Problem: Attempts to access a file on the server fail with an access denied error. A typical access denied error looks like:
File error 37,07 on @condor:/usr2/bsmith/fio_seq
The 37, 07 error code (ANSI 85 standard error code) indicates that the user does not have sufficient permissions to access the file. If your application uses one of the alternate sets of file status codes, your error code will differ. See the ACUCOBOL-GT Runtime Manual for more information.
Access denied errors occur because a file's permissions, or the permissions of a directory in which the file resides, prohibit access. Finding and correcting access denied errors requires familiarity with AcuServer access security and Windows NT/2000 or UNIX file security. You may need access to administrator or root privileges. Work with your site's AcuServer system administrator to resolve the problem.
AcuServer adds complexity to finding access denied errors, because AcuServer handles requests with a user ID (user name) designated in the server access file (AcuAccess). The user name designated may not be the user name that you expect. Therefore, finding and resolving access denied errors can involve inspecting two components of the system: file protections and the AcuServer server access file. AcuServer also adds complexity when implementing native system security, because the server impersonates the connecting client. See Unexpected User Name for more information.
File permissions diagnostics are used to verify that the ownerships and permissions on the file and directories do, in fact, allow access to the user ID that AcuServer is using (or the user name that you assume that AcuServer is using).
The AcuServer user name diagnostics are used to determine the actual user name that AcuServer is using when the access denied error occurs. Step-by-step diagnostic procedures follow.
Whether you first verify the user ID or first check the file permissions, is up to you. If you're familiar with file security, you may find it faster to check the file permissions first, under the assumption that AcuServer is using the user ID that you expect. Then, if necessary, you can verify the user ID, followed by repeating the file permissions inspection if the actual user name differs from the assumed name.
The steps below break the diagnostic process into three activities:
See The Server Access File to review the structure and function of the server access file. See AcuServer Connection Logic to review the procedure used by AcuServer to get the requester's user ID. See Ownerships and Permissions for a brief description of file permissions.
Get the name and path of the file that produces the access denied error.
Most applications will report the full path and name of the file in the standard error output. If your application doesn't, run your application again with the -x runtime option:
runcbl -x your-usual-options program-name
If the -x option doesn't produce the full name and path, run the application in the debugger with FILE TRACE enabled and examine the log file for the first occurrence of an access error. The file name that precedes the error is the file generating the error.
To run the debugger enter:
runcbl -dle error-file your-usual-options program-name
where:
-d turns on the debugger, -l causes the contents of the runtime configuration file to be included in the error output, and -e causes file trace and error output to be placed in error-file.
After starting your program, you will be at the debugger screen. Turn on file tracing by entering
tf
FILE TRACE will be echoed to the screen. To start program execution, enter:
g
Allow the program to run until you encounter the error condition, and then exit. Your log file will contain the error information, all COBOL configuration file variables that have been set, and a record of every OPEN, READ, and WRITE.
Examine the log file and find the error output for the access denied error. The file name that precedes the error is the file generating the error. Note the full path of the file and retain the log file for future reference.
ls -l /usr2/bsmith/fio_seq
If the ls -l fails with a cannot access directory (or similar) error, the permissions on one or more of the directories are too restrictive. To access a directory, the directory must allow you EXECUTE permissions. Adjust the permissions or move the file to a directory that will allow access. If you are not the owner of the directories, you will need to ask the owner, or someone with root privileges, for assistance.
After adjusting the permissions, verify directory access to the file by performing an ls -l on the full path to the file. If the ls -l succeeds, the permissions set on the file are displayed. For example:
-rw-r--r-- 1 prod general 4870 Aug 18 1993 /usr2/bsmith/fio_seq
Evaluate the file's ownerships and permissions, including the group permissions, to determine if they allow the type of access required by the requesting application. Except as noted below, all files opened by AcuServer must allow READ and WRITE access. Under Sun OS with ACUCOBOL-GT Version 2.1.2 or later, files having READ only permissions may be opened INPUT.
If the file's permissions need changing and the file is not owned by you, you will need to enlist the assistance of the owner of the file or someone with root privileges.
