Everhart, Glenn
From:	Veli Körkkö [korkko@decus.fi]
Sent:	Wednesday, February 24, 1999 8:17 AM
To:	Info-VAX@Mvb.Saic.Com
Subject:	OpenVMS V7.2 Alpha and installed image privileges not propagated to subprocess subprocess
Below is very simple C program.

----------------------
#include <stdio.h>
#include <descrip.h>
#include <lib$routines.h>

char cmd[]="$ show proce/all";    /* any DCL command can go here */
$DESCRIPTOR (clicmd,cmd);

main ()
{
    unsigned int rstatus;
    unsigned int compstatus;
    printf(" starting the spawn\n");
    rstatus = lib$spawn ( &clicmd, 0, 0, 0, 0, 0, &compstatus );
    printf("\n The spawn status is:                 %d \n",rstatus );
    printf("\n The subprocess completion status is: %d \n",compstatus );
}
-----------------------

If this program is compiled and link with /NOTRACEBACK,
in can then be installed with privileges, say with /PRIVI=SYSPRV.

Now, with the program install with say SYSPRV, non-prived user
running this program will have

Authorized privileges:
 NETMBX    SYSPRV    TMPMBX

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox


when used on OpenVMS VAX V6.2, V7.1 as well as on OpenVMS VAX V7.2.

But if we use this very same program on Alpha, we see privileges
just like above on V6.2 and V7.1. Unfortunately V7.2 seems to
different, i.e. the spawned process sees

Authorized privileges:
 NETMBX    TMPMBX

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox


I guess this is another "feature" that crept into VMS V7.2
when those per-thread security features were added.


Unfortunately the program that we actually use, is not ours
hence we cannot modify the program. Of course we could give
the necessary privileges to the users...

Shall we soon see patch fixing this and other privilege
related "features"?