From: CSBVAX::MRGATE!INFO-VAX-RELAY@KL.SRI.COM@SMTP 23-JUN-1988 09:03
To: ARISIA::EVERHART
Subj: Network wide identifiers

Received: from RELAY.CS.NET by KL.SRI.COM with TCP; Thu, 16 Jun 88 18:55:02 PDT
Received: from ge-crd.arpa by RELAY.CS.NET id aa04256; 16 Jun 88 20:25 EDT
Date: 16 Jun 88 20:19 EST
From: EVERHART%ARISIA.decnet@GE-CRD.ARPA
Subject: Network wide identifiers
To: INFO-VAX%KL.SRI.COM@RELAY.CS.NET

The following is something that occurred to me lately. Anybody have anything
like it in the works?

Problem: "WORLD" in the context of a large DECnet is too broad. On a single
machine, files available to the world are available to people on YOUR machine
(and you can use ACLs to limit which of those can get at 'em). On a large
DECnet, if FAL is left open, files open to world are open to EVERYBODY.

I'd like to be able to have files open to large classes of people, say company
employees, but not generally available to others, and I'd like that to be
possible network wide. Problem is, DECnet doesn't propagate identifiers. From
what I've heard thus far, phase V won't either (though this may - and I hope
will - change). Proxies to thousands of users in each class aren't an answer;
too hard to maintain.

However, the following scenario might provide a reasonable level of
functionality.

1. Suppose we have every machine on a network agree on a FEW standard
   identifiers. Examples:

        Non_Citizen
        Non-Employee
        Short_Timer
        Twit

2. Now, on each node, accounts have these identifiers applied where
   appropriate. (Most accounts would need none. Notice these identifiers are
   suitable for EXCLUDING access; ability to give yourself identifiers gains
   nothing.)

3. In SYLOGIN.COM, FAL.COM and similar places, before anything useful can be
   done, run an image which must be concocted. This image first obtains the
   originating process' PID and the node name from which the request comes.
   [If the node is in a local list of "untrusted nodes", it just flags all
   "standard identifiers" as present.]

   Now the image accesses (via nontransparent DECnet) a special object on the
   originating node, and sends the originating process information it has
   obtained back to this server. [If the server is unavailable, all "standard
   identifiers" are flagged as present.]

   The server obtains (via CMKRNL ?) information on which "standard
   identifiers" are present for the process being queried about. It sends a
   message back to the image that asked it telling which of the "standard
   identifiers" is present. NO OTHER identifiers are dealt with, to avoid
   general screwups.

   Now the image we added to sylogin.com, or FAL.com or wherever forces those
   identifiers into the process it's running in. CMKRNL may be needed here
   also.

As a result, the process that came from remote file access, or set host, has
in effect inherited the identifiers from the source process. These standard
identifiers can now be used to set up ACLs to refine/restrict "world" file
access. Because of the "untrusted node" list, a site can control further which
other sites it trusts, so that sites where system management is weak or
doesn't put identifiers on accounts get treated as totally untrusted.

This looks to me like something that's workable. Anybody done it already? Or
part of it? Code donations gratefully accepted! If this doesn't exist, and if
DEC isn't going to do this real soon (that is, during Phase IV DECnet), I may.
I'd appreciate help.

Thanks
Glenn Everhart
Everhart%Arisia.decnet@ge-crd.arpa
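
Added example, not part of the original message: a Python model of the decision logic the proposal describes, showing that an untrusted node or an unreachable server yields every standard identifier, and that nothing outside the agreed set is carried over. The function names, node names, PIDs and the PAYROLL_ADMIN identifier are constructed for illustration, and treating an unknown PID like an unavailable server is an assumption made here.

```python
# Added illustration of the proposal's decision logic; it models no VMS or DECnet API.
STANDARD_IDS = frozenset({"Non_Citizen", "Non-Employee", "Short_Timer", "Twit"})

# Constructed sample data: identifiers held per (node, PID) on originating nodes.
SAMPLE_RIGHTS = {
    ("ALPHA", 0x2040): {"Short_Timer", "PAYROLL_ADMIN"},
    ("ALPHA", 0x2041): set(),
}
DOWN_NODES = {"GAMMA"}  # constructed: nodes whose identifier server does not answer


def sample_server(node, pid):
    """Hypothetical stand-in for the special object on the originating node."""
    if node in DOWN_NODES:
        raise ConnectionError(f"identifier server on {node} unavailable")
    # Assumption added here: an unknown PID raises KeyError (no usable answer).
    return SAMPLE_RIGHTS[(node, pid)]


def inherited_identifiers(node, pid, untrusted_nodes, query=sample_server):
    """Return the standard identifiers to force into the local process."""
    if node in untrusted_nodes:
        return STANDARD_IDS  # untrusted node: flag every identifier as present
    try:
        reported = set(query(node, pid))
    except (OSError, LookupError):
        return STANDARD_IDS  # no usable answer: flag every identifier as present
    # Only the agreed identifiers cross the network; anything else is dropped.
    return STANDARD_IDS & reported


def world_access_allowed(held, excluded_by_acl):
    """World access succeeds only if the ACL excludes none of the held identifiers."""
    return not (set(held) & set(excluded_by_acl))


if __name__ == "__main__":
    untrusted = {"BETA"}
    for node, pid in [("ALPHA", 0x2040), ("ALPHA", 0x2041), ("BETA", 1), ("GAMMA", 1)]:
        held = inherited_identifiers(node, pid, untrusted)
        print(node, hex(pid), sorted(held), world_access_allowed(held, {"Non-Employee"}))
```

Because the identifiers only exclude, both failure paths reduce access rather than grant it, which is why a node that lies by omission has to be handled through the untrusted-node list instead.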