When the feature is activated in adaauth.ini with the parameter ACTION = YES, the USER_ROLE in adarbac.ini using UserID = * is changed to the real Unix user, and the utility adarep (example: adarep dbid=3) gets the error ADAREP-E-ACNOPERM, Security violation. Permission denied, even though the username is identical to the Unix Users entry.

We are expecting the "effective" user ID to be used for authorization purposes; e.g. "ADA" - the value of getpwuid( geteuid() ).

The audit log shows that the name associated with the "current login activity" is being used for authorization purposes; e.g. "andreas.heitzer" - the value of getlogin().

BACKGROUND INFORMATION
==========================================================

Processing Logic:

Authorization for Adabas Utilities uses as user ID for authorization purposes:

a) The name associated with the "current login activity"; e.g. "andreas.heitzer" - the value of getlogin().
b) When the name is not available, for example in batch, the name associated with the "real" user ID of the process; e.g. the value of getpwuid( getuid() ).

The reasoning behind this processing logic is the desire to ensure accountability; e.g. who is the "persona" executing the function.

LINKS:
---------
https://www.gnu.org/software/libc/manual/html_node/Process-Persona.html#Process-Persona
http://pubs.opengroup.org/onlinepubs/007904875/functions/getlogin.html

The chapter "The Persona of a Process" in the GNU C Library documentation states:

At any time, each process has an "effective" user ID, an "effective" group ID, and a set of "supplementary" group IDs. These IDs determine the privileges of the process. They are collectively called the persona of the process, because they determine “who it is” for purposes of access control.

The description of the getlogin() function from OpenGroup:

APPLICATION USAGE

Three names associated with the current process can be determined: getpwuid( geteuid() ) shall return the name associated with the __effective__ user ID of the process; getpwuid( getuid() ) shall return the name associated with the __real__ user ID of the process. getlogin() shall return the name associated with the __current log---
28-06-2021: itrac number was wrong...
Use Case | Re-Hosting |
Created on Brainstorm | 06.07.2017 04:38 pm |
Brainstorm ID | 4878 |
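
The following C program is an added example, not Adabas code and not part of the original request. It resolves the authorization name both ways described above: the login-then-real order from the "Processing Logic" section, and the effective user ID that the request asks for. The enum, the function names and the "uid:" fallback are assumptions made for this illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical policy names for this example; they are not Adabas settings. */
enum name_policy { POLICY_LOGIN_THEN_REAL, POLICY_EFFECTIVE };

/* Copy the passwd name for uid into out; fall back to the numeric uid when
 * no passwd entry exists, so the caller never authorizes an empty name. */
static void name_for_uid(uid_t uid, char *out, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    if (pw != NULL && pw->pw_name != NULL)
        snprintf(out, len, "%s", pw->pw_name);
    else
        snprintf(out, len, "uid:%lu", (unsigned long)uid);
}

/* Resolve the name used for the authorization check under the given policy.
 * Returns 'L' (login name), 'R' (real uid) or 'E' (effective uid) so the
 * caller can log which source supplied the name. */
char resolve_authz_name(enum name_policy policy, char *out, size_t len)
{
    if (policy == POLICY_EFFECTIVE) {
        name_for_uid(geteuid(), out, len);
        return 'E';
    }
    /* a) login name; getlogin() returns NULL without a login session (batch) */
    const char *login = getlogin();
    if (login != NULL && login[0] != '\0') {
        snprintf(out, len, "%s", login);
        return 'L';
    }
    /* b) fallback: name associated with the real user ID */
    name_for_uid(getuid(), out, len);
    return 'R';
}

int main(void)
{
    char a[256], e[256];
    char src = resolve_authz_name(POLICY_LOGIN_THEN_REAL, a, sizeof a);
    resolve_authz_name(POLICY_EFFECTIVE, e, sizeof e);
    printf("processing logic (%c): %s\nrequested (E): %s\n", src, a, e);
    if (strcmp(a, e) != 0)
        puts("names differ: the two policies authorize different users");
    return 0;
}
```

Run from an interactive login after switching to another account, the two lines differ; run where all three IDs belong to the same account, they match.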