[comp.sys.dec] Installing privileged images

glamdrng@pnet51.cts.com (Rocky Lhotka) (05/31/89)

Does anyone know how to install an image requiring WORLD privs?  I have a
program which runs fine from my account (with WORLD) and is installed with
/PRIV=WORLD/OPEN/HEAD/SHARE but when run from a non-privileged account it does
not function...  Thanks in advance for any help!!

Rocky

UUCP: {amdahl!bungia, uunet!rosevax, chinet, killer}!orbit!pnet51!glamdrng
ARPA: crash!orbit!pnet51!glamdrng@nosc.mil
INET: glamdrng@pnet51.cts.com

bcw@rti.UUCP (Bruce Wright) (06/01/89)

In article <729@orbit.UUCP>, glamdrng@pnet51.cts.com (Rocky Lhotka) writes:
> Does anyone know how to install an image requiring WORLD privs?  I have a
> program which runs fine from my account (with WORLD) and is installed with
> /PRIV=WORLD/OPEN/HEAD/SHARE but when run from a non-privileged account it does
> not function...  Thanks in advance for any help!!
 
I assume you mean on VMS ... anyway.  If you have installed the image as
shown above, then it should work (give you WORLD privilege when it's run).
However, there are a few things you need to watch out for:

    1.	The image may need things besides WORLD.  For example, NETMBX and
	TMPMBX are very popular privileges (lots of programs break if they
	don't have them).  Some installations don't give the low-level
	users even NETMBX and TMPMBX.  Likewise, there may be other
	privileges you have that the program is taking advantage of without
	your knowledge.  Suggest you do SET PROCESS /PRIV=(NOxxx, NOyyy, ...)
	(where xxx and yyy and ... are your various privileges), eliminating
	your privileges one-by-one until you find the minimal set that the
	program will run with.  Then install the program with those privs.

    2.	Likewise, it may need additional quota.

    3.	Also, it may be trying to access protected objects.  WORLD doesn't
	give you access to all the files on the system (for example), it
	just lets you manipulate all the processes on the system.  You could
	also try the elimination process described on #1 by installing it
	with all possible privileges and cutting them down to find the
	minimum set.  This isn't as bad as it seems since you can usually
	chop double handfulls of them at a time for the first few cuts.
	NOTE:	This exercise is not *quite* the same as the one above
		because you are running on a different UIC and have a
		different rightslist.

    4.	You may also need to check whether the program does anything that
	is implicitly qualified by all or part of the UIC - such as 
	attaching to a group global event flag cluster.  Running the
	program on a different UIC, you might have enough privilieges but
	be trying to attach to objects that just don't exist.

These are just a few random thoughts ... perhaps you could describe
exactly what error messages you get from the program and the sort of
thing it's trying to do (this might help focus the problem determination
somewhat).

						Bruce C. Wright

cole@sas.UUCP (Tom Cole) (06/08/89)

In article <2993@rti.UUCP>, bcw@rti.UUCP (Bruce Wright) writes:
> In article <729@orbit.UUCP>, glamdrng@pnet51.cts.com (Rocky Lhotka) writes:
> > Does anyone know how to install an image requiring WORLD privs?  I have a
> > program which runs fine from my account (with WORLD) and is installed with
> > /PRIV=WORLD/OPEN/HEAD/SHARE but when run from a non-privileged account it does
> > not function...  Thanks in advance for any help!!
>  
> I assume you mean on VMS ... anyway.  If you have installed the image as
> shown above, then it should work (give you WORLD privilege when it's run).
> However, there are a few things you need to watch out for:
> 
> 						Bruce C. Wright

Just to add my own two cents worth, something that bit us on this was the
way you form the image name when you run the file.  If you specify an explicit
version number on the filename, even if it is the correct one that matches
the known file entry, then the system will not open the file using the known
file entry information, which means among other things that you won't get
the elevated priveleges when you run the program.  We found this because an
overly-helpful menu program tried to use fully qualified file names when
running images, and it disabled privileges, sharing, etc.

Hope this helps.

Tom Cole
SAS Institute

Declaimer:  Othello