Path: utzoo!utgpu!water!watmath!clyde!bellcore!rutgers!ucsd!ucbvax!M5.SDSC.EDU!gkn
From: gkn@M5.SDSC.EDU (Gerard K. Newman)
Newsgroups: comp.os.vms
Subject: RE:  Undocumented priv bits...
Message-ID: <880716212445.2360009b@M5.Sdsc.Edu>
Date: 16 Jul 88 21:24:45 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 53


	From:	 XRJJM%CSDR.SPAN@STAR.STANFORD.EDU (John McMahon, STX/COBE (x4333))
	Subject: Undocumented priv bits...
	Date:	 Tue 12 Jul 88 05:33:18-PDT

	***> From: "IVAX::IJAH400" <ijah400%ivax.decnet@gold.bacs.indiana.edu>
	***> 
	***> UPGRADE and DOWNGRADE are both listed in STARLET.REQ, they are bits 0 and
	***> 1 in the second privilege longword.  These are described as "may
	***> up(down)grade classification".  AUTHORIZE seems to know about these too;
	***> at least it will let you give them to a user, but it won't list them out
	***> with SHOW.
	***> 
	***> James A. Harvey
	***> ijah400@indyvax (bitnet) or ijah400%ivax.decnet@gold.bacs.indiana.edu
	***> 

	The DCL command SHOW PROC/PRIV won't let you see them (Although I think
	it used to) but the DCL Lexical F$GETJPI() will.  

	$ SET PROC/PRIV=ALL

	Issuing a Write Sys$Output F$GETJPI(0,"CURPRIV") results in a %DCL-W-TKNOVF
	(Command Element Too Long) error.  So we remove some of the privs we do
	know.

	$ SET PROC/PRIV=(NOCMKRNL,NOCMEXEC,nosysnam,nogrpnam,noallspool)

	Now issuing the Write Sys$Output F$GETJPI(0,"CURPRIV") results in all the
	rest of the known privs, plus UPGRADE and DOWNGRADE being listed.  But what
	are they used for ?  Perhaps the VMS "Secure System" package, or whatever
	it's called ?

	John McMahon
	xrjjm%scint.span@star.stanford.edu

They are privileges required to change the classification of an object when
using the non-discretionary security features of VMS.  These features are
enabled by the SYSGEN parameter CLASS_PROT.  Turning on CLASS_PROT isn't
enough; you still have to write some code to deal with the manipulation of
classification and integrity information for objects.

gkn
----------------------------------------
Internet: GKN@SDS.SDSC.EDU
Bitnet:   GKN@SDSC
Span:	  SDSC::GKN (27.1)
MFEnet:   GKN@SDS
USPS:	  Gerard K. Newman
	  San Diego Supercomputer Center
	  P.O. Box 85608
	  San Diego, CA 92138-5608
Phone:	  619.534.5076