From: HENRY::IN%"OZ%wiscpsl.bitnet%wiscvm.wisc.edu%csnet-relay.CSNET%relay.cs.net@RCA.COM" 3-OCT-1987 02:58
To: EVERHART%ARISIA%RCA.COM@csnet-relay.csnet
Subj: RE: Finger

> As a result of the security bug found in Finger, I proposed a few weeks
> ago a temporary patch to prevent Finger from reading FINGER.PLN with
> privilege.
>
> ...

I'm sending this direct in case it's not worth posting to INFO-VAX. You can
post it if it proves useful (or if it's wrong and you want to publicly
embarrass me).

The SYS$CHECK_ACCESS system service would be ideal for this, I think. It
checks if a given user can access a given object (file). I think
SYS$CHECK_ACCESS takes into account identifiers granted to the user, as well
as UIC. You might experiment with it and make sure it really works as I
expect it does.

Here's an example of a FORTRAN function that calls SYS$CHECK_ACCESS:

      integer function CHECK_PLN(USER,DEV,DIR)
      include '($ACLDEF)'
      include '($ARMDEF)'
      include '($CHPDEF)'
      character*(*) USER          ! username
      character*(*) DEV,DIR       ! default device and directory
      integer*4 SYS$CHECK_ACCESS  ! returns a longword status
      integer*4 ACCESS            ! access mask, a variable for %loc
      structure /ITMLST3/         ! item list entry layout
        integer*2 BUFLEN,ITMCOD
        integer*4 BUFADR,RETADR
      end structure
      record /ITMLST3/ ITMLST(2)
      ACCESS=ARM$M_READ           ! ask about read access
      ITMLST(1).ITMCOD=CHP$_ACCESS
      ITMLST(1).BUFLEN=4
      ITMLST(1).BUFADR=%loc(ACCESS)
      ITMLST(1).RETADR=0
      ITMLST(2).BUFLEN=0          ! zero longword ends the list
      ITMLST(2).ITMCOD=0
      CHECK_PLN=SYS$CHECK_ACCESS(ACL$C_FILE,DEV//DIR//'FINGER.PLN',
     1 USER,ITMLST)
      RETURN
      END