03-22-2006 07:37 PM
Verifying access rights to a file on behalf of a requesting process
I'm writing a server program to operate on a given file at the request of a client program. The client process will send a "process file XXX.DAT" command to the server, the server will do what it needs to do to XXX.DAT, and report status back to the client. The client process and server process will be running on the same VMScluster at the same time; I'm using ICC routines for communication between client and server.
Ideally the server process should confirm that the client process has the necessary privileges and/or rights identifiers to access the file. (For this application, READ is the only access required.)
I've looked at $CHECK_ACCESS and $CHKPRO and both seem to work on the basis of what is in the client username's SYSUAF record, rather than on the currently active privileges and rights identifiers of the client process.
What's the correct way to do this?
Thanks,
Jeremy Begg
03-22-2006 08:56 PM
Re: Verifying access rights to a file on behalf of a requesting process
The whole process of checking access rights is complicated (see http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/00/00/39-con.html ), so $CHKPRO is probably your best bet.
In the docs ( http://h71000.www7.hp.com/doc/82FINAL/4527/4527pro_015.html#jun_114 ) I don't see anything pointing to "what is in the client username's SYSUAF record", only CHP$_OWNER (the object owner's UIC) and CHP$_UIC (the accessor's UIC), used in conjunction with CHP$_PROT to determine access through the protection mask.
cu,
Martin
03-22-2006 09:12 PM
Re: Verifying access rights to a file on behalf of a requesting process
Take a look at $persona_create. You can use the flags to control AUTH or DEF privs. Whenever you're doing work on behalf of a client you can $persona_assume to that particular profile and not have to worry about any other additional checking.
Oh! Except for the bit about how do you verify that the client is who he says he is?
Cheers Richard
PS. There is software out there that does this sort of thing. (Not with ICC but with DECnet or TCP/IP.) Tells the server the Username that's to perform a unit of work for and gives you a persona ID to assume if and when you want it. FWIW.
03-22-2006 09:35 PM
Re: Verifying access rights to a file on behalf of a requesting process
Wim
03-22-2006 09:46 PM
Re: Verifying access rights to a file on behalf of a requesting process
I strongly recommend that you do not "check the access rights", but that you attempt to access the file for READ using the UIC of the requestor.
The PERSONA system service was meant for this purpose (see the System Services reference manual and the OpenVMS Guide to System Security). Among other things, if the user DOES NOT have the correct rights, proper use of PERSONA will ensure that the appropriate audit trails are created, rather than providing a stealth way to check for file accessibility.
While your fact pattern is admittedly abstracted, why is it not acceptable to just use cluster wide disk sharing with conventional RMS (or alternatively, DECnet Remote File access with RMS)? I do not see what is gained by going through a server in this situation.
- Bob Gezelter, http://www.rlgsc.com
03-23-2006 09:59 AM
Re: Verifying access rights to a file on behalf of a requesting process
Seeing how everyone seems agreed on persona system services, you might want to ask Rdb (directly or through JCC listserver) why they don't support SQL> Set Session Authorization Using 'Persona :ws_persona';
And while we're attaching code, here's an example of a server with *all* the code you'd have to write to do a Queue lookup program from a PC. (All the authorization username/password, network communications (DECnet or TCP/IP) and multi-threading min servers/max servers is all done for you.)
Just 6 routines in a shareable image!
Anyway look for "Persona" to see if it helps. I have an example accessing Rdb if you'd like?
Cheers Richard
03-23-2006 11:25 AM
Re: Verifying access rights to a file on behalf of a requesting process
My problem is that I need to check the access rights to a file on behalf of another process on the system - taking into consideration that the other process might be running with elevated privileges or additional rights identifiers at the time it makes the request. In other words I need to know if the requesting (client) process has READ access to the file *right now*, not at some later or earlier time and not necessarily based on the process' UIC, privileges or rights list as listed in SYSUAF.
03-23-2006 08:44 PM
Re: Verifying access rights to a file on behalf of a requesting process
I think I now understand your question, if not your requirement, so here's a variation on my earlier reply.
(Ideally I suggest $persona_reserve in the server and $persona_delegate in the client side but I'm pretty sure they only work on the same node and you're using ICC so Plan B.)
Still do the $persona_create, or perhaps a $persona_find first to see if you've already done this once. (VMS personae inventory is not that great :-( No facility/owner codes and no way of restricting searches to just inner mode etc.)
Then via $persona_query on the current persona and/or $getjpi the client code could assemble all the privilege and rightslist info needed and send it to the server who could then $persona_modify the template it had already created before assuming it. (Or the server could do a $getjpi for itself to glean the information required?)
Is your client code an RTL (Inner Mode?) or do you own the whole client image?
What if the client has elevated privs and rights 'cos that's how the image he's executing was installed? Do you want to honour those image privs in the server?
What is the client process/thread doing while the server's working? Waiting? Synchronous calls only?
Sorry if this doesn't get you any further and I've got it wrong again, but if nobody else has the answer either then a bit more meat on the bones of the requirement spec may help. Certainly couldn't hurt. Your requirement is a bit unusual (at least to me.)
Cheers Richard
PS. I've attached a TIER3 V3.1 example that uses T3$PERSONA_ASSUME in a server that requires absolutely zero privs! (Not even detach/impersonate) Please get in touch with Oracle Rdb support/engineering and beg them for this essential persona support! What about you ACMS users?
FYI - The code also illustrates how to update Rdb in a Two-Phase Commit with Microsoft SQL Server and MTS/DTC.
03-24-2006 05:59 AM
Re: Verifying access rights to a file on behalf of a requesting process
1.) Call SYS$GETJPIW with JPI$_CURPRV for the target process to get current privs as of this moment, regardless of what's in the UAF, etc.
2.) Call SYS$CREATE_USER_PROFILE once to find out the space required for the profile, and allocate what it tells you.
3.) Call SYS$CREATE_USER_PROFILE again to retrieve the actual profile.
4.) Call SYS$CHECK_ACCESS with the user profile as the 8th argument.
There is an example in Perl_cando_by_name in [.vms]vms.c in the Perl sources, most easily browsed at:
http://public.activestate.com/cgi-bin/perlbrowse?file=vms%2Fvms.c
The Perl function only looks at the current process, but that's just a matter of changing the $GETJPI call, assuming you've got the PID of the client.
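The four steps above carried through as one C routine. This is an added example written for this page; it is neither the poster's code nor the Perl_cando_by_name routine from the Perl sources. The server takes the client's PID and the file name, reads JPI$_CURPRV and JPI$_USERNAME for that PID with SYS$GETJPIW, sizes and then builds a user profile with SYS$CREATE_USER_PROFILE (CHP$_PRIV carries the live privileges), and passes that profile as the eighth argument of SYS$CHECK_ACCESS. Assumptions: the server already knows the client's PID (the thread leaves open how it learns it), the OpenVMS C headers named in the includes are available, the sizing call with a zero-length buffer returns SS$_BUFFEROVF, and the helper names set_item, set_desc, status_is_success and STATUS_NOT_VMS are mine. On a compiler without `__VMS` defined the service calls are compiled out so the file still builds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __VMS
#include <starlet.h>   /* sys$getjpiw, sys$create_user_profile, sys$check_access */
#include <descrip.h>   /* struct dsc$descriptor_s, DSC$K_DTYPE_T, DSC$K_CLASS_S */
#include <jpidef.h>    /* JPI$_CURPRV, JPI$_USERNAME */
#include <chpdef.h>    /* CHP$_PRIV, CHP$_ACCESS */
#include <armdef.h>    /* ARM$M_READ */
#include <acldef.h>    /* ACL$C_FILE */
#include <ssdef.h>     /* SS$_NORMAL, SS$_NOPRIV, SS$_BUFFEROVF, SS$_INSFMEM */
#endif

/* Item-list-3 entry, the layout $GETJPI, $CREATE_USER_PROFILE and $CHECK_ACCESS
 * all read; an all-zero entry terminates the list. */
struct itmlst3 { unsigned short buflen, itmcode; void *bufadr; unsigned short *retlen; };

void set_item(struct itmlst3 *e, unsigned short len, unsigned short code,
              void *buf, unsigned short *ret)
{ e->buflen = len; e->itmcode = code; e->bufadr = buf; e->retlen = ret; }

/* An OpenVMS condition value is a success code when its low bit is set. */
int status_is_success(unsigned int status) { return (status & 1) != 0; }

/* Constructed sentinel for builds without the services; 0 is never a valid
 * OpenVMS condition value. */
#define STATUS_NOT_VMS 0u

#ifdef __VMS
static void set_desc(struct dsc$descriptor_s *d, char *p, unsigned short len)
{
    d->dsc$w_length = len;  d->dsc$b_dtype = DSC$K_DTYPE_T;
    d->dsc$b_class = DSC$K_CLASS_S;  d->dsc$a_pointer = p;
}
#endif

/* Returns the $CHECK_ACCESS status for READ by process `pid`: SS$_NORMAL if the
 * client may read `filename` right now, SS$_NOPRIV if not, or the status of
 * whichever service call failed. */
unsigned int check_client_read_access(unsigned int pid, const char *filename)
{
#ifdef __VMS
    unsigned int       status, client_pid = pid, iosb[2], prolen = 0, contxt = 0;
    unsigned int       objtyp = ACL$C_FILE, access = ARM$M_READ;
    unsigned long long curprv = 0;      /* JPI$_CURPRV is a quadword mask */
    char               username[12];    /* JPI$_USERNAME, blank padded */
    unsigned short     prv_len = 0, usr_len = 0;
    char              *probuf;
    struct dsc$descriptor_s usrdsc, objdsc, prodsc;
    struct itmlst3 jpi_items[3], prof_items[2], chk_items[2];

    /* Step 1: the privileges the client holds at this moment, not its SYSUAF
     * values, plus its username for the profile and the audit record. */
    set_item(&jpi_items[0], sizeof curprv,   JPI$_CURPRV,   &curprv,  &prv_len);
    set_item(&jpi_items[1], sizeof username, JPI$_USERNAME, username, &usr_len);
    set_item(&jpi_items[2], 0, 0, NULL, NULL);
    status = sys$getjpiw(0, &client_pid, 0, jpi_items, iosb, 0, 0);
    if (status_is_success(status)) status = iosb[0] & 0xffff;
    if (!status_is_success(status)) return status;
    while (usr_len > 0 && username[usr_len - 1] == ' ') usr_len--;
    set_desc(&usrdsc, username, usr_len);

    /* Step 2: size the profile. The zero-length buffer is assumed to come back
     * with SS$_BUFFEROVF and the required size in prolen. */
    set_item(&prof_items[0], sizeof curprv, CHP$_PRIV, &curprv, NULL);
    set_item(&prof_items[1], 0, 0, NULL, NULL);
    set_desc(&prodsc, NULL, 0);
    status = sys$create_user_profile(&usrdsc, prof_items, 0, &prodsc, &prolen, 0);
    if (!status_is_success(status) && status != SS$_BUFFEROVF) return status;

    /* Step 3: build the real profile; CHP$_PRIV replaces the UAF privileges. */
    if ((probuf = malloc(prolen)) == NULL) return SS$_INSFMEM;
    set_desc(&prodsc, probuf, (unsigned short)prolen);
    status = sys$create_user_profile(&usrdsc, prof_items, 0, &prodsc, &prolen, 0);
    if (!status_is_success(status)) { free(probuf); return status; }

    /* Step 4: let the security subsystem decide, with the profile as the 8th
     * argument so it is used in place of the SYSUAF-derived one. */
    set_item(&chk_items[0], sizeof access, CHP$_ACCESS, &access, NULL);
    set_item(&chk_items[1], 0, 0, NULL, NULL);
    set_desc(&objdsc, (char *)filename, (unsigned short)strlen(filename));
    status = sys$check_access(&objtyp, &objdsc, &usrdsc, chk_items, &contxt, 0, 0, &prodsc);
    free(probuf);
    return status;
#else
    (void)pid; (void)filename;
    return STATUS_NOT_VMS;
#endif
}

int main(int argc, char **argv)
{
    unsigned int pid, status;
    if (argc != 3) { fprintf(stderr, "usage: %s <client-pid-hex> <file>\n", argv[0]); return 1; }
    pid = (unsigned int)strtoul(argv[1], NULL, 16);
    status = check_client_read_access(pid, argv[2]);
#ifdef __VMS
    if (status == SS$_NORMAL)      printf("%08X may READ %s\n", pid, argv[2]);
    else if (status == SS$_NOPRIV) printf("%08X may NOT read %s\n", pid, argv[2]);
    else                           printf("check failed, status %%X%08X\n", status);
    return (int)status;            /* OpenVMS convention: exit with the condition value */
#else
    printf("status %u: OpenVMS system services are not available on this platform\n", status);
    return 0;
#endif
}
```

SS$_NORMAL from SYS$CHECK_ACCESS means the client may read the file, SS$_NOPRIV means it may not, and any other value means one of the calls failed and the answer is unknown, which a server should treat as a denial. Two caveats for anyone deploying this: the server needs GROUP or WORLD privilege to query a process it does not own with $GETJPI, and the profile above carries only the client's current privileges; the additional rights identifiers the original question also asks about would have to be fetched from the client process and added to the profile in the same way, which this example does not show. The result is also a snapshot, so the check and the subsequent file operation should happen close together.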