Hi,
The great news is you will no longer find a single HP employee to waste your time with fanciful notions of pseudo-device drivers. The beast has been smited! A stake driven thru his heart means that no more will the happy village be descended upon by the tyranny of that dark shadow.
Yes children: -
. User-Written System Services are great!
. Inner-mode code is a security plus not a minus!
. Using sys$output for a log file is perfectly reasonable!
. Image Initialization routines are the mut's nuts!
. Pseudo-Device Drivers are evidently only the figment of someone's twisted imagination!
. MACRO-32 is good! And what's more, the *only* safe language for /noPROTECTed UWSS's on Itanium!
. VMSINSTAL is a fabulous kitting tool that simply ain't broke!
Yes, go out, be happy, enjoy VMS once more!
Now, faced with the original requirement in this thread, and IMHO, User-Written System Services (similar to those displayed in my attached examples) are definitely the way to go.
Also, below is a post of mine from comp.os.vms that contains some useful IMHO information about how mailbox (most device) protection works and what could be wrong with it. Please let me know if you have any corrections.
Regards Richard Maher
PS. If there is still anyone out there with a lot of time on their hands then I'm still curious to what a PDD example of a User-Authorization device-driver would look like. Any takers?
Mailbox protection issues
-------------------------
You may recall that, a few weeks back, I was asking questions about mailbox
protection related issues with inner-mode code and why sometimes my (non
system) EXEC mode code had to "up" privs with SYSPRV and other times it
didn't, when doing i/o to a mailbox that had (s:rwlp,o,g,w). At that time I
was unable to find anyone who had a clue about what they were talking about,
so I've finally got around to investigating what was going on and this is my
best guess. (If there is anyone in this newsgroup that can tell their arse
from their elbow when it comes to VMS device security checking then please
chime in will any facts relevant to correct coding.)
Maybe it's in the fine manuals? I couldn't find it. If you have a pointer
please pass it on. If not, I sure hope this helps someone else in the
future.
1) Anyone can assign a channel to a mailbox even if they have absolutely no
privileges and no SOGW or ACL access to the device
2) Access rights tests are deferred till $QIO time and ganularity is
dependant on the function code
3) Access is only checked the first time for each appropriate function codes
(A record of the checks already made is in kept in the ccb$ll_sts field of
the Channel Connect Block. ccb$v_readchkdon, writechkdon, logchkdon etc)
If this is true then that would certainly explain why I had to $setprv
(sysprv) before the initial io$_writevblk or io$_setmode but subsequently
everything was peachy. I assume the check is only done once as an
optimization, but then surely it would also make sense to have some sort of
io$_accesscheck so that the programmer could get all his checking done up
front at initialization time and not have to have a $setprv in his main
routine or in a loop?
I can understand why these checks can't be done at $assign time as there is
just not enough infomation there to describe everything that you may wish to
do on a channel in the future, but one thing *is* known and that is if you
don'y have "L" access to a mailbox then you can't do *anything* with it, and
SYS$ASSIGN (or EXE$CHKPRO_INT or whatever) should *not* assign a channel to
that device. It is just plain wrong!
What if I have a io$_setmode!io$m_waitforreader on a mailbox that has
(S:RWLP,O,W,G) protection and some idiot comes up and does a $OPEN/READ DOS
_MBA123: Does my code fire up and say "Bewdy! Our partner's there now" and
not some snotty nosed hacker? What if I rely on my temporary mailboxes dying
after all *my* channels are deassigned only to find that a third party has
assigned a channel to it and is keeping it alive? They don't have access to
my Logical Name tables but they are sure as hell stopping my $CREMBX from
creating a *new* mailbox and changing the logical name!
BTW. Why does RMS give you a NOPRIV error when you close the channel?
Did everyone else know that changing the protection on a mailbox after
channels have been assigned may or may not have the desired results? Say you
wanted to limit writers to only SYSTEM users for a while; if a WORLD or
GROUP user already done i/o on there channel they'd never see the change in
protection.
Anyway, in my case, I couldn't see how to *automatically (without $setprv)*
take advantage of being in Exec-Mode on an Exec-Mode channel. I can make
sense that you still want the checks performed. (There is a io$m_trusted
modifier that can be used to avoid the probes if your using Exec-Mode iosb
memory etc) And my channel *is* protected against User-Mode interference
which is the whole point.
Regards Richard Maher
