[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
/*****************************************************************************/
/*
AuthAccess.c
THE GNU GENERAL PUBLIC LICENSE APPLIES DOUBLY TO ANYTHING TO DO WITH
AUTHENTICATION AND AUTHORIZATION!
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License, or any later
version.
> This package is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Authorize access to a particular file or directory.
Enable access (via SYSPRV) appropriately to ensure access.
See AUTH.C for overall detail on the WASD authorization environment.
VERSION HISTORY
---------------
16-OCT-2020 MGD AuthAccessEnable() add ->rqPathSet.WebDavAll and
->rqPathSet.WebDavAuth
29-SEP-2020 MGD AuthAccessEnable() file access use (rqptr->WebDavRequest ||
rqptr->WhiffOfWebDav) rather than ->WebDavTaskPtr
13-JUL-2014 MGD AuthAccessCheck() add explicit check against server
account to improve reporting of underlying access
31-JUL-2007 MGD unbundled from AUTH.C
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <armdef.h>
#include <chpdef.h>
#include <descrip.h>
#include <libdef.h>
#include <prvdef.h>
#include <ssdef.h>
#include <stsdef.h>
#include <uaidef.h>
/* application related header files */
#include "wasd.h"
#define WASD_MODULE "AUTHACCESS"
#if WATCH_MOD
#define FI_NOLI WASD_MODULE, __LINE__
#else
/* in production let's keep the exact line to ourselves! */
#define FI_NOLI WASD_MODULE, 0
#endif
/******************/
/* global storage */
/******************/
/********************/
/* external storage */
/********************/
extern BOOL AuthPolicySysUafRelaxed,
AuthPolicySysUafIdentifiers,
AuthPolicySysUafWasdIdentifiers,
AuthPolicySysUafVms,
AuthSysUafEnabled,
AuthSysUafPromiscuous,
AuthVmsUserProfileEnabled,
AuthVmsUserProfileNoRule;
extern BOOL InstanceMutexHeld[];
extern int ServerPort;
extern int ToLowerCase[],
ToUpperCase[];
extern unsigned int HttpdUserProfileLength;
extern unsigned char *HttpdUserProfilePtr;
extern struct dsc$descriptor_s HttpdUserProfileDsc;
extern unsigned long AuthHttpsOnlyVmsIdentifier,
AuthNilAccessVmsIdentifier,
AuthPasswordChangeVmsIdentifier,
AuthWasdPwdVmsIdentifier,
AuthWasdHttpsVmsIdentifier,
AuthWasdReadVmsIdentifier,
AuthWasdWriteVmsIdentifier;
extern unsigned long SysPrvMask[];
extern char ErrorSanityCheck[],
SoftwareID[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern CONFIG_STRUCT Config;
extern HTTPD_PROCESS HttpdProcess;
extern MSG_STRUCT Msgs;
extern WATCH_STRUCT Watch;
/*****************************************************************************/
/*
Using sys$check_access() check file read/write access permission for the
supplied file name against the SYSUAF-authenticated user's security profile
(created by AuthVmsCreateUserProfile()). File or directory specifications can
be supplied. If the file or directory does not exist then check access to the
parent directory (in this way permission to say, create a directory may be
established). Returns SS$_NORMAL if access allowed, SS$_NOPRIV if denied, and
other RMS status codes.