Once the file and directories permit access, run the application again. If the program fails when attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, perform the Confirming the user name diagnostics (below).
After the permissions have been adjusted, run the application again. If the program fails attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, proceed to the next section. Otherwise, contact Customer Support.
If you are using a Windows NT, Windows 2000 to 2008 server, verify that the file and directory permissions grant access to the user name.
File/Properties/Security/Permissions
from the menus. If the permissions are too restrictive, adjust the permissions or move the file to a directory that will allow access.
When AcuServer is running as a Windows service, it belongs to an implicit group called SYSTEM. Otherwise it should belong to the Administrators group. If you are using AcuServer system security, make sure that the SYSTEM and Administrators groups are added to your file permissions with Full Control. This step is not necessary if you are implementing Windows NT security.
Under AcuServer system security, files created by AcuServer are owned by the administrators group and allow Full Control for SYSTEM and Administrator. Everyone is given the permissions specified by the third digit in the umask in the AcuAccess file.
If you are not the owner of the directory or file, you will need to ask the owner, or someone with administrator privileges, for assistance.
Once the file and directories permit access, run the application again. If the program fails when attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, perform the Confirming the user name diagnostics (below).
After the permissions have been adjusted, run the application again. If the program fails attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, proceed to the next section. Otherwise contact Customer Support.
Confirm the user name that AcuServer is using when the access denied error occurs (see also sectino Unexpected User Name).
Note that some procedures require root or administrator privileges. If you don't have these privileges, enlist the assistance of your AcuServer or system administrator.
On UNIX systems:
Enter who am I at the UNIX prompt.
On Windows systems:
If a user is logged into a Windows NT/2000 workgroup or domain, AcuServer will use the user's log-in name. Otherwise, it uses the user name value that is set by the environment variable USERNAME. If USERNAME is not set, the runtime uses the value that is set by the environment variable USER. (The values of these variables are case-sensitive.) If neither of these environment variables is set, the runtime uses the literal string USER.
To confirm the presence (or absence) of the USERNAME environment variable, enter SET at the command prompt. SET will display the values of all environment variables.
COMSPEC=C:\COMMAND.COM PATH=C:\;C:\WINDOWS;C:\MOUSE; PROMPT=$P$G USERNAME=BERNIE
If USERNAME is defined, the value of USERNAME is the name passed to AcuServer. Otherwise, the variable USER is checked. If USER is not set, then the literal string USER is passed.
acuserve: 06/13/94 12:43:44 - Server version: 010000 Client version: 010000 acuserve: 06/13/94 12:43:44 - AUTHORIZATION request from user:bernie >> client:starling, PASSWORD-ATTEMPTS allowed:3 >> Mapping user:bernie to local user:bsmith >> Socket:5, uid:205, gid:101 >> Password is not required acuserve: adding client:starling, user:bernie, pid:18397, fid:57a28
If the local user name is not the one you expect, consult with your AcuServer system administrator to verify that it is the correct user name. Your system administrator can make any necessary changes to the server access file.
When you no longer want tracing enabled, type acuserve -config again, then type set FILE_TRACE 0 at the prompt.
Get the name and path of the file that produces the access denied error.
runcbl -x your-usual-options program-name
If the -x option doesn’t produce the full name and path, run the application in the debugger with FILE TRACE enabled and examine the log file for the first occurrence of an access error. The file name that precedes the error is the file generating the error.
To run the debugger enter:
runcbl -dle error-file your-usual-options program-name
-d turns on the debugger. -l causes the contents of the runtime configuration file to be included in the error output. -e causes file trace and error output to be placed in error-file.
After starting your program, you will be at the debugger screen. Turn on file tracing by entering
tf
FILE TRACE will be echoed to the screen. To start program execution, enter:
g
Allow the program to run until you encounter the error condition, and then exit. Your log file will contain the error information, all COBOL configuration file variables that have been set, and a record of every OPEN, READ, and WRITE.
Examine the log file and find the error output for the access denied error. The file name that precedes the error is the file generating the error. Note the full path of the file and retain the log file for future reference.
