1������'� PRIVDCL Documentation�-� �3� ����V���:�PRIVDCL
��,����,�Background
��H�PRIVDCL is a VMS utility which allows non-privileged users to executeH�DCL command procedures which require privileges. PRIVDCL can be obtainedK�by anonymous ftp at �%�ftp://ftp.lawrence.edu/utilities.���>�
Unlike executable images, DCL command procedures cannot be @�"installed". To acomplish this, PRIVDCL.EXE is G�installed with privileges and through its configuration file, regulates�E�which users can execute what commands. Commands are internal monikers�F�arbitrarily assigned to DCL command procedures. When a user is grantedJ�access to a command, a controlled, privileged subprocess is spawnedD�to execute the DCL command procedure associated with that particular/�command, including any parameters passed to it.���1�
Installing PRIVDCL
���D�Building and installing PRIVDCL is a straightforward process.
����&�- Decide on a directory location
��J�This location must be pointed to by the logical name PRIVDCL_DIR,K�defined in the system table in executive mode. It should be world reachable�N�with EXECUTE access, but not world readable or writeable. I recommend)�SYS$COMMON:[SYSMGR.PRIVDCL].
����E�
$ define/sys/exec privdcl_dir dev:[dir] !Requires SYSNAM��� ����
- Unpack the zip archive
��M�This does not have to be in the location in the previous step, although doing�3�so will obviate the need to move files there later.��� ���1�
- Execute the BUILD.COM procedure.
���$ @build��� ��L�
- Move the following files to the location chosen as PRIVDCL_DIR:��
�
�5�- PRIVDCL.EXE -- the executable image
�>�- PRIVDCL.DAT -- the sample configuration file
K�- PRIVDCL.COM -- the command wrapper or shell
�9�- PRIVDCL_STARTUP.COM -- the startup file
���
��� ��K�
- Edit the configuration file in PRIVDCL_DIR to add a test case.���
L�See the section configuring PRIVDCL for details��about the syntax.��� ���Y�
- Install PRIVDCL.EXE with CMEXEC and SYSPRV privileges.
���A�You must have CMKRNL privilege to perform this step!
����C�
$ install privdcl_dir:privdcl.exe/priv=(cmexec,sysprv)��� ��-�
- Create a symbol to execute the image.
���J�The image must be executed as a foreign command. You can create the symbolG�for this in one of two ways. You can create a generic symbol for�H�the image itself, or you can create individual symbols for each command,G�or a combination of both where the generic symbol is used in the�0�definition of specific symbols. For example:
��
�:�$ privdcl :== $privdcl_dir:privdcl !Generic symbol
7�$ cmd :== $privdcl_dir:privdcl cmd !Specific symbol
�F�$ cmd == "''privdcl' cmd" !Specific symbol using the generic��one
���
���R�The last case is particiularily useful when users create the symbolsH�for themselves in their personal LOGIN.COM files. Note that theL�generic symbol can be used alone on the DCL command line, e.g. $ privdcl0�cmd, instead of the simpler $ cmd.�� �����
- Test the results!
���G�
- Place PRIVDCL_STARTUP.COM in a suitable location, make any�B�edits you deem necessary and reference it from your system startup��procedures.
����
���J�If you encounter specific problems that you cannot resolve, please sendK�them by e-mail to postmaster@lawrence.edu -- you should receive an�G�answer within relatively quickly, but since we offer no formal support,�"�we offer no formal commitment!
��8�Configuring PRIVDCL
��H�The configuration file, PRIVDCL.DAT, is arranged inG�stanzas of four lines, with each stanza separated by at least one blank�K�line. The blank line(s) can also be comments, signified with an exclamation�I�point (!) in column one. The four lines of each stanza must always appear�+�in the same order. They are as follows:
�������- The name of the command
�N�This name is used to invoke the desired function and is entered 9�as the first parameter to PRIVDCL itself.��� ��>�
- The DCL command used to execute named command
Q�Include the at sign for command files, e.g. @dev:[dir]cmd.�F�This command can also include parameters. Note, that since the spawnedJ�subprocess is executed with a small DCL "shell" one parameter isM�lost. Therefore, the command procedure itself will have only seven parameters���available to it. �����
- Required privileges
�Y�A list of all of the necessary privileges for the process to execute. These�L�privileges will be granted in addition to the already set privileges for theJ�user, thus you should not normally have to worry about TMPMBX and��NETMBX. ���?�
- Users, listed as usernames, UICs, or rights identifiers
�T�An asterisk can be used to wildcard for all usernames, or parts of theI�UIC. UICs can in alphanumeric or numeric form. UICs without two parts are�H�assumed to be usernames. Rights identifiers need to be enclosed in angle@�brackets -- they cannot be wildcarded (why bother?). ��
���G�Elements of the last two lines, those for privileges and users, must�I�be separated by white space and/or commas. The maximum number of elements�F�on these lines is defined internally; the default is ten (10). None ofJ�the lines can extend beyond eighty (80) characters. A sample configuration)�file then, might look something like:
�����PASSWORD���@SYS$MANAGER:CHANGE_PASSWORD��SYSPRV6�SMITH [ENGNR,*] [10,*] <TECH_SUPPORT>
��*�How It Works
��K�PRIVDCL takes several precautions to avoid the obvious security�K�risks. First, an outline of what is done in what order will help to explain���some of the precautions.
����&�- Disable CTRL/Y ASTs.
��'�- All user mode ASTs are blocked.
�W�This ensures that the user cannot interrupt the image, e.g. using SYS$FORCEX()�I�from another process and retain the privileges set in the next step. ���M�- The process permanent privileges are altered since the spawned subprocess�N�will inherit the PROCPRIV privilege mask as its own PROCPRIVK�and CURPRIV mask. Since the CURPRIV mask will become the�M�AUTHPRIV mask of the subprocess, privileges in the IMAGPRIV�N�mask but not set in the previous part are temporarily turned off. This avoidsR�the subprocess from receiving the privileges of the installed PRIVDCL.EXET�image. The process permanent privileges are modified through a sys$cmexec()
�call.
��@�- LIB$SPAWN() is called with the following flags:
H�CLI$M_NOCLISYM so that no symbols are inherited from the parent��process
�E�CLI$M_NOLOGNAM so that no process logicals are inherited
�>�CLI$M_TRUSTED to allow use from captive accounts ��G�- When the subprocess returns, set the original privileges back.
���#�- Enable AST delivery again.
���&�- Enable CTRL/Y again.
��
���?�Before the subprocess is spawned, a log entry is written to �H�PRIVDCL_DIR:PRIVDCL.LOG (PRIVDCL_STARTUP.COM creates a
�new version).���F�When the subprocess is spawned, the DCL command and its parameters areO�all passed to PRIVDCL.COM from which other elements can be controlled.�H�In the shipped version, a small set of logical names is purposely set toG�avoid any attempts to have data written to other locations, and the job�G�logical name table is removed effectively leaving only group and system�I�table logical names to affect the subprocess. Further edits can eliminate�K�or re-order logical name translation. Finally, the DCL command is executed.�L�As mentioned above, this approach results in an inability to pass the normal=�complement of eight (8) parameters to a DCL command file.
���S�It should be noted that since PRIVDCL_DIR is assumed to be the location�A�of PRIVDCL.COM, the logical name PRIVDCL_DIR is�K�translated from the system logical name table, and only in executive mode. �=�The logical name is not passed "as is" to the CLI.
�����
�@� �| PRIVDCL version 2.0 | $� 31-Jul-1997 | ��
���
���� �Inquires to Lawrence University 7�Postmaster�
�
������