Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!utgpu!water!watnot!watmath!clyde!cbatt!ucbvax!CITHEX.CALTECH.EDU!carl From: carl@CITHEX.CALTECH.EDU.UUCP Newsgroups: mod.computers.vax Subject: Re: Submission for mod-computers-vax Message-ID: <870331080702.09g@CitHex.Caltech.Edu> Date: Tue, 31-Mar-87 11:07:11 EST Article-I.D.: CitHex.870331080702.09g Posted: Tue Mar 31 11:07:11 1987 Date-Received: Fri, 3-Apr-87 04:17:57 EST References: <8703301747.AA28949@unix.macc.wisc.edu> Sender: daemon@ucbvax.BERKELEY.EDU Distribution: world Organization: The ARPA Internet Lines: 37 Approved: info-vax@sri-kl.arpa > Can some one point me to a guide on secure use of the bypass privilege? > I want to write a privileged program to access a file, for example > SYS$SYSTEM:WHATEVER.DAT. What keeps a user from redefining SYS$SYSTEM > to point to some other directory and then running the program so that > it accesses the wrong file? There are two ways that VMS utilities do this: 1) They specify a logical name table to use for the translation of the logical name; thus, a redefinition of the logical name in the user's process, job, or group logical name table wouldn't affect the program's behavior, and the user needs SYSNAM to define a logical name in the system name table. 2) They ignore user- and supervisor-mode logical names, so the logical name must be defined in EXECUTIVE or KERNEL mode; to do this, the user would need CMKRNL priv. Since either CMKRNL or SYSNAM priv is sufficient to suborn the entire operating system, these checks should be sufficient for your purposes. > I also want to access a file from a privileged program as if I were > some user other than the one running the program. In other words, > user A runs the program and asks to do something that requires updating > file F. The program knows this is ok if user B could do the same thing > to file F without any special privileges. What does the program do to > determine this? The easiest (and probably best) way to do this is to use SYS$CHECKACCESS. You tell the system service what type of object you want to check, the name of the object, the username whose access you want to check, and a description of what you want to know about the way the user could access the object (e.g., what type of access you want to check, which access modes you want to check, what privs he has that he'd need to use to access the object, what security alarms he'd set off if he accessed it, or if an ACL granted him access, which ACE in the ACL gave him access). The system service apparently does not distinguish between the case in which the user you're interested in doesn't have the privs to access the object and the case in which you don't have the privs to check to see if the other user has the privs necessary to access the object.