PHULVER%OCVAXA@VB.CC.CMU.EDU (Barron Hulver x8290) (12/02/87)
Just a tidbit of information for anyone using the callable
EDT interface. If the program will ever be an installed image
with privileges (SYSPRV, BYPASS), this is not the way to go.

A user will be able to drop into the editor, then INCLUDE
any text file on the system.

In this case you do want to use the LIB$SPAWN feature.

...Barron Hulver (216) 775-8290
postmaster
Oberlin College, Oberlin, OH 44074
phulver % ocvaxa @ cmccvb (bitnet)
phulver % ocvaxa @ vb.cc.cmu.edu (arpanet or csnet)
ocvaxa::phulver (ccnet)
phulver % ocvaxa % cmccvb @ uk.ac.rl (janet to bitnet)
phulver % ocvaxa % vb.cc.cmu.edu @ uk.ac.ucl.cs (janet to arpanet)
!ihnp4!oberlin!ocvaxa!phulver (uucp)
(you can send mail to postmaster instead of phulver)
lawrenc@nvanbc.UUCP (12/03/87)
In article <8712020650.AA10361@ucbvax.Berkeley.EDU> PHULVER%OCVAXA@VB.CC.CMU.EDU (Barron Hulver x8290) writes:
>Just a tidbit of information for anyone using the callable
>EDT interface. If the program will ever be an installed image
>with privileges (SYSPRV, BYPASS), this is not the way to go.
>
>A user will be able to drop into the editor, then INCLUDE
>any text file on the system.
>
>In this case you do want to use the LIB$SPAWN feature.
>
>...Barron Hulver (216) 775-8290
...
> (you can send mail to postmaster instead of phulver)

This may be true; however, if it's important to you then just turn off any privs you don't need first and turn them back on when you return from EDT (or TPU or DTR or any other callable utility). Don't cripple your system by doing unnecessary LIB$SPAWNs just because you are running a program with installed privs.

Something we do here fairly frequently is to disable all privileges when you start running a program and then only turn them on during the operation you need them for. This allows a program to have a /OUT= qualifier and BYPASS but not let the user write over SYSUAF.DAT, since we don't turn BYPASS on except for the one time we use it.

--
------------------------------------------------------------------------------
UUCP: {ihpn4!alberta,uw-beaver}!ubc-vision!van-bc!nvanbc!lawrence
SNAIL: 733 Sylvan Ave., North Vancouver, B.C., Canada, V7R 2E8
PHONE: 1-604-736-9241 (09:00-17:00 PST) 1-604-420-9518 (after 17:00 PST)
jeh@crash.UUCP (12/04/87)
In article <8712020650.AA10361@ucbvax.Berkeley.EDU> PHULVER%OCVAXA@VB.CC.CMU.EDU (Barron Hulver x8290) writes:
>Just a tidbit of information for anyone using the callable
>EDT interface. If the program will ever be an installed image
>with privileges (SYSPRV, BYPASS), this is not the way to go.
>A user will be able to drop into the editor, then INCLUDE
>any text file on the system.
>In this case you do want to use the LIB$SPAWN feature.

This point is well taken, but the moral is to code programs that will be installed with privs correctly rather than to avoid use of callable EDT.

Any program to be installed with privs should begin by turning the enhanced privs OFF, then turn them on just before they're needed, and turn them off again immediately afterwards. For instance, if you're writing a mailer that needs to access files via BYPASS privilege, you turn on BYPASS only when accessing those files (SYSUAF, users' mail files, etc.), and turn it off again as soon as the file is open. You don't leave it on, for instance, during the `prepared file to include?' sequence...

Also, be careful about logical name translations -- a program accessing files via enhanced privs should only use `trusted' logical names (system name table, exec mode, etc.).

With these caveats, one can write enhanced-priv programs and still safely use things like callable EDT.
kvc@nrcvax.UUCP (Kevin Carosso) (12/04/87)
In article <8712020650.AA10361@ucbvax.Berkeley.EDU> PHULVER%OCVAXA@VB.CC.CMU.EDU (Barron Hulver x8290) writes:
>Just a tidbit of information for anyone using the callable
>EDT interface. If the program will ever be an installed image
>with privileges (SYSPRV, BYPASS), this is not the way to go.
>
>A user will be able to drop into the editor, then INCLUDE
>any text file on the system.
>
>In this case you do want to use the LIB$SPAWN feature.

I think the proper way to go is that any program which is going to be installed with amplified privileges must use those privileges wisely. You should disable your amplified privileges except for those sections of code which require them. Alternately, if you think you need the privs enabled nearly all the time (dubious) then you should disable them before your EDT call and reenable after.

MAIL is an example of a utility which is installed with amplified privileges but which enables them only when necessary. MAIL uses the callable editor interface but privs are never enabled at that time.

For example, if you need SYSPRV to access a file then you should disable SYSPRV at the outset, then enable SYSPRV just before your file open and disable it just after.

Note that if you have amplified image privileges, those privileges are inherited by the process created with LIB$SPAWN.
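The privilege bracketing that the last three replies describe (drop all amplified privileges at image start, enable one only around the privileged file open, drop it again whether or not the open succeeds), as an added example that is not code from any poster. On VMS it calls the real $SETPRV service; the #else branch is an assumed, simulated privilege mask so the bracketing logic can be exercised off-VMS, and open_fn/demo_open are hypothetical stand-ins for the program's own file-open routine.

```c
/* Privilege bracketing for an image installed with BYPASS and SYSPRV. */
#ifdef __VMS
#include <starlet.h>            /* sys$setprv */
#include <prvdef.h>             /* PRV$M_BYPASS, PRV$M_SYSPRV */
#define BYPASS_BIT ((unsigned long)PRV$M_BYPASS)
#define SYSPRV_BIT ((unsigned long)PRV$M_SYSPRV)
static int set_privs(int enable, unsigned long mask)
{
    unsigned int prvmask[2] = { (unsigned int)mask, 0 };   /* quadword mask */
    return sys$setprv(enable, (void *)prvmask, 0 /* temporary */, 0) & 1;
}
unsigned long privs_enabled(void)
{
    unsigned int none[2] = { 0, 0 }, prev[2];
    sys$setprv(1, (void *)none, 0, (void *)prev); /* enable nothing; read mask */
    return prev[0];
}
#else
/* Simulated process privilege mask (assumption: stands in for $SETPRV). */
#define BYPASS_BIT 0x01UL
#define SYSPRV_BIT 0x02UL
static unsigned long current_privs = BYPASS_BIT | SYSPRV_BIT; /* as installed */
static int set_privs(int enable, unsigned long mask)
{
    if (enable) current_privs |= mask; else current_privs &= ~mask;
    return 1;
}
unsigned long privs_enabled(void) { return current_privs; }
#endif

/* Image entry point: the first action is to drop every amplified privilege. */
void image_startup(void) { set_privs(0, BYPASS_BIT | SYSPRV_BIT); }

/* Open a protected file with BYPASS held only for the duration of the open.
 * open_fn is the caller's open routine (hypothetical; returns 1 on success). */
int open_with_bypass(const char *name, int (*open_fn)(const char *))
{
    int ok;
    if (!set_privs(1, BYPASS_BIT)) return 0;
    ok = open_fn(name);
    set_privs(0, BYPASS_BIT);   /* off again at once, whether or not the open worked */
    return ok;
}

/* Constructed open routine: records the privileges in force when called and
 * "fails" on an empty file name, so the failure path can be checked too. */
unsigned long privs_at_open;
int demo_open(const char *name)
{
    privs_at_open = privs_enabled();
    return name[0] != '\0';
}
```

Callable EDT, TPU or any other utility invoked between bracketed opens then runs with no amplified privilege in force, and a LIB$SPAWN subprocess inherits only the reduced mask.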