Yes, $GRANTID is what adds an identifier to the process rightslist. It is confusing, since the AUTHORIZE (UAF) program uses the grant command when what it is really using is $ADD_HOLDER, which modifies the RIGHTSLIST file.
Subsystem identifiers are good when a program does all access to the protected objects. However, that does not seem to satisfy Oscar's requirement of "changing role".
As has been mentioned by others, the dynamic attribute specifically allows a non-privileged user to add and remove the identifier from the process rights. Therefore anything using it for security related issues is (nearly) pointless. It is a bit like granting a user an authorized privilege that is not in their default privilege set; all that is needed to enable the privilege is set proc/priv=all and all authorized privileges (other than SETPRV) will be turned on in the current privilege mask.
If that is "good enough", then Oscar could implement the solution with a command procedure. However, Oscar specifically stated this had to be done with a C program, without stating the reason for the restriction.
If your are going to do this with a program, this is what I would do, although I would verify that it works with CMS before writing a program.
Instead of using the dynamic attribute, I would use the noaccess attribute, and then use the program to turn the noaccess attribute off to enable the role, and turn the noaccess attribute back on to disable the role.
Create an identifier for each "role" with the attributes (resource,noaccess). Grant this identifier to every user that is authorized for the role, with the same attributes (resource,noaccess). Protect the object with an ACL specifying the identifier so that the special access is only available via the role identifiers.
The noaccess attribute will disable the ability of the users to access the objects unless the noaccess attribute is removed with $GRANTID. This will require privilege, but I think you are going to need the image installed with privilege anyway, to be able to use the $GRANTID system service, which states it requires a minimum of CMKRNL.
So your enable_role program will need to do the following (with at least CMKRNL priv):
1. Get requested role from user (via command line option).
2. Copy users input to local storage, and then validate what is in the local buffer. If not valid input then quit.
3. Determine identifier associated with role, and convert this ASCII ID to binary with $ASCTOID.
4. Determine if process has the identifier enabled with $GETJPI item JPI$_RIGHTSLIST (with your buffer based on size returned by item JPI$_RIGHTS_SIZE). This returns an array of identifiers and their associated attributes. Scan the list for the binary value returned by $ASCTOID. If the identifier is not found, then the user is not authorized for the role; exit. If found, look at the attribute longword for the KGB$M_NOACCESS bit. If the noaccess attribute is present, then you must remove it by calling $GRANTID.
5. Audit the change if needed. Be especially careful when doing any file opens to restrict to use of trusted logical names.
I didn't write a program to do all this, but I am reasonably sure it will work, based on the following test: created an identifier, granted the identifier to a non-privileged user, logged into that non-prived username, attempted to access files that only allowed access based on the identifier (this failed). Then from a process with CMKRNL enabled, used
$ set rights/enable/attribute=(nonoaccess)/id=
ident
And then verified that the non-prived process could access the directory. The program should have the same effect for the process running the program as the set rights/enable shown above does for another process.
Good luck,
Jon
it depends
