From:	CSBVAX::MRGATE!@KL.SRI.Com,@wiscvm.wisc.edu:AWPSYS@RITVAX.BITNET@SMTP 13-AUG-1987 02:05
To:	EVERHART
Subj:	RE: Mail and privs

Received: from wiscvm.wisc.edu by KL.SRI.COM with TCP; Wed 12 Aug 87 16:35:19-PDT
Received: from RITVAX.BITNET by wiscvm.wisc.edu ; Wed, 12 Aug 87 18:35:24 CDT
Date: 12 AUG 87 19:34-EDT
From: AWPSYS%RITVAX.BITNET@wiscvm.wisc.edu
To: INFO-VAX @ KL.SRI.COM
Subject: RE: Mail and privs


>1) Have your system manager install your TPU$CALLUSER routine by logging in
>   as SYSTEM and issuing the command:
>
>    $ RUN SYS$SYSTEM:INSTALL
>    INSTALL> filespec
>    INSTALL> ^Z
>    $
>
>   where "filespec" is the *full* file specification for your calluser image.
>   INSTALL assumes SYS$LIBRARY: for the directory, which is why you need the
>   full filespec if your file is elsewhere.


        WARNING:  If you are going to allow your own code to run privileged
        then you need to take several VERY important steps to insure
        that the code (and hence your system) remains secure.

        1)   Use $SETPRV to disable all elevated privs before executing
             any code that:

                a) Creates or reads files or accesses any "protectable"
                   object. (Logical name tables, Job controller Queues,
                   global sections...)
                b) Does input or output to SYS$OUTPUT.
                c) Creates a process via $CREPRC or LIB$SPAWN

        2)   If you DO want some code to execute privleged I/O
             (I.E with SYSPRV enabled), then only allow executive
             mode logical names to be translated when opening files.
             This means coding a user-open procedure in most
             high level languages to set the RMS FAB field FAB$B_ACMODE
             to EXEC mode on open.

        Failure to observe the above precautions when writing ANY
        code that is installed with elevated privilege can leave
        a locomotive sized security hole in your system.


Andrew W. Potter
Rochester Institute of Technology