From: CSBVAX::MRGATE!@KL.SRI.Com,@wiscvm.wisc.edu:AWPSYS@RITVAX.BITNET@SMTP 13-AUG-1987 02:05
To: EVERHART
Subj: RE: Mail and privs

Received: from wiscvm.wisc.edu by KL.SRI.COM with TCP; Wed 12 Aug 87 16:35:19-PDT
Received: from RITVAX.BITNET by wiscvm.wisc.edu ; Wed, 12 Aug 87 18:35:24 CDT
Date: 12 AUG 87 19:34-EDT
From: AWPSYS%RITVAX.BITNET@wiscvm.wisc.edu
To: INFO-VAX @ KL.SRI.COM
Subject: RE: Mail and privs

>1) Have your system manager install your TPU$CALLUSER routine by logging in
>   as SYSTEM and issuing the command:
>
>      $ RUN SYS$SYSTEM:INSTALL
>      INSTALL> filespec
>      INSTALL> ^Z
>      $
>
>   where "filespec" is the *full* file specification for your calluser image.
>   INSTALL assumes SYS$LIBRARY: for the directory, which is why you need the
>   full filespec if your file is elsewhere.

WARNING: If you are going to allow your own code to run privileged then you
need to take several VERY important steps to ensure that the code (and hence
your system) remains secure.

1) Use $SETPRV to disable all elevated privs before executing any code that:

   a) Creates or reads files or accesses any "protectable" object. (Logical
      name tables, job controller queues, global sections...)
   b) Does input or output to SYS$OUTPUT.
   c) Creates a process via $CREPRC or LIB$SPAWN.

2) If you DO want some code to execute privileged I/O (i.e. with SYSPRV
   enabled), then only allow executive mode logical names to be translated
   when opening files. This means coding a user-open procedure in most high
   level languages to set the RMS FAB field FAB$B_ACMODE to EXEC mode on open.

Failure to observe the above precautions when writing ANY code that is
installed with elevated privilege can leave a locomotive sized security hole
in your system.

Andrew W. Potter
Rochester Institute of Technology
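The two precautions in the post above, worked through in DEC C for OpenVMS as an added example (this is not code from the post or from RIT): the image drops the privilege it is installed with at startup, does its ordinary SYS$OUTPUT I/O with privilege off, and turns SYSPRV back on only around an RMS $OPEN whose FAB$B_ACMODE is set to executive mode, so a logical name in the file specification is translated only if it was defined in executive or kernel mode (which requires SYSNAM), not from a user-mode DEFINE issued by whoever runs the image. Assumptions: the image is installed with SYSPRV only, and the logical name CALLUSER_DATA and the file CONFIG.DAT are hypothetical. The block builds only on OpenVMS ($ CC, $ LINK), since it needs the VMS system headers and services.

```c
/* priv_open.c -- added example, not from the INFO-VAX post.
 * Privileged-image hygiene on OpenVMS:
 *   1. drop the installed privilege (assumed: SYSPRV) before any user I/O;
 *   2. re-enable it only around an RMS $OPEN with FAB$B_ACMODE = EXEC, so a
 *      user-mode logical name cannot redirect the open to another file.
 * Build on OpenVMS only:  $ CC PRIV_OPEN  then  $ LINK PRIV_OPEN
 */
#include <stdio.h>
#include <string.h>
#include <rms.h>       /* struct FAB, cc$rms_fab, FAB$M_GET */
#include <starlet.h>   /* sys$setprv, sys$open, sys$close */
#include <psldef.h>    /* PSL$C_EXEC */
#include <prvdef.h>    /* PRV$M_SYSPRV */
#include <ssdef.h>     /* SS$_NORMAL */

/* Quadword privilege mask naming only what the image is installed with
 * (assumption: SYSPRV; PRV$M_SYSPRV lives in the low longword). */
static unsigned int installed_privs[2] = { PRV$M_SYSPRV, 0 };

/* enbflg = 0 disables the privileges in the mask; prmflg = 0 makes the
 * change temporary (current image only). */
static int privs_off(void)
{
    return sys$setprv(0, (void *)installed_privs, 0, 0);
}

static int privs_on(void)
{
    return sys$setprv(1, (void *)installed_privs, 0, 0);
}

/* Open `name' for sequential GET with SYSPRV enabled only for the $OPEN.
 * FAB$B_ACMODE = PSL$C_EXEC makes RMS translate logical names in `name'
 * only if they are defined in executive or kernel mode. Creating such a
 * name needs SYSNAM, so an unprivileged caller cannot point a logical at,
 * say, SYS$SYSTEM:SYSUAF.DAT and have this image read it for them. */
static int open_trusted(const char *name, struct FAB *fab)
{
    int status;

    *fab = cc$rms_fab;
    fab->fab$l_fna    = (char *)name;
    fab->fab$b_fns    = (unsigned char)strlen(name);
    fab->fab$b_fac    = FAB$M_GET;
    fab->fab$b_acmode = PSL$C_EXEC;      /* item 2 of the post */

    status = privs_on();
    if (!(status & 1))
        return status;
    status = sys$open(fab);
    (void)privs_off();                   /* drop again regardless of result */
    return status;
}

int main(void)
{
    struct FAB fab;
    int status;

    /* Item 1 of the post: nothing that touches protectable objects or
     * SYS$OUTPUT runs while SYSPRV is enabled. */
    status = privs_off();
    if (!(status & 1))
        return status;

    printf("privilege dropped; opening via exec-mode logical name only\n");

    /* CALLUSER_DATA is an assumed name; the system manager defines it with
     * DEFINE/SYSTEM/EXECUTIVE_MODE. A user-mode DEFINE of the same name is
     * ignored by the $OPEN above. */
    status = open_trusted("CALLUSER_DATA:CONFIG.DAT", &fab);
    if (!(status & 1)) {
        printf("open failed, status %08X\n", (unsigned)status);
        return status;
    }

    printf("file opened with exec-mode translation; closing\n");
    (void)sys$close(&fab);
    return SS$_NORMAL;
}
```

The check worth doing after installing such an image: from an unprivileged account, DEFINE the logical name CALLUSER_DATA in user mode to point somewhere the account cannot read, run the image, and confirm the open fails rather than succeeds; if it succeeds, the FAB$B_ACMODE setting (or the privilege drop) is not in effect on the path that opened the file.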