MCGUIRE@GRIN2.BITNET (08/03/87)
> Date: 30 Jul 87 06:22:32 EDT > From: *Hobbit* <AWalker@RED.RUTGERS.EDU> > Subject: spawned privs > > For testing things in an environment where it can't "grab" any extra > privileges, copying the CUR to the AUTH mask of the spawned process is the > quite corrrect behavior. > > the privilege passing mechanism as it stands is a good way to reliably deny > yourself privs for a process. (Realistically, how many times a day do you really spawn a subprocess to test something with privileges denied? I mean, either you or an associate has written the code, and you _know_ that it doesn't elevate privs, or you're testing code you don't have control over--and your testing won't tell you if it _does_ elevate privs when they are available!) There are two common reasons to spawn, each of which actually has virtually opposing privilege copy requirements. 1. I spawn many, many times each day, to do one operation or another without losing my context. For these operations what I really want is a separate process that behaves more or less as if it was created from scratch. It annoys me that my symbols, logical names, etc. are copied but my privilege masks are not preserved. The specific annoyance is that I'll have changed my privs and then I gotta go to another terminal just because I can't turn on an authorized priv. No programmer on our staff has ever asked, `how can I create a subprocess that has no privileges?' The question I get from every new programmer very early on is, `hey, how come I can't turn on my privileges in the subprocess? I was able to do it yesterday!' or `hey, how come BYPASS stayed on when I reset my privileges to normal? I just blew something away because I thought I just turned off all privs!' (The second complaint is a natural side-effect of the symbol we've defined for programmers that does SET PROC/PRIV='F$GETJPI("","AUTHPRIV")'.) 2. Applications that are installed with privs and need a subprocess for some reason (aside from providing a convenient SPAWN, which comes under category 1) certainly ought to have complete control over the environment of the subprocess, including privs. Of course, under the current setup, it does have control. Often, it's going to call $CREPRC directly anyway, and specify exactly what privs it wants. I think everyone would be satisfied if LIB$SPAWN had an _option_ to create the subprocess by $CREPRC'ing with the parent's AUTHPRIV as the initial subprocess privs, then used the same interface with DCL that it now uses to copy symbols, etc., to set CURPRIV to the parent's CURPRIV. ---- Ed McGuire, Systems Coordinator, Grinnell College, MCGUIRE@GRIN2.BITNET
ANK@CUNYVMS1.BITNET (08/05/87)
>> A Walker writes: >> the privilege passing mechanism as it stands is a good way to reliably deny >> yourself privs for a process. >Ed writes: > No programmer on our staff has ever asked, `how can I create a subprocess > that has no privileges?' The question I get from every new programmer very > early on is, `hey, how come I can't turn on my privileges in the > subprocess? I was able to do it yesterday!' or `hey, how come BYPASS staye d > on when I reset my privileges to normal? I just blew something away becaus e > I thought I just turned off all privs!' When I initially posted the query on the spawned process privs, I was pointing to the LIB$SPAWN option... I tested the problem using GNUEmacs both as a top-process (meaning that I login and am directly in Emacs..) as well as keeping it in a fork using Kevin's modified utility. The first option would have me set the PROC/PRIVS in the LOGIN.COM early on, and in the second case, if I am in Emacs {M-x spawn-attach} or {C-x C-z} would throw me into a new-subprocess which cannot map the CUR privs. Certainly many programmers forget whether they had turned the proc's on OR off. I think Ed is right topoint off the two situations, and I think future versions should look in to the option. Anil Khullar {Ph.D. Prog in Psychology C.U.N.Y. Grad. Center. 33 W 42 St. Box 295, New York NY 10036 } BITNET:ank@cunyvms1 INTERNET:ank%cunyvms1.BITNET@wiscvm.edu ========================================================================== ON THE SEVENTH DAY GOD RESTED AND WATCHED CELTICS PLAY AT THE GARDEN ========================================================================== [DISCLAIMER: They say after Boston there is heaven, I agree; I say after LispM there is nirvana, they don't. This and other such opinion are held dearly by me, my employers and the institution I represent do not necessarily hold that view. I am sole culprit of such fantasies. No living being is responsible, however unsolicited support is welcome]