Problem Note 13521: ALLOWXCMD and NONOXCMD options fail with the Object Spawner on Windows 2003 Servers
When code that uses a shell or operating system command, such as
FILENAME PIPE or SYSTASK COMMAND, is submitted to an Integration
Technologies IOM server, the code fails with
ERROR: Access is denied.
or
ERROR: Insufficient authorization for SYSTASK COMMAND.
For security reasons, the Object Spawner is started with the system
option of NOXCMD, which prevents the client from submitting any type of
SHELL or Operating System command.
With Administrative privileges, the Object Spawner can be restarted
with an option (ALLOWXCMD or NONOXCMD) that permits the client to issue
SHELL or Operating System commands. This works for all Windows
operating systems EXCEPT for Windows 2003 Server.
To correct the problem on Windows 2003, Read & Execute permissions must
be granted to the "BATCH" group found on the Security tab of the cmd.exe
system command.
The "BATCH" group is a group identifier that is added to the token of
any process currently logged on as a batch user.
To verify if the "BATCH" group has been added and to view the
permissions on the group, open a COMMAND Window and issue the following:
C:\WINDOWS\system32> cacls %COMSPEC%
If the permissions are set correctly, you will see something similar to
the following:
C:\WINDOWS\system32\cmd.exe BUILTIN\Administrators:F
NT AUTHORITY\BATCH:R
NT AUTHORITY\INTERACTIVE:R
NT AUTHORITY\SERVICE:R
NT AUTHORITY\SYSTEM:F
PCR64DUAL2\TelnetClients:R
The following are the steps to add the "BATCH" group to the system
command (cmd.exe) and to set Read & Execute permissions:
1.) You must be logged into the Windows 2003 Server with an
Administrative account.
2.) From a Windows Explorer Window, navigate to the following:
C:\WINDOWS\system32\cmd.exe
3.) With the Right Mouse button, select "cmd.exe" and select
"properties". On the "Security" tab, select the "Advanced"
button.
4.) On the "Permissions" tab of the Advanced Security Settings for
cmd.exe Window, select the "ADD" button.
5.) In the "Enter object name to select" field, type BATCH
(or hostname\BATCH) and then select the "CHECK NAMES" button.
The group BATCH should be underlined. Select OK.
6.) On the Permission Entry for cmd.exe window, under the "ALLOW"
column check the following items:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions
7.) The Permissions tab should now show:
Allow BATCH Read & Execute <not inherited>
8.) Select "APPLY" and a security warning will be displayed.
Select "YES" to accept the changes.
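To re-check the result of these steps without reading the cacls listing by eye, the following added example (not part of the original SAS note) parses `cacls %COMSPEC%` output and reports whether the BATCH group holds a simple right that includes read and execute. The names `parse_cacls` and `batch_status` are hypothetical, and any entry with parenthesised qualifiers is flagged for manual review rather than interpreted.

```python
import re
import sys

# cacls %COMSPEC% output as shown in this note, used as sample input.
SAMPLE = r"""C:\WINDOWS\system32\cmd.exe BUILTIN\Administrators:F
                            NT AUTHORITY\BATCH:R
                            NT AUTHORITY\INTERACTIVE:R
                            NT AUTHORITY\SERVICE:R
                            NT AUTHORITY\SYSTEM:F
                            PCR64DUAL2\TelnetClients:R
"""

# The note's correct listing shows R for BATCH; C (Change) and F (Full) are supersets.
READ_EXECUTE = {"R", "C", "F"}
# account, ':', optional parenthesised qualifiers, then an optional right letter.
ACE = re.compile(r"^(?P<account>[^:]+):(?P<quals>(?:\([^)]*\))*)(?P<right>[A-Z]?)$")


def parse_cacls(output, path):
    """Return [(account, qualifiers, right)] for each ACE line in cacls output."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # the first line carries the file path
        m = ACE.match(line)
        if m:
            entries.append((m["account"], m["quals"], m["right"]))
    return entries


def batch_status(entries):
    """Return 'ok', 'missing' or 'review' for the BATCH group's access."""
    batch = [e for e in entries if e[0].upper().split("\\")[-1] == "BATCH"]
    if not batch:
        return "missing"
    # Qualified or non-read entries are not interpreted; flag them for a manual look.
    if any(quals or right not in READ_EXECUTE for _, quals, right in batch):
        return "review"
    return "ok"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\cmd.exe"
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(batch_status(parse_cacls(text, path)))
```

Saved under a file name of your choice (check_batch.py is assumed here), it can be run on the server as `cacls %COMSPEC% | python check_batch.py`, passing the cmd.exe path as an argument if it differs from the default.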
Operating System and Release Information
SAS System | SAS Integration Technologies | Microsoft Windows Server 2003 Standard Edition | 9.1 TS1M3 | |
Microsoft® Windows® for 64-Bit Itanium-based Systems | 9.1 TS1M3 | |
Microsoft Windows XP Professional | 9.1 TS1M3 | |
Microsoft Windows 2000 Server | 9.1 TS1M3 | |
Microsoft Windows 2000 Advanced Server | 9.1 TS1M3 | |
Microsoft Windows 2000 Datacenter Server | 9.1 TS1M3 | |
Microsoft Windows Server 2003 Enterprise Edition | 9.1 TS1M3 | |
Microsoft Windows Server 2003 Datacenter Edition | 9.1 TS1M3 | |
Microsoft Windows 2000 Professional | 9.1 TS1M3 | |
* For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.
Type: | Problem Note |
Priority: | medium |
Topic: | Software Components ==> Object Spawner |
Date Modified: | 2004-10-05 11:35:38 |
Date Created: | 2004-10-04 09:07:28 |