PRIVDCL Documentation

PRIVDCL


Background

PRIVDCL is a VMS utility which allows non-privileged users to execute DCL command procedures which require privileges. PRIVDCL can be obtained by anonymous ftp at ftp://ftp.lawrence.edu/utilities.

Unlike executable images, DCL command procedures cannot be "installed". To accomplish this, PRIVDCL.EXE is installed with privileges and, through its configuration file, regulates which users can execute what commands. Commands are internal monikers arbitrarily assigned to DCL command procedures. When a user is granted access to a command, a controlled, privileged subprocess is spawned to execute the DCL command procedure associated with that particular command, including any parameters passed to it.

Installing PRIVDCL

Building and installing PRIVDCL is a straightforward process.

  1. Decide on a directory location
    This location must be pointed to by the logical name PRIVDCL_DIR, defined in the system table in executive mode. It should be world reachable with EXECUTE access, but not world readable or writeable. I recommend SYS$COMMON:[SYSMGR.PRIVDCL].

    $ define/sys/exec privdcl_dir dev:[dir] !Requires SYSNAM

  2. Unpack the zip archive
    This does not have to be in the location in the previous step, although doing so will obviate the need to move files there later.

  3. Execute the BUILD.COM procedure.
    $ @build

  4. Move the following files to the location chosen as PRIVDCL_DIR:
    1. PRIVDCL.EXE -- the executable image
    2. PRIVDCL.DAT -- the sample configuration file
    3. PRIVDCL.COM -- the command wrapper or shell
    4. PRIVDCL_STARTUP.COM -- the startup file

  5. Edit the configuration file in PRIVDCL_DIR to add a test case.
    See the section Configuring PRIVDCL for details about the syntax.

  6. Install PRIVDCL.EXE with CMEXEC and SYSPRV privileges.
    You must have CMKRNL privilege to perform this step!

    $ install privdcl_dir:privdcl.exe/priv=(cmexec,sysprv)

  7. Create a symbol to execute the image.
    The image must be executed as a foreign command. You can create the symbol for this in one of two ways. You can create a generic symbol for the image itself, or you can create individual symbols for each command, or a combination of both where the generic symbol is used in the definition of specific symbols. For example:

    $ privdcl :== $privdcl_dir:privdcl !Generic symbol
    $ cmd :== $privdcl_dir:privdcl cmd !Specific symbol
    $ cmd == "''privdcl' cmd" !Specific symbol using the generic one

    The last case is particularly useful when users create the symbols for themselves in their personal LOGIN.COM files. Note that the generic symbol can be used alone on the DCL command line, e.g. $ privdcl cmd, instead of the simpler $ cmd.

  8. Test the results!

  9. Place PRIVDCL_STARTUP.COM in a suitable location, make any edits you deem necessary and reference it from your system startup procedures.

If you encounter specific problems that you cannot resolve, please send them by e-mail to postmaster@lawrence.edu -- you should receive an answer relatively quickly, but since we offer no formal support, we offer no formal commitment!

Configuring PRIVDCL

The configuration file, PRIVDCL.DAT, is arranged in stanzas of four lines, with each stanza separated by at least one blank line. The blank line(s) can also be comments, signified with an exclamation point (!) in column one. The four lines of each stanza must always appear in the same order. They are as follows:

  1. The name of the command
    This name is used to invoke the desired function and is entered as the first parameter to PRIVDCL itself.

  2. The DCL command used to execute the named command
    Include the at sign for command files, e.g. @dev:[dir]cmd. This command can also include parameters. Note that since the spawned subprocess is executed with a small DCL "shell", one parameter is lost. Therefore, the command procedure itself will have only seven parameters available to it.

  3. Required privileges
    A list of all of the necessary privileges for the process to execute. These privileges will be granted in addition to the already set privileges for the user, thus you should not normally have to worry about TMPMBX and NETMBX.

  4. Users, listed as usernames, UICs, or rights identifiers
    An asterisk can be used to wildcard for all usernames, or parts of the UIC. UICs can be in alphanumeric or numeric form. UICs without two parts are assumed to be usernames. Rights identifiers need to be enclosed in angle brackets -- they cannot be wildcarded (why bother?).

Elements of the last two lines, those for privileges and users, must be separated by white space and/or commas. The maximum number of elements on these lines is defined internally; the default is ten (10). None of the lines can extend beyond eighty (80) characters. A sample configuration file then, might look something like:


    PASSWORD
    @SYS$MANAGER:CHANGE_PASSWORD
    SYSPRV
    SMITH [ENGNR,*] [10,*] <TECH_SUPPORT>
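
A review aid for the stanza format described above, added here as an example; it is not part of PRIVDCL or written by its author. It parses the text of a PRIVDCL.DAT file, applies the documented limits, and reports entries that hand the listed privileges to every user. Assumptions: a comment line inside a stanza ends it, [*,*] is read as "all UICs", and the BACKUP stanza and the names lint and elements are constructed for the example.

```python
import re

MAX_LINE = 80      # documented limit for every line
MAX_ELEMENTS = 10  # documented default; the real limit is set inside PRIVDCL

# Constructed sample: the page's stanza plus one deliberately risky stanza.
SAMPLE = """\
! Constructed test file
PASSWORD
@SYS$MANAGER:CHANGE_PASSWORD
SYSPRV
SMITH [ENGNR,*] [10,*] <TECH_SUPPORT>
!
BACKUP
@SYS$MANAGER:NIGHTLY_BACKUP
SYSPRV, BYPASS
*, <OPER*>
"""

def elements(line):
    """Split on white space and/or commas, keeping [group,member] UICs whole."""
    return re.findall(r"\[[^\]]*\]|<[^>]*>|[^\s,]+", line)

def lint(text):
    """Return (stanzas, findings) for the text of a PRIVDCL.DAT file."""
    stanzas, findings, block = [], [], []
    for n, raw in enumerate(text.splitlines() + [""], 1):
        line = raw.rstrip()
        if len(line) > MAX_LINE:
            findings.append(f"line {n}: exceeds {MAX_LINE} characters")
        if line.strip() and not line.startswith("!"):
            block.append(line.strip())
            continue
        # Blank or comment line (assumed separator): closes the stanza so far.
        if len(block) == 4:
            name, command = block[:2]
            privs, users = elements(block[2]), elements(block[3])
            stanzas.append({"name": name, "command": command, "privs": privs, "users": users})
            if max(len(privs), len(users)) > MAX_ELEMENTS:
                findings.append(f"{name}: more than {MAX_ELEMENTS} elements on a line")
            for u in users:
                if u.startswith("<") and "*" in u:
                    findings.append(f"{name}: rights identifier {u} cannot be wildcarded")
                elif u in ("*", "[*,*]"):
                    findings.append(f"{name}: {u} grants {','.join(privs)} to every user")
        elif block:
            findings.append(f"line {n}: stanza {block[0]} has {len(block)} lines, expected 4")
        block = []
    return stanzas, findings
```

Calling lint(SAMPLE) returns both stanzas and two findings for BACKUP: the bare asterisk on the user line and the wildcarded rights identifier.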

How It Works

PRIVDCL takes several precautions to avoid the obvious security risks. First, an outline of what is done in what order will help to explain some of the precautions.

Before the subprocess is spawned, a log entry is written to PRIVDCL_DIR:PRIVDCL.LOG (PRIVDCL_STARTUP.COM creates a new version). When the subprocess is spawned, the DCL command and its parameters are all passed to PRIVDCL.COM from which other elements can be controlled. In the shipped version, a small set of logical names is purposely set to avoid any attempts to have data written to other locations, and the job logical name table is removed, effectively leaving only group and system table logical names to affect the subprocess. Further edits can eliminate or re-order logical name translation. Finally, the DCL command is executed. As mentioned above, this approach results in an inability to pass the normal complement of eight (8) parameters to a DCL command file.

It should be noted that since PRIVDCL_DIR is assumed to be the location of PRIVDCL.COM, the logical name PRIVDCL_DIR is translated from the system logical name table, and only in executive mode. The logical name is not passed "as is" to the CLI.




PRIVDCL version 2.031-Jul-1997

Inquiries to Lawrence University Postmaster