
Conference azur::mcc

Title:DECmcc user notes file. Does not replace IPMT.
Notice:Use IPMT for problems. Newsletter location in note 6187
Moderator:TAEC::BEROUD
Created:Mon Aug 21 1989
Last Modified:Wed Jun 04 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:6497
Total number of notes:27359

4633.0. "DECmcc "Ping" requires SYSPRV privilege" by ZUR01::FUEGLISTER (Roland Fueglister, 760-2498) Thu Mar 04 1993 06:30

A nonprivileged user can use the UCX V2.0 "Ping" feature if the image 
ucx$ping.exe is installed with "sysprv" privilege.

What else needs to be installed so that the equivalent DECmcc "Ping" command can be
used by a nonprivileged user? 

			Best Regards,

			Roland


The following log shows the problem:

$ instal list/full sys$system:ucx$ping.exe

DISK$VAXVMSV055:<SYS0.SYSCOMMON.SYSEXE>.EXE
   UCX$PING;1                     Prv 
        Entry access count         = 2
        Privileges = SYSPRV 

$ ucx ping hubwtc
UCX-I-LOOPACT, hubwtc.zuo.dec.com is alive

$ manage/enter
DECmcc (V1.2.3)

MCC> test snmp hubwtc
SNMP hubwtc 
AT  4-MAR-1993 11:55:00 
This operation requires SYSPRV privilege

MCC> show snmp hubwtc all status
SNMP hubwtc 
AT  4-MAR-1993 12:13:45 Status 
This operation requires SYSPRV privilege

MCC> exit

$ show proc/priv
4-MAR-1993 11:55:08.66   User: FUEGLISTER       Process ID:   000000AD
                          Node: NCC003           Process name: "FUEGLISTER"
 Process privileges:
 TMPMBX               may create temporary mailbox
 NETMBX               may create network device
4633.1. "Major security problem" by ZUR01::FUEGLISTER (Roland Fueglister, 760-2498) Wed May 12 1993 09:24 (19 lines)

Help!! 
I still expect an answer from DECmcc engineering regarding .0

The question is:

Is there a workaround like installing the necessary images with "SYSPRV" 
privilege to use the DECmcc "Ping" feature?

Any help will be appreciated.


			Best regards,

			Roland





4633.2. by MOLAR::YAHEY::BOSE Wed May 12 1993 13:22 (11 lines)

	To do pings in DECmcc we need to open raw sockets. SYSPRV privilege
	is required to open raw sockets. That is why the SNMP AM requires
	that it be run with SYSPRV (you need it to receive traps too).

	I have tried installing the SNMP AM with privileges, but the creation
	of raw sockets still fails, causing the exception "This operation requires 
	SYSPRV privilege" to be generated. Someone more familiar with UCX may
	be able to help you out on this.

	Rahul.

4633.3. "Use the QAR system" by RACER::dave (Ahh, but fortunately, I have the key to escape reality.) Wed May 12 1993 17:45 (7 lines)

If you expect a reply, you should file a QAR.

Notes files are not an official support system, and
anything posted here is not required to be responded to.

Anything posted here is clearly on a "Best effort, when we have time"
basis.

4633.4. "UNIX users don't need privs for a Ping!!" by ZUR01::FUEGLISTER (Roland Fueglister, 760-2498) Thu May 13 1993 08:27 (20 lines)

			Hi Rahul,

Thank you for your immediate answer.

As mentioned in .0, it is possible to install the ucx$ping image with
privileges. 
As a current workaround, I would propose that a nonprivileged DECmcc user 
has to launch the ucx ping command from the DECmcc application interface.

Anyhow, this is a major security problem which must be fixed.

RE:.2     I don't agree that you need SYSPRV to receive traps.

Normally the VMS user "System" creates at system startup a dummy notify to
start the mcc_tcpip_sink process.
Afterwards every nonprivileged VMS user is able to receive Trap notifications.


				Roland

4633.5. by MOLAR::YAHEY::BOSE Thu May 13 1993 11:14 (26 lines)

	Roland,

>>Title:  UNIX users don't need privs for a Ping!!

	Ping on Ultrix does setuid to root, so it is running with superuser
	privileges. But to the ordinary user it is transparent and he can
	run it from his account without taking any special action. The SNMP AM
	works the same way on Ultrix.

>>As mentioned in .0, it is possible to install the ucx$ping image with
>>privileges. 

	It should be the same for the SNMP AM, but for some reason opening
	of raw sockets still fails. This needs further investigation.


>>Normally the VMS user "System" creates at system startup a dummy notify to
>>start the mcc_tcpip_sink process.
>>Afterwards every nonprivileged VMS user is able to receive Trap notifications.

	Pretty clever. Actually, in my original mail I meant to say that you
	need SYSPRV to start up the sink. All users need not have SYSPRV to
	receive traps subsequently, as you've shown above.

	Rahul.

4633.6. by 2582::YAHEY::BOSE Thu May 13 1993 12:41 (10 lines)

		Actually you need to install the image MCC_MAIN.EXE with
	privileges. That is the image which is invoked by "manage/enterprise"
	DCL command. All MMs will inherit their privileges from that image 
	(which again could be looked upon as a security violation).

		BTW, you may not be able to install MCC_MAIN with privileges
	since it may have been linked with traceback.

	Rahul.
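
The set-uid arrangement described for Ultrix ping in .5, and the privilege-inheritance concern raised in .6, shown as an added C example that is not part of this thread and is not DECmcc or UCX code: a POSIX helper opens the raw ICMP socket, which is the only privileged step, and then gives up the set-uid identity before doing anything else. The names `open_raw_then_drop` and `privileges_are_dropped` are hypothetical; the VMS counterpart (an image installed with SYSPRV) is not shown.

```c
/* Added example, not from the thread: a set-uid ping-style helper on POSIX. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum raw_status { RAW_OK = 0, RAW_DENIED = 1, RAW_ERROR = 2 };

/* 1 when effective ids equal real ids, i.e. no set-uid/set-gid identity is active. */
int privileges_are_dropped(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

/* Hypothetical helper: open the raw ICMP socket (the only privileged step),
 * then give up the set-uid identity before any other work is done.
 * On return *fd_out is the socket, or -1 if it could not be opened. */
enum raw_status open_raw_then_drop(int *fd_out)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    int saved_errno = errno;

    /* Group first: after the uid drop the process may no longer be allowed
     * to change its gid. For a set-uid-root binary setuid() also resets the
     * saved uid, so the drop cannot be undone. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0 || !privileges_are_dropped()) {
        if (fd >= 0)
            close(fd);
        *fd_out = -1;
        return RAW_ERROR;   /* never continue with privilege still held */
    }
    *fd_out = fd;
    if (fd >= 0)
        return RAW_OK;
    return (saved_errno == EPERM || saved_errno == EACCES) ? RAW_DENIED : RAW_ERROR;
}

int main(void)
{
    int fd;
    enum raw_status st = open_raw_then_drop(&fd);
    printf("raw socket: %s, privileges dropped: %d\n",
           st == RAW_OK ? "open" : st == RAW_DENIED ? "denied" : "error",
           privileges_are_dropped());
    if (fd >= 0)
        close(fd);
    return st == RAW_ERROR;
}
```

Run from an ordinary account without the set-uid bit, the helper reports the socket as denied; in both cases the code that follows the call holds no more privilege than the invoking user.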

4633.7. "image MCC_MAIN is the problem" by ZUR01::FUEGLISTER (Roland Fueglister, 760-2498) Mon May 17 1993 13:21 (14 lines)

			Hi Rahul,

Thank you very much for your further investigation.

I came exactly to the same result: the MCC_MAIN image should be installed with
the appropriate privileges. 
Unfortunately the image has been linked with traceback, so we are not able to
do it.

In the meantime I also recognized that a nonprivileged MCC user needs only
"OPER" privilege to use the directive "Test snmp hostname".


			Roland