If you are using a UNIX server, verify that the file and directory permissions grant access to the user name:
ls -l /usr2/bsmith/fio_seq
If the ls -l fails with a cannot access directory (or similar) error, the permissions on one or more of the directories are too restrictive. To access a directory, the directory must allow you EXECUTE permissions. Adjust the permissions or move the file to a directory that will allow access. If you are not the owner of the directories, you will need to ask the owner, or someone with root privileges, for assistance.
After adjusting the permissions, verify directory access to the file by performing an ls -l on the full path to the file. If the ls -l” succeeds, the permissions set on the file are displayed. For example:
-rw-r--r-- 1 prod general 4870 Aug 18 1993 /usr2/bsmith/fio_seq
Evaluate the file’s ownerships and permissions, including the group permissions, to determine if they allow the type of access required by the requesting application. Except as noted below, all files opened by AcuServer must allow READ and WRITE access. Under Sun OS with ACUCOBOL-GT version 2.1.2 or later, files having READ only permissions may be opened INPUT.
If the file’s permissions need changing and the file is not owned by you, you will need to enlist the assistance of the owner of the file or someone with root privileges.
Once the file and directories permit access, run the application again. If the program fails when attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, perform the Confirming the user name diagnostics (below).
After the permissions have been adjusted, run the application again. If the program fails attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, proceed to the next section. Otherwise, contact Customer Support.
If you are using a Windows NT, Windows 2000 - 2008 server, verify that the file and directory permissions grant access to the user name.
When AcuServer is running as a Windows service, it belongs to an implicit group called SYSTEM. Otherwise it should belong to the Administrators group. If you are using AcuServer system security, make sure that the SYSTEM and Administrators groups are added to your file permissions with Full Control. This step is not necessary if you are implementing Windows NT security.
Under AcuServer system security, files created by AcuServer are owned by the Administrators group and allow Full Control for SYSTEM and Administrator. Everyone is given the permissions specified by the third digit in the umask in the AcuAccess file.
If you are not the owner of the directory or file, you will need to ask the owner, or someone with Administrator privileges, for assistance.
Once the file and directories permit access, run the application again. If the program fails when attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, perform the Confirming the user name diagnostics (below).
After the permissions have been adjusted, run the application again. If the program fails attempting to access the same file and you have not yet confirmed the user name that AcuServer is using, proceed to the next section. Otherwise contact Customer Support.
Confirm the user name that AcuServer is using when the access denied error occurs. See Unexpected User Name for more information.
Note that some procedures require root or Administrator privileges. If you don’t have these privileges, enlist the assistance of your AcuServer or system administrator.
Enter who am i at the UNIX prompt.
If a user is logged into a Windows NT/2000 workgroup or domain, AcuServer will use the user’s log-in name. Otherwise, it uses the user name value that is set by the environment variable USERNAME. If USERNAME is not set, the runtime uses the value that is set by the environment variable USER. (The values of these variables are case-sensitive.) If neither of these environment variables is set, the runtime uses the literal string USER.
To confirm the presence (or absence) of the USERNAME environment variable, enter SET at the command prompt. SET will display the values of all environment variables.
COMSPEC=C:\COMMAND.COM PATH=C:\;C:\WINDOWS;C:\MOUSE; PROMPT=$P$G USERNAME=BERNIE
If USERNAME is defined, the value of USERNAME is the name passed to AcuServer. Otherwise, the variable USER is checked. If USER is not set, then the literal string USER is passed.
acuserve: 06/13/94 12:43:44 - Server version: 010000 Client version: 010000 acuserve: 06/13/94 12:43:44 - AUTHORIZATION request from user:bernie >> client:starling, PASSWORD-ATTEMPTS allowed:3 >> Mapping user:bernie to local user:bsmith >> Socket:5, uid:205, gid:101 >> Password is not required acuserve: adding client:starling, user:bernie, pid:18397, fid:57a28
If the local user name is not the one you expect, consult with your AcuServer system administrator to verify that it is the correct user name. Your system administrator can make any necessary changes to the server access file.
When you no longer want tracing enabled, type acuserve -config again, then type set FILE_TRACE 0 at the prompt.