Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Enable/Disable dynamic identifiers in C.

 
SOLVED
Go to solution
Oscar van Eijk
Occasional Advisor

Enable/Disable dynamic identifiers in C.

Hi All,

I need to write some C code that can handle identifiers with the Dynamic attribute.

It needs to lookup if an ident has been granted (but I suppose $FIND_HOLDER will do) and if so en/disable like $ SET RIGHTS_LIST would do.

Using $PERSONA is no option, since (a) the software should run on VAX and Alpha anb (b) IMPERSONATE privs is not (always) available.

Any suggestions?

Tnx,
Oscar
19 REPLIES 19
Wim Van den Wyngaert
Honored Contributor

Re: Enable/Disable dynamic identifiers in C.

Put the code in a shareable image and install it with privs. Then link your program with it.

Wim
Wim
Wim Van den Wyngaert
Honored Contributor

Re: Enable/Disable dynamic identifiers in C.

Or install the whole program with privs.

Wim
Wim
Hoff
Honored Contributor

Re: Enable/Disable dynamic identifiers in C.

Rather than installing with privileges, I tend to prefer using "Subsystem Identifiers". These will work like installing with privileges, though avoid the broad security implications of having those privileges. Subsystem identifiers are more targeted, and more controllable. (Though unlike INSTALL and privileges, subsystem identifiers are granted via the ACL. Not via INSTALL.)

Put another way, privileges can potentially be more powerful than strictly necessary for various application requirement(s). The identifiers can provide a more targeted solution.

FWIW, the IMPERSONATE (and formerly known as DETACH) privilege is seriously powerful, too. It's an ALL-class privilege, and easily able to grant any privilege and any access that might be required. It's a BYPASS-grade privilege.

For process creation under another UIC (if that's where you're going), you can also use $sndjbc or such. With privileges.)

I tend to use a server for this sort of function, and to define the interface between the client processes and the privileged process(es).

And as for the system service programming interface for the identifier question, do look to the $GRANTID and $REVOKID services.
Oscar van Eijk
Occasional Advisor

Re: Enable/Disable dynamic identifiers in C.

Thanks for your answers, but I think I need te be a bit more clear about what I need.

The software is a development environment where users have several roles (like developer, integrator, admin...) for several products.

The filesystem (incl. CMS) is protected using ACL's, so depending on which role is being selected, the proper identifiers have to be enabled. We're using UAF's dynamic attributes when the idents are granted.

Can $GRANTID/$REVOKID do this? I understood that's only for the the rightslist database...
Jan van den Ende
Honored Contributor
Solution

Re: Enable/Disable dynamic identifiers in C.

Oscar,

om te beginnen: WELKOM bij het VMS forum!

The issue.

You _DID_ state that the identifiers ARE all created with /ATTRIB=DYNAMIC, right?

Now, if you(r system manager) also UAF> GRANTs them with tis attibute, THEN __NO__ extra privs are needed to SET RIGHTS EN/DISable them.

Minor gripe (of mine): upon login, such identifiers are always ENabled. Several times in the past years I have been advocating the possibility to have them initially disabled, but in vain sofar.

Mind, this _IS_ on the assumption that your users in several roles ARE to be trusted to behave according to their role-of-the-moment.

If you seek to enforce it, then you really should look serouously into the possibilities offered by Protected Subsystems.

But if your users also have to be able to assume "admin" roles (and I assume that also applies to the VMS environment), then you ARE down to good old trust...

(we HAVE implemented to delegate certain system management functionalities from captive menus, but that is a complete config in its own right).

Tell us more, and we probably can help you better.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.