Path: utzoo!utgpu!water!watmath!clyde!rutgers!ucla-cs!zen!ucbvax!CITHEX.CALTECH.EDU!carl From: carl@CITHEX.CALTECH.EDU (Carl J Lydick) Newsgroups: comp.os.vms Subject: Re: BACKUP under VMS 4.6 needs PHY_IO !?!?! Message-ID: <880106185356.00b@CitHex.Caltech.Edu> Date: 7 Jan 88 03:11:18 GMT Sender: daemon@ucbvax.BERKELEY.EDU Organization: The ARPA Internet Lines: 70 > We observed the following problem under VMS 4.6: > > using BACKUP for saving files on tape (for example) by an non-privileged user, > the user gets this obscure error message : > > %BACKUP-F-LABELERR, error in tape label processing on MU:[]FOOFOO.BCK; > -SYSTEM-F-BADPARAM, bad parameter value. > > We then asked the TSC center. > This is a well known bug under VMS 4.6 they said. > > They said BACKUP currently needs the privilege PHY_IO ! That's odd. We've been running VMS 4.6 for over a month, don't have BACKUP INSTALLed at all, and haven't seen this problem. The account from which we do image backups of our disks every week has only TMPMBX, NETMBX, and BYPASS privs (the last of these is so that we can backup ALL the files on the disk). We have two STC tri-density tape drives hooked up to a SYSTEMS INDUSTRIES controller in such a way that they look like TU45's, but are on the UNIBUS, and use a driver written by SI. > There are currently two ways to handle this problem > (there is no patch available - they said) : > > a) all users who want to use BACKUP should get this privilege (PHY_IO) ???!! > > b) install BACKUP with this privilege (PHY_IO) > > We decided to use solution b) ! > Unfortunately then BACKUP also refuses to work (even when all privileges are > turned on, like the following command for our daily backup operations): > > $ BACKUP /IGNOR=INTERL /REWIND /FAST /RECORD /DENS=6250- > /JOU=THD$OPER1:[BACKUP]BACKUP14.BJL.1 - > USER02:[*...] /SINCE=BACKUP MUA0:6JANBAK.BCK > %DCL-W-ACTIMAGE, error activating image ENCRYPSHR > -CLI-E-IMGNAME, image file DUA0:[SYS0.][SYSLIB]ENCRYPSHR.EXE;3 > -SYSTEM-F-PRIVINSTALL, shareable images must be installed to run privileged > image > > Image SYS$LIBRARY:ENCRYPSHR.EXE must also be installed with that privilege! > > > --> I don't like either solution! > > Did anyone out there in netland have the same problems (or are you always using > the system account for BACKUPs) ? > > Did you come up with a better/different solution? I could be wrong, but I don't think you have to INSTALL ENCRYPSHR.EXE with privileges; merely INSTALLing it /OPEN/HEADER/SHAR should suffice (I base this claim on the fact that MAIL, which is installed with SYSPRV, can call TPU, and TPUSHR.EXE is installed with no privs). Another thing you could do is to create a captive account that has PHYIO, is in a group by itself, runs only BACKUP, and checks to make sure that the privilege isn't abused. The drawback to this is that in order to do the backups, a user has to protect his files so that this account can read them, which means that anybody using the account can copy his files while he's doing his backup. You can circumvent this difficulty by setting the UAF MAXJOBS field to 1 for this account, so a user can: 1) Log in to the backup account 2) Protect his files from a job running on his own account so he can back them up. 3) Do the backup 4) Reset the protections 5) Log out of the backup account Since his is the only job currently running on that account, his files should be safe, unless the system crashes sometime during the procedure.