[comp.os.vms] Authorization ACL's

pung@ornl-ncc ("M. S. Pung") (11/13/87)

Hi,

	I have been working with the ACL system services in an attempt
	to determine if a given system has AUDIT/ALARMS set on the
	AUTHORIZE file (Sysuaf.dat).

	This information is easily obtained in DCL by a $SHOW AUDIT
	command.  Is there any way to get this information via a system
	service?  In particular, I have tried the "Sys$check_access" system
	service but have not had any luck.

	If I specify the following:
		object type = "FILE"
		object name = "SYS$SYSTEM:SYSUAF.DAT"
		username    = "SYSTEM"
		item code 1 = CHP$_ALARMNAME
		item code 2 = CHP$_AUDITNAME

	I correctly get a return status of SS$_NORMAL, however, the
	values returned in the RETLENADR field are 0 which according to
	the manual means that there are no audit/alarms set on the file.
	Note: Yes, I know positively that there are audits/alarms on the file.

	Am I missing something, or are the "AUTHORIZATION" alarms not really
	ACL's on the Sysuaf.dat file?

	One other thing, the manual mentions "hidden" ACL's and some flags
	that you can set to specify these, but I do not see how they get
	integrated into the item list or the system service...

	Has anybody used system services to tell if "AUTHORIZATION" alarms
	and audits are enabled???


	P.S. I noticed that the command  $SHOW ACL SYS$SYSTEM:SYSUAF.DAT yields
	     the same "SYSTEM-W-ACLEMPTY, access control list is empty" message.


---------------------------------------------------------------------------

	My test FORTRAN program is as follows:


	Program test

	Implicit none
	Include '($acldef)'					! get acl defs
	Include '($chpdef)'					! get chp defs
	Include '($psldef)'					! get psl defs

	Integer*4	Sys$check_access			! define sys srv
	Integer*2	dummy					! not needed
	Integer*4	fstat					! status
	Integer*4	alarm_set				! 0=no,?=yes
	Integer*4	audit_set				! 0=no,?=yes
	Character*64	alarm_buffer				! buffer to put
	Character*64	audit_buffer				! buffer to put


	Structure	/chp_itmlst/
	  Union
	    Map
	      Integer*2 chp_buflen
	      Integer*2 chp_itemcode
	      Integer*4 chp_bufadr
	      Integer*4 chp_retlenadr
	    Endmap
	    Map
	      Integer*4 chp_endlist
	    Endmap
	  Endunion
	Endstructure

	Record /chp_itmlst/ chp_list(4)



	chp_list(1).chp_buflen    = 64
	chp_list(1).chp_itemcode  = CHP$_ALARMNAME
	chp_list(1).chp_bufadr    = %loc (alarm_buffer)
	chp_list(1).chp_retlenadr = %loc (alarm_set)

	chp_list(2).chp_buflen    = 64
	chp_list(2).chp_itemcode  = CHP$_AUDITNAME
	chp_list(2).chp_bufadr    = %loc (audit_buffer)
	chp_list(2).chp_retlenadr = %loc (audit_set)

	chp_list(3).chp_buflen    = 1
	chp_list(3).chp_itemcode  = CHP$_ACMODE
	chp_list(3).chp_bufadr    = %loc (psl$c_super)
	chp_list(3).chp_retlenadr = %loc (dummy)

	chp_list(4).chp_endlist   = 0

	

	fstat = Sys$check_access (acl$c_file, 'sys$system:sysuaf.dat',
	1			  'system', chp_list)
	Call lib$signal (%val (fstat))

	type *,'Alarm set = ',alarm_set
	type *,'Audit set = ',audit_set

	type *,'Alarm buffer = ',alarm_buffer
	type *,'Audit buffer = ',audit_buffer



	end
---------------------------------------------------------------------------




	Any help would be appreciated,

	|------------------------------------------------------------------|
	|          Mike Pung               |	   (615) 574-8082          |
	|     Oak Ridge National Lab       |  Pung%ornl-ncc@ornl-msr.arpa  |
	|  Martin Marietta Energy Systems  |        192.12.68.201	   |
	|------------------------------------------------------------------|

gil@icus.UUCP (11/18/87)

In article <8711160549.AA10112@ucbvax.Berkeley.EDU> "M. S. Pung" <pung@ornl-ncc> writes:
>
>
>Hi,
>
>	I have been working with the ACL system services in an attempt
>	to determine if a given system has AUDIT/ALARMS set on the
>	AUTHORIZE file (Sysuaf.dat).
>
>	This information is easily obtained in DCL by a $SHOW AUDIT
>	command.  Is there any way to get this information via a system
>	service?  In particular, I have tried the "Sys$check_access" system
>	service but have not had any luck.
>
>	If I specify the following:

         [Some info about SYS$CHECK_ACCESS follows]
>
>	I correctly get a return status of SS$_NORMAL, however, the
>	values returned in the RETLENADR field are 0 which according to
>	the manual means that there are no audit/alarms set on the file.
>	Note: Yes, I know positively that there are audits/alarms on the file.
>
>	Am I missing something, or are the "AUTHORIZATION" alarms not really
>	ACL's on the Sysuaf.dat file?

(No flames please, if I'm not totally correct)  I do believe that authorization
ACL's are done by AUTHORIZE, since those ACLs log events which are performed
ON the SYSUAF.DAT file (such as user added or modified, fields modified,
password changes by users, etc.).  File access ACLs, which are what you are
checking, do not apply in this instance since they only log certain types
of access upon a file.

>
>	One other thing, the manual mentions "hidden" ACL's and some flags
>	that you can set to specify these, but I do not see how they get
>	integrated into the item list or the system service...
>

I read about this once in a MicroVMS manual, and I believe it is part of the
VMS 4.4(+) manuals.  I never used them, but it seems that you have to be
careful of this type of ACL since you must use your own application program
to delete the ACL if necessary, since I don't believe any of the VMS utilities
recognize them.

>	Has anybody used system services to tell if "AUTHORIZATION" alarms
>	and audits are enabled???
>

I haven't, but I'm sure it's possible.  Unfortunately, I don't have the VMS
manuals at my disposal at the moment.  There is a section in the System
Services manual on security-related calls.  Usually, if they don't touch
on the subject there, you have to go through the Fiche to VMS and find out
the right system location to check for that stuff.  I can't imagine, though,
that something like that isn't possible with one of the services.  Check
the ACL routines.

I realize that I should probably post this as a separate news article, but
while someone's on the subject of seemingly "impossible" things, has anyone
found a system service or combination of QIOs or something (?) that will
allow an application program to check what port of a DECserver a particular
line is attached to?  I know using LAT-plus, you can check this with LATCP.
If anyone has this information, I'm sure that we'd all like to hear about it.


------------------------------------------------------------------------------
Gil Kloepfer, Jr.                                         USENET:  ...icus!gil
ICUS Computer Group, Systems Development
P.O. Box 1     Islip Terrace, New York  11752
------------------------------------------------------------------------------