*/
int AuthAccessCheck
(
REQUEST_STRUCT* rqptr,
char *FileName,
int FileNameLength,
int AccessRequired
)
{
static unsigned long Flags = 0;
static unsigned long ArmAccess;
static unsigned long ArmControlAccess = ARM$M_CONTROL;
static $DESCRIPTOR (ClassNameDsc, "FILE");
static $DESCRIPTOR (UserProfileDsc, "");
static VMS_ITEM_LIST3 ArmAccessItem [] =
{
{ sizeof(ArmAccess), CHP$_ACCESS, &ArmAccess, 0 },
{ 0, 0, 0, 0 }
};
static VMS_ITEM_LIST3 ControlAccessItem [] =
{
{ sizeof(ArmControlAccess), CHP$_ACCESS, &ArmControlAccess, 0 },
{ 0, 0, 0, 0 }
};
BOOL VmsUserProfile;
int status, stts,
DirFileNameLength,
ParentFileNameLength = 0;
char *cptr,
*ProfilePtr,
*WhoseProfilePtr;
char DirFileName [ODS_MAX_FILE_NAME_LENGTH+1],
ParentFileName [ODS_MAX_FILE_NAME_LENGTH+1];
$DESCRIPTOR (FileNameDsc, "");
$DESCRIPTOR (ParentNameDsc, "");
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthAccessCheck() !&Z !&Z !UL !UL !&X !&B !&B",
rqptr->RemoteUser, FileName, AccessRequired,
rqptr->rqAuth.VmsUserProfileLength,
rqptr->rqAuth.VmsUserProfilePtr,
rqptr->rqPathSet.NoProfile,
rqptr->rqPathSet.AccessProfile ||
rqptr->rqPathSet.AccessRead ||
rqptr->rqPathSet.AccessServer ||
rqptr->rqPathSet.AccessWrite);
if (!HttpdUserProfileLength) AuthVmsCreateHttpdProfile ();
/* wildcard specifications can be passed to this function */
if (FileNameLength > 0)
cptr = FileName + FileNameLength;
else
for (cptr = FileName; *cptr; cptr++);
if (cptr > FileName) cptr--;
while (cptr > FileName && *cptr != ']') cptr--;
if (*cptr == ']') cptr++;
FileNameLength = cptr - FileName;
while (*cptr && *cptr != '*' && *cptr != '%') cptr++;
if (!*cptr) FileNameLength = cptr - FileName;
if (!FileNameLength || !FileName[0])
{
ErrorNoticed (rqptr, SS$_BUGCHECK, NULL, FI_LI);
return (SS$_BUGCHECK);
}
if (FileNameLength && FileName[FileNameLength-1] == ']')
{
/* a directory has been specified, get the directory file name */
OdsNameOfDirectoryFile (FileName, FileNameLength,
DirFileName, &DirFileNameLength);
FileNameDsc.dsc$a_pointer = DirFileName;
FileNameDsc.dsc$w_length = DirFileNameLength;
}
else
{
FileNameDsc.dsc$a_pointer = FileName;
FileNameDsc.dsc$w_length = FileNameLength;
}
/****************/
/* check access */
/****************/
switch (AccessRequired)
{
case AUTH_ACCESS_READ :
ArmAccess = ARM$M_READ;
break;
case AUTH_ACCESS_WRITE :
ArmAccess = ARM$M_WRITE;
break;
default :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
if (rqptr->rqAuth.VmsUserProfileLength)
{
VmsUserProfile = AuthVmsUserProfileNoRule;
if (rqptr->rqPathSet.NoProfile) VmsUserProfile = false;
if (rqptr->rqAuth.VmsUserProfile) VmsUserProfile = true;
}
else
VmsUserProfile = false;
if (AccessRequired == AUTH_ACCESS_WRITE)
{
/*
Check if the HTTPd account has CONTROL access to the parent
directory of the file or directory specification supplied
in 'FileName'. If the server has CONTROL access then there is no
general access to the directory, only an authenticated VMS user
with a security profile can write into it.
