Subject: Re: System UICs
From: arne (at) *nospam* vajhoej.dk (Arne Vajhøj)
Newsgroups: comp.os.vms
Date: 08. Jun 2024, 02:08:56
Organization: A noiseless patient Spider
Message-ID : <v40av8$29vru$1@dont-email.me>
References : 1 2 3 4 5 6 7
User-Agent : Mozilla Thunderbird
On 6/7/2024 8:26 PM, Lawrence D'Oliveiro wrote:
> On Fri, 7 Jun 2024 20:11:13 -0400, Arne Vajhøj wrote:
>> VMS allows multiple usernames with same UIC, but it practically
>> never happens.
>
> The point being that privilege separation is done based on UIC, not
> username. For example, on *nix, a daemon might start out as root and then
> call setuid(2) and friends to isolate the current process as a
> nonprivileged user. The UID to use can be easily obtained by looking up a
> symbolic username in the /etc/passwd file. How would you do this on VMS?

You would not do it that way on VMS.

Depending on the specific requirements you would probably
do one of:
- start the daemon under a username with a minimum set of privs
  (if it just needs WORLD and SYSNAM, then it gets just those)
- start the daemon under an unprivileged username and install
  the executable with the minimum set of privs
- start the daemon under an unprivileged username, don't
  install the executable with privs but let the program
  use a UWSS to do the privileged stuff
- start the daemon under a username with SETPRV privilege
  and let the program use SYS$SETPRV to turn required privs
  on and off dynamically
- start the daemon under an unprivileged username and install
  the executable with SETPRV privilege and let the program
  use SYS$SETPRV to turn required privs on and off dynamically

So many options.

If you really want to change identity, then there are a bunch
of utilities for it: SETUSER, JUMP, PERSONA etc. - I assume
that they change both username and UIC.

Arne
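
For comparison, the *nix pattern described in the quoted question (look up a symbolic username, then call setuid(2) and friends), written out as an added example that is not part of the original thread. The function names and the default account name "nobody" are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a symbolic username to UID/GID through the passwd database.
 * Returns 0 on success, -1 if the user is unknown. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently drop from root to `name`. Order matters: supplementary
 * groups and GID go first, UID last, because once the UID is changed
 * the process no longer has the right to change its groups. */
int drop_privileges(const char *name)
{
    uid_t uid;
    gid_t gid;
    if (lookup_user(name, &uid, &gid) != 0)
        return -1;
    if (uid == 0)                    /* "dropping" to root is a no-op */
        return -1;
    if (setgroups(1, &gid) != 0) return -1;  /* shed root's groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* must not be able to get root back */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";  /* assumed account */
    if (drop_privileges(user) != 0) {
        fprintf(stderr, "cannot drop privileges to %s\n", user);
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Every return value is checked because a failed setuid() that goes unnoticed leaves the daemon running as root.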