From: CSBVAX::MRGATE!@KL.SRI.Com:briggs%gburg.decnet@bluto.scc.com@SMTP 26-JUN-1987 18:47
To: EVERHART
Subj: privileged command procedures

Received: from bluto.scc.com by KL.SRI.COM with TCP; Fri 26 Jun 87 09:40:48-PDT
Date: 26 Jun 87 12:31:00 EST
From: "GBURG::BRIGGS"
Subject: privileged command procedures
To: "info-vax"
Reply-To: "GBURG::BRIGGS"

>I've got a problem with command procedures. Is there a possibility to give
>several specific privileges to a command procedure which are only active
>when the command procedure is executed?
>This problem occurs when someone of our chair makes backups for me; he always
>needs the password of the system manager and automatically has access
>to all features of the MicroVax system.
>Therefore I'd prefer to give the privileges needed for this task to a command
>procedure instead of telling the password.
>As far as I know this way of putting privileges to procedures is possible
>for program modules using the concept of the shared images. Can something
>like this be done for command procedures as well?

You can install a privileged image that will LIB$SPAWN a chunk of privileged
DCL code. Note that you have to be fairly careful about how you set it up to
keep someone from taking advantage of the command file.

Privileged image: (Fortran)

        INTEGER STATUS, SUB_STATUS, LIB$SPAWN
        STATUS = LIB$SPAWN ( '@SYS$MANAGER:COMFILE',,, 6,,, SUB_STATUS )
        IF ( .NOT. STATUS ) CALL SYS$EXIT ( %VAL(STATUS) )
        IF ( .NOT. SUB_STATUS ) CALL SYS$EXIT ( %VAL(SUB_STATUS) )
        END

! Note the FLAGS value of 6 to prevent propagation of CLI
! symbols or logical names. This is to keep the user from
! spoofing the command procedure. Otherwise, a user might
! redefine SYS$SYSTEM as a logical name or COPY as a DCL
! symbol.

Compile, link /NOTRACEBACK and install /PRIV=whatever the image. The command
procedure will inherit the privileges with which the image is installed.

NOTE: the enhanced privileges are inherited as authorized privileges only.
You have to do an F$SETPRV or SET PROCESS/PRIV to enable them. Otherwise the
procedure inherits the unenhanced default privs of the user.

Command file:

        $ DEASSIGN /JOB /ALL
        $ ASSIGN LNM$SYSTEM LNM$GROUP /TABLE=LNM$PROCESS_DIRECTORY
        $ SET PROCESS /PRIVILEGE=(desiredprivs)
        ...

The first two lines in the command procedure are required to keep logical
names in the job and group logical name tables from affecting the command
procedure. The third line is required to actually enable the authorized
privileges inherited from the privileged image.

******************** CAUTION *********************
This is not bulletproof. I've put in all the fail safes that I can think of,
but a clever hacker can probably defeat this. The standard cautions that DEC
gives regarding captive command procedures also apply. Make sure the command
file is execute only. Also deny world access to the privileged image source
code. This will minimize your exposure -- anyone trying to spoof the procedure
will be doing so blindly.
**************************************************

Neither I nor my company make any claims regarding the usability or
correctness of this technique. If any problems occur, the secretary will
disavow all knowledge.

John Briggs
Arpa:  BRIGGS@BLUTO.SCC.COM
Ma:    (301)840-4932
Snail: CONTEL ASD
       1300 Quince Orchard Blvd.
       Gaithersburg, MD 20878
------
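A fuller version of the spawned command file, written as an added example rather than Briggs's own procedure: it applies the two logical-name safeguards from the message, enables only the privilege the backup needs, verifies that the privilege actually took effect, and drops it again on every exit path. The device names DUA0: (disk) and MUA0: (tape) and the save-set label are assumed placeholders for your site.

```dcl
$! COMFILE.COM -- spawned by the installed image with flags 6 (NOCLISYM+NOLOGNAM).
$! Added example, not the procedure from the message above. Assumed names:
$! DUA0: (disk to back up), MUA0: (tape drive), USERS01 (tape label).
$ SET NOCONTROL=Y                  ! no Ctrl/Y escape into a privileged DCL level
$ SET NOON                         ! errors are checked explicitly below
$ DEASSIGN /JOB /ALL               ! drop job logical names the caller may have set
$ ASSIGN LNM$SYSTEM LNM$GROUP /TABLE=LNM$PROCESS_DIRECTORY   ! hide the group table
$!
$! Enable only what BACKUP needs to read everybody's files; the image should
$! be INSTALLed with just this privilege, not the full system-manager set.
$ SET PROCESS /PRIVILEGE=(READALL)
$ IF .NOT. $STATUS THEN GOTO NOPRIV
$ IF F$PRIVILEGE("READALL") .EQS. "FALSE" THEN GOTO NOPRIV
$!
$! Fully specified command and file specifications: NOCLISYM keeps the caller's
$! symbols out of this subprocess, and not relying on defaults avoids the rest.
$ BACKUP /LOG DUA0:[USERS...]*.*;* MUA0:USERS.BCK /LABEL=USERS01 /REWIND
$ saved_status = $STATUS
$ SET PROCESS /PRIVILEGE=(NOREADALL)   ! privilege is not needed past this point
$ IF .NOT. saved_status THEN GOTO BADBACKUP
$ WRITE SYS$OUTPUT "Backup of DUA0:[USERS...] completed"
$ EXIT 1
$!
$NOPRIV:
$ WRITE SYS$OUTPUT "READALL not available; check INSTALL /PRIV on the image"
$ EXIT 2
$!
$BADBACKUP:
$ WRITE SYS$OUTPUT "BACKUP failed; see the messages above"
$ EXIT 'saved_status'
```

Install the file execute-only for the backup operator's UIC, as the message advises, so the procedure's contents cannot be read and studied by the people who invoke it.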