4780)) Tue Jan 19 1993 17:16, 19 lines

    In the real world, I suspect that this would not be much of an issue...
    
    It's really not a big issue for us either,....only a curiosity.  We
    have created an on-line DECmcc demo capability and want to allow wide
    access, however, we don't want users to be able to modify databases.
    
    Too much effort is involved in creating maps and setting up the
    environment.  
    
    In the real world, it might become an issue if either multiple users
    have full access or many users have limited access.  If the latter, it
    would then become, or should become no more than an annoyance.  
    
    Perhaps someone else would have another opinion....
    
    In either case, thanks very much for the additional information.
    
    Al
    
4384.5. "Just clone the MIR's and MAPS and define a few logicals." by FARMS::LYONS (Ahh, but fortunately, I have the key to escape reality.) Tue Jan 19 1993 19:41, 7 lines

If what you want is a DEMO system, then do what the DECmcc demo kit does
and clone the MIR's and MAP files, and define some logicals so everything
works right, and who cares if the files get changed.  Then, when you have
a new MIR/Map that you want available to the demo, just trash the old
demo files and replace them with the new ones.  You can play with alarms,
add entities to the map, play lots of games, and it does not disrupt
your production environment at all.

4384.6. "nonprivileged user account, but only with DECdns" by ZUR01::FUEGLISTER (Roland Fueglister, 760-2498) Thu Jan 21 1993 10:45, 50 lines

RE.: .3 
/ The mcc_mir_ routines do open repositories as Read/Write

I experienced the following on this subject (BMS V1.2.3) as a "Read only user":


FCL> DIR TARGET DOMAIN * or as well the equivalent IMPM command 
--> Read/Write access violation on MCC_TARGET_*_MIR.DAT files

FCL> SHOW DOMAIN domainname RULE * ALL CHAR or as well the equivalent IMPM command 
--> Read/Write access violation on MCC_ALARM_*_MIR.DAT files

IMPM command GRAPH STATISTICS 
--> Read/Write access violation on MCC_PA_*_MIR.DAT files

FCL> SHOW RECORDING class * PARTITION=*,IN DOMAIN=domainname 
--> Read/Write access violation on history files

TSAM GETCHAR utility
--> Read/Write access violation on MCC_TS_AM_*_MIR.DAT files



Besides the above-mentioned examples there are a lot of unseen Read/Write
accesses which keep the audit process busy!! 

Here is just an example:

DCL>MANAGE/ENTERPRISE/INTERFACE=DECWINDOWS  
--> Read/Write access on MCC_DNS_*.DAT files

Summary: creating a DECmcc "Read only account" using the local MIR is almost 
not possible.

I would like to see a remark in the release notes regarding nonprivileged user
accounts and Local MIR/DECdns disadvantage/advantage.


				Roland

4384.7. (no title) by TOOK::SWIST (Jim Swist LKG2-2/T2 DTN 226-7102) Thu Jan 21 1993 10:59, 6 lines

    The MIR code I just looked at attempts to open repository files
    read/write, and then if that fails due to a privilege problem, tries
    again read-only.
    
    This was Ultrix MIR code.  Is this only a VMS MIR problem?
    
4384.8. "Let's QAR it" by TOOK::GUERTIN (MCC Managing everything for everyone everywhere) Fri Jan 22 1993 08:16, 7 lines

    Jim,
    
    Since the original note was for VMS, I assumed that we were discussing
    the VMS MIR.  Failing over to Read-only access on the file open sounds
    reasonable for the VMS implementation.  I'll QAR it.
    
    -Matt.
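
Added example, not part of the thread and not DECmcc source: the two open strategies discussed in notes .3, .7 and .8, side by side, showing that the read/write-then-read-only fallback still makes the refused write request that fills the audit log in note .6, while an explicit read-only open does not. POSIX `open(2)` stands in for the MIR file services, and every identifier and file name in the block is hypothetical.

```c
/* Added illustration, not DECmcc source: POSIX open(2) stands in for the
 * MIR file services, and every identifier here is hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum repo_intent { REPO_WANT_READ, REPO_WANT_WRITE };
struct repo {
    int fd;            /* -1 when the open failed */
    int writable;      /* 1 when opened read/write */
    int denied_writes; /* refused write opens; each one is an audit event */
};
static int is_denied(int e) { return e == EACCES || e == EPERM || e == EROFS; }

/* Note .7 style: always ask for read/write, retry read-only when refused. */
struct repo repo_open_fallback(const char *path)
{
    struct repo r = { -1, 0, 0 };
    r.fd = open(path, O_RDWR);
    if (r.fd >= 0) { r.writable = 1; return r; }
    if (!is_denied(errno)) return r;   /* e.g. missing file: do not mask it */
    r.denied_writes = 1;               /* the refused attempt was still made */
    r.fd = open(path, O_RDONLY);
    return r;
}

/* Note .3 style: the caller states its need, so a read never asks to write. */
struct repo repo_open_intent(const char *path, enum repo_intent want)
{
    struct repo r = { -1, 0, 0 };
    r.fd = open(path, want == REPO_WANT_WRITE ? O_RDWR : O_RDONLY);
    if (r.fd >= 0) r.writable = (want == REPO_WANT_WRITE);
    else if (want == REPO_WANT_WRITE && is_denied(errno)) r.denied_writes = 1;
    return r;
}

int main(void)
{
    const char *path = "demo_target_mir.dat";     /* constructed sample file */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0444);
    if (fd < 0) { perror(path); return 1; }
    close(fd);
    struct repo a = repo_open_fallback(path);
    struct repo b = repo_open_intent(path, REPO_WANT_READ);
    printf("fallback denied=%d, intent denied=%d\n", a.denied_writes, b.denied_writes);
    close(a.fd); close(b.fd);
    return unlink(path) != 0;
}
```

Run as an unprivileged user, the fallback open succeeds read-only but records one denied write; a privileged account bypasses the file protection, so it gets the file read/write with no denial.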