*/
OdsNameOfDirectoryFile (FileNameDsc.dsc$a_pointer,
FileNameDsc.dsc$w_length,
ParentFileName, &ParentFileNameLength);
ParentNameDsc.dsc$a_pointer = ParentFileName;
ParentNameDsc.dsc$w_length = ParentFileNameLength;
/* turn on SYSPRV to allow this to be done */
sys$setprv (1, &SysPrvMask, 0, 0);
status = sys$check_access (0, &ParentNameDsc, 0, &ControlAccessItem,
0, &ClassNameDsc, 0, &HttpdUserProfileDsc);
sys$setprv (0, &SysPrvMask, 0, 0);
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACCESS !AZ control !AZ !&S !&?YES\rNO\r",
HttpdProcess.UserName, ParentNameDsc.dsc$a_pointer,
status, VMSok(status));
if (VMSok (status))
{
/* control ACE means must be using VMS profile */
if (!VmsUserProfile) return (SS$_NOPRIV);
}
else
if (status != SS$_NOPRIV)
{
/* any other error status */
return (status);
}
/* drop through to check user access */
}
/***************/
/* user access */
/***************/
stts = 0;
if (VmsUserProfile)
{
/* against a SYSUAF-authenticated account */
UserProfileDsc.dsc$a_pointer = rqptr->rqAuth.VmsUserProfilePtr;
UserProfileDsc.dsc$w_length = rqptr->rqAuth.VmsUserProfileLength;
WhoseProfilePtr = rqptr->RemoteUser;
ProfilePtr = "(using profile)";
}
else
{
/* against the HTTPd server account */
UserProfileDsc.dsc$a_pointer = HttpdUserProfilePtr;
UserProfileDsc.dsc$w_length = HttpdUserProfileLength;
WhoseProfilePtr = HttpdProcess.UserName;
if (rqptr->rqAuth.VmsUserProfileLength)
ProfilePtr = "(NOT using profile)";
else
ProfilePtr = "(no profile)";
}
/* turn on SYSPRV to allow this to be done */
sys$setprv (1, &SysPrvMask, 0, 0);
status = sys$check_access (0, &FileNameDsc, 0, &ArmAccessItem,
0, &ClassNameDsc, 0, &UserProfileDsc);
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"sys$check_access() !AZ !AZ !&S",
WhoseProfilePtr, FileNameDsc.dsc$a_pointer, status);
if (WATCHING (rqptr, WATCH_AUTH))
{
/* only for informational purposes */
if (status == SS$_NOPRIV && VmsUserProfile)
{
/* also check against the HTTPd server account (e.g. via ACL) */
UserProfileDsc.dsc$a_pointer = HttpdUserProfilePtr;
UserProfileDsc.dsc$w_length = HttpdUserProfileLength;
stts = sys$check_access (0, &FileNameDsc, 0, &ArmAccessItem,
0, &ClassNameDsc, 0, &UserProfileDsc);
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"sys$check_access() !AZ !AZ !&S",
HttpdProcess.UserName, FileNameDsc.dsc$a_pointer, stts);
}
}
/* turn SYSPRV back off again */
sys$setprv (0, &SysPrvMask, 0, 0);
if (status == RMS$_FNF || status == RMS$_DNF)
{
/* attempt to establish access to parent directory */
if (!ParentFileNameLength)
{
/* if not already initialised when checking for control above */
OdsNameOfDirectoryFile (FileNameDsc.dsc$a_pointer,
FileNameDsc.dsc$w_length,
ParentFileName, &ParentFileNameLength);
ParentNameDsc.dsc$a_pointer = ParentFileName;
ParentNameDsc.dsc$w_length = ParentFileNameLength;
}
if (VmsUserProfile)
{
/* against a SYSUAF-authenticated account */
UserProfileDsc.dsc$a_pointer = rqptr->rqAuth.VmsUserProfilePtr;
UserProfileDsc.dsc$w_length = rqptr->rqAuth.VmsUserProfileLength;
