Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rutgers!ucla-cs!zen!ucbvax!mucsd.UUCP!8004SLB
From: 8004SLB@mucsd.UUCP (Sandy)
Newsgroups: comp.os.vms
Subject: Re: Checking for identifiers
Message-ID: <8708041705.AA17465@csd1.milw.wisc.edu>
Date: Tue, 4-Aug-87 12:09:10 EDT
Article-I.D.: csd1.8708041705.AA17465
Posted: Tue Aug 4 12:09:10 1987
Date-Received: Fri, 7-Aug-87 06:54:15 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 107

Here is another program that we use on our VAXCluster to restrict one of
the nodes to a given set of users. Users who are allowed to access the VAX
have the identifier ENGVAX granted to their username with authorize or a
program we've written here that allows authorized non-privileged users to
grant and revoke identifiers for which they are responsible to/from other
users.

In SYLOGIN, if the current node is the one that has restrictions, this
program is run. If the user has OPER privilege or holds the ENGVAX
identifier, the program exits quietly. If not, the user is given a terse
error message and logged off the system.

This program is a bit different from a previous program in that the
identifier is checked immediately and may have been granted by a privileged
program as opposed to searching the rights data base for the identifier.

To change this program for an identifier with a name other than ENGVAX,
simply change the one line at label AIDENT:.

Here's the code:

Sandy Berger
Marquette University
Computer Services Division
Technical Services
Milwaukee, WI

UUCP: ...!seismo!uwvax!uwmcsd1!marque!mucsd!8004slb
ARPA: marque!mucsd!8004slb@csd1.milw.wisc.edu

---------------------------CUT HERE------------------------------------
        .TITLE  CHKPRO - TEST FOR ACCESS TO ENGINEERING VAX
;
; Written by: Sanford L. Berger
;             Marquette University
;             Computer Services Division
;             Technical Services
;             Milwaukee, WI
;
; This program checks to see if the user currently holds the given identifier.
; If he does the program simply exits.  If not, a message is given and the
; user is logged out.  Users with OPER privilege are exempt from the
; identifier check.
;
        .LIBRARY /SYS$LIBRARY:LIB/
        $ACEDEF
        $ARMDEF
        $CHPDEF
        $JPIDEF
        $PRVDEF
        .PSECT  DATA,LONG,NOEXE
BMES:   .ASCID  /You are not allowed to access this VAX./
;
; Don't use the user's privileges in the $CHKPRO service.
;
PRVS:   .QUAD   0
;
; Following is the ACL which we use in $CHKPRO.
;
ACL:    .BYTE   12                      ; length of ACE
        .BYTE   ACE$C_KEYID             ; type of ACE
        .WORD   0                       ; ACE flags
        .LONG   ACE$M_READ              ; ACE access flags
IDENT:  .BLKL   1                       ; identifier to check for
;
ACCESS: .LONG   ARM$M_READ              ; longword for read access
;
; Next is the item list for $CHKPRO.
;
ITMLST: .WORD   4
        .WORD   CHP$_ACCESS             ; read access
        .ADDRESS ACCESS
        .LONG   0
        .WORD   8
        .WORD   CHP$_PRIV               ; no privileges
        .ADDRESS PRVS
        .LONG   0
ACLEN:  .WORD   12
        .WORD   CHP$_ACL                ; use our generated ACL
        .ADDRESS ACL
        .LONG   0
        .LONG   CHP$_END                ; end of item list
;
CPRIV:  .BLKQ   1                       ; user's current privileges
;
; Item list for $GETJPI to get current privileges
;
JPILST: .WORD   8
        .WORD   JPI$_CURPRIV
        .ADDRESS CPRIV
        .LONG   0
        .LONG   0
;
; Next is the identifier we are checking for.
;
AIDENT: .ASCID  /ENGVAX/
;
        .PSECT  INST,LONG,NOWRT
        .ENTRY  START,^M<>
        $GETJPIW_S ITMLST=JPILST        ; get user's privileges
        BBS     #PRV$V_OPER,CPRIV,OK    ; if OPER then exit
        $ASCTOID_S NAME=AIDENT,ID=IDENT ; convert identifier to binary
        $CHKPRO_S ITMLST=ITMLST         ; check to see if ACL passes check
        BLBS    R0,OK                   ; yes, he's got the identifier, exit
        PUSHAQ  BMES
        CALLS   #1,G^LIB$PUT_OUTPUT     ; no, give him the message
        $DELPRC_S                       ; and do away with him
OK:     $EXIT_S
        .END    START
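
The SYLOGIN step described in the post, as an added example that is not part of the original post: a DCL fragment that runs the check only on the restricted node. The node name ENGNOD and the image location SYS$MANAGER:CHKPRO.EXE are assumptions, as is disabling Ctrl/Y around the check so it cannot be interrupted before the image runs.

```dcl
$! SYLOGIN.COM fragment (added example; not from the original post).
$! Assumptions: the restricted node is named ENGNOD, and the linked image
$! is kept in SYS$MANAGER:CHKPRO.EXE where every user can execute it.
$!
$! Build once from the posted source (saved as CHKPRO.MAR):
$!     $ MACRO CHKPRO
$!     $ LINK CHKPRO
$!
$! Remember which control characters were enabled (for example "T,Y"),
$! so accounts that log in with Ctrl/Y disabled stay that way afterwards.
$ saved_control = F$ENVIRONMENT("CONTROL")
$ SET NOCONTROL=Y
$!
$! Only the restricted node runs the identifier check.
$ IF F$GETSYI("NODENAME") .NES. "ENGNOD" THEN GOTO CHKPRO_DONE
$!
$! CHKPRO exits quietly for holders of ENGVAX or OPER; otherwise it
$! prints its message and deletes the process, so nothing below runs.
$ RUN SYS$MANAGER:CHKPRO
$!
$CHKPRO_DONE:
$! F$LOCATE returns the string length when "Y" is not found.
$ IF F$LOCATE("Y",saved_control) .NE. F$LENGTH(saved_control) THEN SET CONTROL=Y
```

Place the fragment ahead of anything else in SYLOGIN that a user on the restricted node should not reach without the identifier.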