Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rutgers!ames!sdcsvax!ucbvax!JASPER.PALLADIAN.COM!dp
From: dp@JASPER.PALLADIAN.COM (Jeffrey Del Papa)
Newsgroups: comp.os.vms
Subject: Protected access to data files
Message-ID: <870731023558.2.DP@BANFF.PALLADIAN.COM>
Date: Fri, 31-Jul-87 02:35:00 EDT
Article-I.D.: BANFF.870731023558.2.DP
Posted: Fri Jul 31 02:35:00 1987
Date-Received: Fri, 7-Aug-87 01:20:51 EDT
References: <870728214511.00l@Sds.Sdsc.Edu>
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: Jeffrey Del Papa
Distribution: world
Organization: The ARPA Internet
Lines: 49

    Date: Tue, 28 Jul 87 21:45:09 GMT
    From: oakley%36975%1029%astro.span@Sdsc-Sds.Arpa

    It would be desirable if non-privileged programmers could control access
    to their data files through the programs that they write. An "end-user"
    could only access the data through the program - not DCL or a program
    that the end-user might write. A solution to this problem should NOT
    require the system manager to install the non-privileged programmer's
    image.

    I have been thinking about how to provide this capability and have some
    ideas. But I heard a rumor the other day that DEC was going to provide
    this capability in a future release. The capability would involve adding
    another kind of ACE. I attended several futures sessions at Nashville,
    but never heard of this. Has anyone heard of this capability being
    provided? Honeywell Multics (which has been abandoned) had this feature.

    The approach I have tried involves a pair of user-written system services
    that can be called from an application program. One system service is
    used to change the process UIC to that of the UIC of the image file. The
    second system service would restore the process UIC to what it was
    originally. A run-down handler and control-C and control-Y handlers are
    also provided so that the end-user could not escape to DCL with the wrong
    UIC.

    I have observed that VMS performs a protection check when a file is
    opened, not when information in the file is read/written/updated/deleted.
    Thus it would only be necessary to change the process UIC to open the
    file. The process UIC could be restored after the file is open.

    Does anyone have any ideas or see any problems with this approach? Has
    anyone ever done this, or is there a better solution? Thanks!

How do you protect the system services? (Since you don't want to install
the image...)

    Mark Oakley
    Battelle Memorial Institute
    (614) 424-7154
    ARPAnet: oakley%36975%1029%astro.span@sdsc-sds.ARPA
    (I know this is a dreadfully long address. We hope to become an ARPAnet
    node in the near future.)
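The scheme Oakley describes and the question Del Papa raises both rest on one property: the identity is checked when the file is opened, and from then on the open handle, not the identity, is what carries access. The following is an added example, not code from either poster, showing the same property on a POSIX system in Python. It assumes Linux or a BSD-like system with discretionary file permissions and a usable temporary directory. The "swap UIC, open, restore UIC" sequence is simulated by opening a constructed data file while it is accessible and then chmod-ing it to mode 0, which refuses further opens to the file's owner (root bypasses this, and the result reports that). The second function illustrates the escape concern behind the run-down and control-Y handlers: an open handle outlives the identity change and is inherited by a child process (the counterpart of an end user dropping to DCL) unless it is marked non-inheritable before any exec.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed sample record standing in for the programmer's data file.
SAMPLE_RECORD = b"employee=oakley;salary=redacted\n"


def _make_data_file():
    """Create a temporary file holding SAMPLE_RECORD and return its path."""
    fd, path = tempfile.mkstemp(prefix="uic-demo-")
    os.write(fd, SAMPLE_RECORD)
    os.close(fd)
    return path


def _remove_data_file(path):
    """Make the file owner-writable again so it can be unlinked after chmod 0."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    os.unlink(path)


def open_time_check_demo():
    """Access is checked at open(), not at read().

    Step 1 opens the file while access is permitted (the "swap UIC, open"
    step).  Step 2 revokes access for new opens (the "restore UIC" step).
    Step 3 shows the existing handle still reads the data; step 4 shows a
    fresh open is now refused, unless the caller is root (DAC override).
    """
    path = _make_data_file()
    try:
        rfd = os.open(path, os.O_RDONLY)          # step 1
        os.chmod(path, 0)                          # step 2
        read_via_open_fd = os.read(rfd, 4096) == SAMPLE_RECORD  # step 3
        os.close(rfd)
        try:                                       # step 4
            os.close(os.open(path, os.O_RDONLY))
            reopen_denied = False
        except PermissionError:
            reopen_denied = True
        return {
            "read_via_open_fd": read_via_open_fd,
            "reopen_denied": reopen_denied,
            "dac_override": os.geteuid() == 0,     # root is never denied
        }
    finally:
        _remove_data_file(path)


def handle_inheritance_demo():
    """The open handle is the capability, and children inherit it.

    A child process is spawned twice from the same open descriptor: once
    with the descriptor marked inheritable (the child reads the record
    even though the file is mode 0) and once non-inheritable, so exec
    closes it and the child's read fails.  This is the POSIX analogue of
    an end user escaping to a command interpreter while the data file is
    still open.
    """
    # Child program: read the descriptor named on argv[1] and echo it.
    child_src = ("import os, sys; "
                 "sys.stdout.buffer.write(os.read(int(sys.argv[1]), 4096))")
    path = _make_data_file()
    try:
        rfd = os.open(path, os.O_RDONLY)   # non-inheritable by default
        os.chmod(path, 0)

        def child_reads(inheritable):
            os.set_inheritable(rfd, inheritable)
            os.lseek(rfd, 0, os.SEEK_SET)  # child shares the file offset
            proc = subprocess.run([sys.executable, "-c", child_src, str(rfd)],
                                  close_fds=False, capture_output=True)
            return proc.stdout == SAMPLE_RECORD

        leaked = child_reads(True)
        contained = not child_reads(False)
        os.close(rfd)
        return {
            "child_can_read_inherited_handle": leaked,
            "child_blocked_without_inheritance": contained,
        }
    finally:
        _remove_data_file(path)


if __name__ == "__main__":
    print(open_time_check_demo())
    print(handle_inheritance_demo())
```

The two results together are the practical answer to "what stops the end user escaping with the file open": nothing in the identity mechanism itself, only whatever the program does with the handle before control can pass elsewhere, which is why the run-down and interrupt handlers in the posted design are load-bearing rather than cosmetic.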