WhoseProfilePtr = rqptr->RemoteUser;
ProfilePtr = "(using profile)";
}
/* turn on SYSPRV to allow this to be done */
sys$setprv (1, &SysPrvMask, 0, 0);
status = sys$check_access (0, &ParentNameDsc, 0, &ArmAccessItem,
0, &ClassNameDsc, 0, &UserProfileDsc);
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"sys$check_access() !AZ !AZ !&S",
WhoseProfilePtr, ParentNameDsc.dsc$a_pointer, status);
if (WATCHING (rqptr, WATCH_AUTH))
{
/* only for informational purposes */
if (status == SS$_NOPRIV && VmsUserProfile)
{
/* also against the HTTPd server account (e.g. via ACL) */
UserProfileDsc.dsc$a_pointer = HttpdUserProfilePtr;
UserProfileDsc.dsc$w_length = HttpdUserProfileLength;
stts = sys$check_access (0, &ParentNameDsc, 0, &ArmAccessItem,
0, &ClassNameDsc, 0, &UserProfileDsc);
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"sys$check_access() !AZ !AZ !&S",
HttpdProcess.UserName,
ParentNameDsc.dsc$a_pointer, stts);
}
}
/* turn SYSPRV back off again */
sys$setprv (0, &SysPrvMask, 0, 0);
}
if (WATCHING (rqptr, WATCH_AUTH))
{
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "ACCESS !AZ !AZ !AZ !AZ !&S !AZ",
ProfilePtr, WhoseProfilePtr,
AccessRequired == AUTH_ACCESS_READ ? "read" : "write",
FileNameDsc.dsc$a_pointer,
status, VMSok(status) ? "PERMITTED" : "DENIED");
if (VMSok(stts))
WatchThis (WATCHITM(rqptr), WATCH_AUTH, "NOTE: !AZ !AZ !AZ !&S !AZ",
HttpdProcess.UserName,
AccessRequired == AUTH_ACCESS_READ ? "read" : "write",
FileNameDsc.dsc$a_pointer,
stts, VMSok(stts) ? "PERMITTED" : "DENIED");
}
if (VMSok (status)) return (status);
/*
DFS hosted volumes can return SS$_NOCALLPRIV.
Trap SS$_ACCONFLICT into SS$_NOPRIV so directory listings don't halt.
*/
if (status == SS$_NOPRIV ||
status == SS$_NOCALLPRIV ||
status == SS$_ACCONFLICT) return (SS$_NOPRIV);
/* if an RMS error return normal letting caller continue and report it */
if (((status & STS$M_FAC_NO) >> STS$V_FAC_NO) == RMS$_FACILITY)
return (SS$_NORMAL);
rqptr->rqResponse.ErrorTextPtr = "sys$check_access()";
rqptr->rqResponse.ErrorOtherTextPtr = FileName;
ErrorVmsStatus (rqptr, status, FI_LI);
return (status);
}
/*****************************************************************************/
/*
Enables SYSPRV based on the ACCESS= or WEBDAV= path SETing.
If =READ then enables it when requiring read access. If =WRITE then enables it
for both read and write. If =PROFILE then the SYSUAF user security profile is
used to check for access against the supplied file specification. If allowed
then SYSPRV is enabled. If =SERVER then SYSPRV is never enabled, it becomes a
best effort based on the access permissions of the server account. The
'AccessRequired' parameter AUTH_ACCESS_SYSPRV unconditionally enables SYSPRV
for those instances where discretionary access is not necessary. No access
required (zero value) disables SYSPRV.
=WRITE takes precedence over =PROFILE, =READ and =SERVER
=PROFILE takes precedence over =READ and =SERVER
=READ takes precedence over =SERVER
Returns boolean for whether SYSPRV is currently enabled.
