HP OpenVMS Systems

ask the wizard

Tracking insufficient privilege errors? (NOPRIV)


The Question is:

After a downgrade of security access associated with a user she started
receiving the error "insufficient privilege or object protection violation" on
certain files within her user directory.
What privilege should she have to be able to create, edit, delete files within
her directory?

The Answer is :

  Assuming a typical configuration, no privileges are required.
  The typical file protections and particularly the typical file
  ownership settings -- and ACLs, for more complex security
  requirements -- provide all access that is necessary to write
  entries into the parent directory file and to create new versions
  of existing files.
  If appropriate, please ensure that the user owns all of the files
  and all file versions, and also owns the parent directory.  Also
  ensure that the protection masks are set to permit owner access
  to the files.
  To trace the cause of SS$_NOPRIV access-related errors, please enable
  and use the OpenVMS security auditing and security alarm mechanisms.
  When enabled, you will receive audits or alarms with details of the
  specific cause of the SS$_NOPRIV access error.
  The OpenVMS Wizard encourages a review of the OpenVMS security manual.
 NOPRIV,  insufficient privilege or object protection violation
  Facility:     SYSTEM, System Services
  Explanation:  This message can occur under any of the following conditions:
                o A command or program requested a system function that
                  requires a specific user privilege or privileges that the
                  current process does not have.
                o A program image attempted to access, modify, or delete a
                  control area created and owned by a more privileged access
                  mode. Such areas include pages in memory, I/O channels, or
                  timer queue entries.
                o A command or program requested file or volume access that
                  is denied.
                o The requesting process does not have the privilege to read
                  or write to this mailbox. (The protection mask is defined
                  when the mailbox is created.)
                o The flags parameter to $SUSPND has requested suspension of
                  kernel mode, but the caller is not running in executive or
                  kernel mode.
  User Action:  If the message is in response to a command entered
                interactively, verify that the particular command or qualifier
                does not require a specific user privilege or privileges.
                If the message occurs during the execution of a program,
                determine the system service call that resulted in the error.
                Verify that a service or an argument was not used for a
                particular service that requires a user privilege that you
                do not have. Or, verify that you are not attempting to modify
                an RMS file system or system-owned data area or memory page.
                If this message is associated with a vector disabled (VECDIS)
                status code, an ACL on the system's vector capability has
                prevented the process from executing vector instructions.
                In each case, correct the command or program so that you do
                not request the privileged function. If you determine that you
                need the privilege for an application, ask your system manager
                to give you the necessary privilege.
                Verify the file or volume name. Have the owner of the file or
                volume change the protection value.

answer written or last revised on ( 28-AUG-2002 )
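
The checks the answer describes, as a DCL sequence. This is an added example, not part of the original answer; the username JSMITH and the directory DKA100:[USERS.JSMITH] are constructed, the journal path is assumed to be the default location, and the SET AUDIT, REPLY and ANALYZE/AUDIT steps are assumed to be run from a suitably privileged system-manager account.

```dcl
$! Constructed names: user JSMITH, home directory DKA100:[USERS.JSMITH]
$!
$! 1. Show owner, protection mask and any ACL on the parent directory
$!    file and on every version of every file beneath it.
$ DIRECTORY/SECURITY DKA100:[USERS]JSMITH.DIR
$ DIRECTORY/SECURITY DKA100:[USERS.JSMITH...]*.*;*
$!
$! 2. If the files are meant to belong to the user, restore ownership
$!    and owner access (directory file first, then its contents).
$ SET SECURITY/CLASS=FILE/OWNER=[JSMITH]/PROTECTION=(OWNER:RWE) -
      DKA100:[USERS]JSMITH.DIR
$ SET SECURITY/CLASS=FILE/OWNER=[JSMITH]/PROTECTION=(OWNER:RWED) -
      DKA100:[USERS.JSMITH...]*.*;*
$!
$! 3. If SS$_NOPRIV persists, audit and alarm on failed file access.
$ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=FAILURE/CLASS=FILE
$ SHOW AUDIT
$!
$! 4. Receive security alarms on this terminal while the user
$!    reproduces the failing operation.
$ REPLY/ENABLE=SECURITY
$!
$! 5. Review the audit records for that user (assumed default journal).
$ ANALYZE/AUDIT/FULL/EVENT_TYPE=ACCESS/SELECT=USERNAME=JSMITH/SINCE=TODAY -
      SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! 6. Turn the extra auditing off again once the cause is known.
$ SET AUDIT/ALARM/AUDIT/DISABLE=ACCESS=FAILURE/CLASS=FILE
$ REPLY/DISABLE=SECURITY
```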
