Re: Verifying access rights to a file on behalf of a requesting process

Jeremy Begg · ‎03-22-2006

Hi,

I'm writing a server program to operate on a given file at the request of a client program. The client process will send a "process file XXX.DAT" command to the server, the server will do what it needs to do to XXX.DAT, and report status back to the client. The client process and server process will be running on the same VMScluster at the same time; I'm using ICC routines for communication between client and server.

Ideally the server process should confirm that the client process has the necessary privileges and/or rights identifiers to access the file. (For this application, READ is the only access required.)

I've looked at $CHECK_ACCESS and $CHKPRO and both seem to work on the basis of what is in the client username's SYSUAF record, rather than on the currently active privileges and rights identifiers of the client process.

What's the correct way to do this?

Thanks,

Jeremy Begg

Martin Vorlaender · ‎03-22-2006

Jeremy,

the whole process of checking access rights is complicated (see http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/00/00/39-con.html ), so $CHKPRO is probably your best bet.

In the docs ( http://h71000.www7.hp.com/doc/82FINAL/4527/4527pro_015.html#jun_114 ) I don't see anything poining to "what is in the client username's SYSUAF record", only CHP$_OWNER (the object owner's UIC) and CHP$_UIC ( the accessor's UIC), used in conjunction with CHP$_PROT to determine access through the protection mask.

cu,
Martin

Richard J Maher · ‎03-22-2006

Hi Jeremy,

Take a look at $persona_create. You can use the flags to control AUTH or DEF privs. Whenever you're doing work on behafl of a client you can $persona_assume to that particular profile and not have to worry about any other adddition checking.

Oh! Except for the bit about how do you verify that the client is who he says he is?

Cheers Richard

PS. There is software out there that does this sort of thing. (Not with ICC but with DECnet or TCP/IP) Tells the server the Username that's to to perform a unit of work for and gives you a persona ID to assume if and when you want it. FWIW.

Wim Van den Wyngaert · ‎03-22-2006

I found this coding example is persona.c of WASD (on freeware cd or download). It may help you.

Wim

Wim

Robert Gezelter · ‎03-22-2006

Jeremy,

I strongly recommend that you do not "check the access rights", but that you attempt to access the file for READ using the UIC of the requestor.

The PERSONA system service was meant for this purpose (see the System Services reference manual and the OpenVMS Guide to System Security). Among other things, if the user DOES NOT have the correct rights, proper use of PERSONA will ensure that the appropriate audit trails are created, rather than providing a stealth way to check for file accessibility.

While your fact pattern is admittedly abstracted, why is is not acceptable to just use cluster wide disk sharing with conventional RMS (or alternatively, DECnet Remote File access with RMS)? I do not see what is gained by going through a server in this situation?

- Bob Gezelter, http://www.rlgsc.com

Richard J Maher · ‎03-23-2006

Hi Jeremy,

Seeing how everyone seems agreed on persona system services, you might want to ask Rdb (directly or through JCC listserver) why they don't support SQL> Set Session Authorization Using 'Persona :ws_persona';

And while we're attaching code, here's an example of a server with *all* the code you'd have to write to do a Queue lookup program from a PC. (All the Authorization username/password, Network communications (DECnet or TCP/IP and Multi-threading Min Servers/Max Servers Is all done for you.

Just 6 routines in a shareable image!

Anyway look for "Persona" to see if it helps. I have an example accessing Rdb if you'd like?

Cheers Richard

Jeremy Begg · ‎03-23-2006

I hate to say it but I thnk you've all missed my point, so let me try to rephrase it.

My problem is that I need to check the access rights to a file on behalf of another process on the system - taking into consideration that the other process might be running with elevated privileges or additional rights identifiers at the time it makes the request. In other words I need to know if the requesting (client) process has READ access to the file *right now*, not at some later or earlier time and not necessarily based on the process' UIC, privileges or rights list as listed in SYSUAF.

Richard J Maher · ‎03-23-2006

Hi Jeremy

I think I now understand your question, if not your requirement, so here's a variation on my earlier reply.

(Ideally I suggest $persona_reserve in the server and $persona_delegate in the client side but I'm pretty sure they only work on the same node and you're using ICC so Plan B.)

Still do the $persona_create, or perhaps a $persona_find first to see if you've already done this once. (VMS personae inventory is not that great :-( No facility/owner codes and no way of restricting searches to just inner mode etc)

Then via $persona_query on the current persona and/or $getjpi the client code could assemble all the privilege and rightslist info needed and send it to the server who could then $persona_modify the template it had already created before assuming it. (Or the server could do a $getjpi for itself to glean the information required?)

Is your client code an RTL (Inner Mode?) or do you own the whole client image?

What if the client has elevated privs and rights 'cos that's how the image he's executing was installed? Do you want to honour those image privs in the server?

What is the client process/thread doing while the servers working? Waiting? Synchronous calls only?

Sorry if this doesn't get you any further and I've got it wrong again, but if nobody else has the answer either then a bit more meat on the bones of the requirement spec may help. Certainly couldn't hurt. Your requirement is a but unusual (at least to me.)

Cheers Richard

PS. I've attached a TIER3 V3.1 example that uses T3$PERSONA_ASSUME in a server that requires absolutely zero privs! (Not even detach/impersonate) Please get in touch with Oracle Rdb support/engineering and beg them for this essential persona support! What about you ACMS users?

FYI - The code also illustrates how to update Rdb in a Two-Phase Commit with Microsoft SQL Server and MTS/DTC.

Craig A Berry · ‎03-24-2006

The folks suggesting persona services sound like they know what they're talking about and should be listened to. However, if you still want an answer to your original question, you need to:

1.) Call SYS$GETJPIW with JPI$_CURPRV for the target process to get current privs as of this moment, regardless of what's in the UAF, etc.

2.) Call SYS$CREATE_USER_PROFILE once to find out the space required for the profile, and allocate what it tells you.

3.) Cal SYS$CREATE_USER_PROFILE again to retrieve the actual profile.

4.) Call SYS$CHECK_ACCESS with the user profile as the 8th argument.

There is an example in Perl_cando_by_name in [.vms]vms.c in the Perl sources, most easily browsed at:

http://public.activestate.com/cgi-bin/perlbrowse?file=vms%2Fvms.c

The Perl function only looks at the current process, but that's just a matter of changing the $GETJPI call, assuming you've got the PID of the client.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Verifying access rights to a file on behalf of a requesting process

Verifying access rights to a file on behalf of a requesting process