*/
BOOL AuthAccessEnable
(
REQUEST_STRUCT *rqptr,
char *FileName,
int AccessRequired
)
{
static BOOL SysPrvEnabled;
BOOL IsWebDAV;
int status;
char *AccessPtr,
*PathPtr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_MOD_AUTH,
"AuthAccessEnable() !UL!AZ webdav:!&B read:!&B write:!&B profile:!&B !&Z",
AccessRequired,
AccessRequired == AUTH_ACCESS_SYSPRV ? " (SYSPRV)" : "",
rqptr->WebDavRequest || rqptr->WhiffOfWebDav,
(rqptr->rqPathSet.WebDavRead ||
rqptr->rqPathSet.AccessRead),
(rqptr->rqPathSet.WebDavWrite ||
rqptr->rqPathSet.AccessWrite),
(rqptr->rqPathSet.WebDavProfile ||
rqptr->rqPathSet.AccessProfile),
FileName);
if (!AccessRequired)
{
/* disable */
if (!SysPrvEnabled) return (SysPrvEnabled);
sys$setprv (0, &SysPrvMask, 0, 0);
SysPrvEnabled = false;
return (SysPrvEnabled);
}
IsWebDAV = rqptr->WebDavRequest ||
rqptr->WhiffOfWebDav ||
rqptr->rqPathSet.WebDavAll ||
rqptr->rqPathSet.WebDavAuth;
/* enabling/disabling must be done in balance to prevent privs escaping */
if (SysPrvEnabled)
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
switch (AccessRequired)
{
case AUTH_ACCESS_READ : AccessPtr = "read"; break;
case AUTH_ACCESS_WRITE : AccessPtr = "write"; break;
case AUTH_ACCESS_SYSPRV :
/* unconditional enabling of SYSPRV */
sys$setprv (1, &SysPrvMask, 0, 0);
SysPrvEnabled = true;
return (SysPrvEnabled);
default :
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
if ((IsWebDAV &&
rqptr->rqPathSet.WebDavWrite) ||
rqptr->rqPathSet.AccessWrite)
{
/* path set '=write' */
sys$setprv (1, &SysPrvMask, 0, 0);
SysPrvEnabled = true;
PathPtr = "write";
}
else
if ((IsWebDAV &&
rqptr->rqPathSet.WebDavProfile) ||
rqptr->rqPathSet.AccessProfile)
{
/* path set '=profile' */
status = AuthAccessCheck (rqptr, FileName, 0, AccessRequired);
if (VMSok (status))
{
sys$setprv (1, &SysPrvMask, 0, 0);
SysPrvEnabled = true;
}
PathPtr = "profile";
}
else
if ((IsWebDAV &&
rqptr->rqPathSet.WebDavRead) ||
rqptr->rqPathSet.AccessRead)
{
/* path set '=read' */
if (AccessRequired == AUTH_ACCESS_READ)
{
sys$setprv (1, &SysPrvMask, 0, 0);
SysPrvEnabled = true;
}
PathPtr = "read";
}
else
if ((IsWebDAV &&
rqptr->rqPathSet.WebDavServer) ||
rqptr->rqPathSet.AccessServer)
{
/* path set '=server' so relies on permissions for server account */
PathPtr = "server";
}
else
if (rqptr->rqAuth.VmsUserProfileLength)
{
/* no path SETing but authorized path with request SYSUAF profile */
status = AuthAccessCheck (rqptr, FileName, 0, AccessRequired);
if (VMSok (status))
{
sys$setprv (1, &SysPrvMask, 0, 0);
SysPrvEnabled = true;
}
PathPtr = "(none)";
}
else
PathPtr = "(none)";
if (WATCHING (rqptr, WATCH_AUTH))
WatchThis (WATCHITM(rqptr), WATCH_AUTH,
"ACCESS:!AZ WebDAV:!&B PATH:!AZ (SET read:!&B write:!&B profile:!&B) \
SYSPRV:!AZ !AZ",
AccessPtr, IsWebDAV, PathPtr,
(rqptr->rqPathSet.WebDavRead ||
rqptr->rqPathSet.AccessRead),
(rqptr->rqPathSet.WebDavWrite ||
rqptr->rqPathSet.AccessWrite),
(rqptr->rqPathSet.WebDavProfile ||
rqptr->rqPathSet.AccessProfile),
SysPrvEnabled ? "enabled" : "disabled",
FileName);
return (SysPrvEnabled);
}
/*****************************************************************************/