Programming Features
5.11 New Process Dump Tools (Alpha)
5.11.6.1 Special Rights Identifiers
You can use the new rights identifier IMGDMP$READALL to allow a
nonprivileged user to read a complete process dump. You can use the new
rights identifier IMGDMP$PROTECT to protect a complete process dump
from being read by the user that created the process dump. These rights
identifiers are created during the installation of OpenVMS Version 7.3 by the
image SYS$SYSTEM:IMGDMP_RIGHTS.EXE, which is also run automatically
during system startup to ensure that these rights identifiers exist with the correct
values and attributes.
If these rights identifiers have been deleted, you can run
SYS$SYSTEM:IMGDMP_RIGHTS.EXE to recreate them. For example:
$ RUN SYS$SYSTEM:IMGDMP_RIGHTS
%PROCDUMP-I-CREATED, rights identifier IMGDMP$READALL successfully created
%PROCDUMP-I-CREATED, rights identifier IMGDMP$PROTECT successfully created
Note that IMGDMP$READALL has no attributes, but IMGDMP$PROTECT is
created with the RESOURCE attribute.
5.11.6.2 Privileged Users and Process Dumps
For this discussion, a privileged user is one who satisfies one of the following
conditions:
• Has one or more of the privileges CMKRNL, CMEXEC, SYSPRV, READALL,
  or BYPASS
• Is a member of a system UIC group (by default [10,n] or lower). Such users
  are treated as though they hold SYSPRV privilege.
Holders of CMKRNL or CMEXEC can write complete process dumps. Holders
of any of the other privileges can read a process dump wherever it has been
written.
5.11.6.3 Nonprivileged Users and Process Dumps
To allow a nonprivileged user to write and read complete process dumps,
grant the rights identifier IMGDMP$READALL to the user. If the
IMGDMP$READALL rights identifier does not exist, run the image
SYS$SYSTEM:IMGDMP_RIGHTS.EXE to create it (see Section 5.11.6.1). Then
use AUTHORIZE to grant the rights identifier to the user. For example:
$ DEFINE /USER SYSUAF SYS$SYSTEM:SYSUAF.DAT !if necessary
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> GRANT /IDENTIFIER IMGDMP$READALL <user>
UAF> EXIT
Note that the user must log out and log in again to be able to receive the rights
identifier. A nonprivileged user with rights identifier IMGDMP$READALL can
read and write complete process dumps without restriction.
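The following DCL command procedure is an added example, not part of the original manual. It reports how the rules in Sections 5.11.6.2 and 5.11.6.3 apply to the process that runs it, which is useful when reviewing who can read complete process dumps. The file name DUMP_ACCESS.COM is hypothetical, and the procedure assumes that the current process privileges are the ones that matter and that the system UIC group limit is the MAXSYSGROUP system parameter.

```dcl
$ ! DUMP_ACCESS.COM (hypothetical name): added example, not from the manual.
$ ! Reports how Sections 5.11.6.2 and 5.11.6.3 apply to the current process.
$ ! Assumption: the process's current privileges are the ones tested.
$ write_priv = "FALSE"
$ read_priv  = "FALSE"
$ !
$ ! CMKRNL or CMEXEC: can write complete process dumps.
$ IF F$PRIVILEGE("CMKRNL") .OR. F$PRIVILEGE("CMEXEC") THEN write_priv = "TRUE"
$ !
$ ! SYSPRV, READALL, or BYPASS: can read a dump wherever it was written.
$ IF F$PRIVILEGE("SYSPRV") .OR. F$PRIVILEGE("READALL") .OR. -
     F$PRIVILEGE("BYPASS") THEN read_priv = "TRUE"
$ !
$ ! Members of a system UIC group are treated as holding SYSPRV.
$ ! Assumption: MAXSYSGROUP is the system UIC group limit on this system.
$ IF F$GETJPI("", "GRP") .LE. F$GETSYI("MAXSYSGROUP") THEN read_priv = "TRUE"
$ !
$ ! Rights identifiers held by this process (process and system rights lists).
$ rights = F$GETJPI("", "RIGHTSLIST")
$ has_readall = F$LOCATE("IMGDMP$READALL", rights) .LT. F$LENGTH(rights)
$ has_protect = F$LOCATE("IMGDMP$PROTECT", rights) .LT. F$LENGTH(rights)
$ !
$ WRITE SYS$OUTPUT "Write by privilege (CMKRNL/CMEXEC):       ", write_priv
$ WRITE SYS$OUTPUT "Read by privilege or system UIC group:    ", read_priv
$ WRITE SYS$OUTPUT "Holds IMGDMP$READALL (1 = yes, 0 = no):   ", has_readall
$ WRITE SYS$OUTPUT "Holds IMGDMP$PROTECT (1 = yes, 0 = no):   ", has_protect
$ IF has_readall .AND. (read_priv .EQS. "FALSE") THEN -
     WRITE SYS$OUTPUT "Nonprivileged process with unrestricted dump read/write"
$ EXIT
```

Because a newly granted identifier appears only after the user logs out and logs in again, run the procedure from a fresh login session.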
5.11.6.4 Protecting Process Dumps
You can allow a nonprivileged user to write a complete process dump and at the
same time prevent the user from reading the process dump just written. To do so,
perform the following procedure:
1. If the IMGDMP$PROTECT rights identifier does not exist, run the image
SYS$SYSTEM:IMGDMP_RIGHTS.EXE to create it (see Section 5.11.6.1).