$!-----------------------------------------------------------------'f$verify(0)
$! SECURE.COM
$!
$! Copyright (C) 1996-2021 Mark G.Daniel.
$!
$! Licensed under the Apache License, Version 2.0 (the "License");
$! you may not use this file except in compliance with the License.
$! You may obtain a copy of the License at
$!
$!    http://www.apache.org/licenses/LICENSE-2.0
$!
$! Unless required by applicable law or agreed to in writing, software
$! distributed under the License is distributed on an "AS IS" BASIS,
$! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
$! See the License for the specific language governing permissions and
$! limitations under the License.
$!
$! Can be used standalone to 'refresh' package directory settings.
$! Is called from INSTALL.COM to set initial directory settings.
$!
$! P1..P3   "INSTALL"            called from INSTALL.COM
$! P1..P3   "SERVER=<string>"    specifying the server account username
$! P1..P3   "NOBODY=<string>"    specifying the scripting account username
$!
$! 07-NOV-2009  MGD  v2.3, WASD v10 logical naming schema
$! 30-JUN-2005  MGD  bugfix; in ACE placement for access to [LOCAL]
$! 28-JAN-2004  MGD  v2.2, server write access to [LOCAL]
$! 23-DEC-2003  MGD  v2.1, IA64 support
$! 01-NOV-2002  MGD  v2.0, major revision
$! 25-SEP-2002  MGD  v1.0, initial release (as INSTALL_SECURE.COM)
$!-----------------------------------------------------------------------------
$!
$ if f$trnlnm("INSTALL$DBUG") .nes. "" then set verify
$!
$ ss$_abort = 44
$ ss$_bugcheck = 676
$ say = "write sys$output"
$ vms_version = f$integer(f$extract(1,1,f$getsyi("version"))) * 10 +-
                f$integer(f$extract(3,1,f$getsyi("version")))
$ if vms_version .ge. 72 then set process /parse=traditional
$ set control=Y
$ on controly then exit ss$_abort
$!
$ if f$environment("depth") .eq. 1 then @wasd_root:[install]copyright.com
$!
$ install = 0
$ if p1 .eqs. "INSTALL" then install = 1
$ pre801 = 0
$!
$ @WASD_ROOT:[INSTALL]SECHAN.COM
$!
$!(run SECHAN to ensure the three required rights identifiers exit)
$ sechan /identifiers
$!
$ if .not. install
$ then
$!
$    @WASD_ROOT:[INSTALL]ACCOUNTS.COM "''p1'" "''p2'" "''p3'"
$!
$    sechan /getuai "''http$server_username'" 
$    if .not. $status
$    then
$       type sys$input
                      *********************************
                      *  PROBLEM WITH SERVER ACCOUNT  *
                      *********************************

$       exit status
$    endif
$!
$    if http$nobody_username .nes. http$server_username
$    then
$       sechan /getuai "''http$nobody_username'" 
$       if .not. $status then http$nobody_username = http$server_username
$    endif
$!
$    call install_secure_post81
$!
$    sechan /getuai "''http$server_username'" 
$    if .not. $status
$    then
$       type sys$input
                      *********************************
                      *  PROBLEM WITH SERVER ACCOUNT  *
                      *********************************

$       exit ss$_abort
$    endif
$!
$    sechan /getuai "''http$nobody_username'" 
$    if .not. $status then http$nobody_username = http$server_username
$!
$ endif
$!
$  type sys$input
                        *****************************
                        *  (RE)SECURE THE PACKAGE?  *
                        *****************************

Begin to make changes to files and security settings in the package.

$  response = ""
$  read sys$command response /prompt="Secure the package? [NO]: "
$  say ""
$!
$  if response
$  then
$!
$!   (ensure all the post-8.1 directories are present)
$    if f$search("wasd_root:[000000]axp-bin.dir") .eqs. "" -
        then create /directory /log wasd_root:[axp-bin]
$    if f$search("wasd_root:[000000]cgi-bin.dir") .eqs. "" -
        then create /directory /log wasd_root:[cgi-bin]
$    if f$search("wasd_root:[000000]ia64-bin.dir") .eqs. "" -
        then create /directory /log wasd_root:[ia64-bin]
$    if f$search("wasd_root:[000000]log_server.dir") .eqs. "" -
        then create /directory /log wasd_root:[log_server]
$    if f$search("wasd_root:[000000]startup.dir") .eqs. "" -
        then create /directory /log wasd_root:[startup]
$!
$    type sys$input
                   **************************************
                   *  SETTING PACKAGE FILE PROTECTIONS  *
                   **************************************

Please be patient, this may take some (considerable) time ...

$    sechan /package /progress
$    say ""
$!
$ endif
$!
$!
$ type sys$input
                        *****************************
                        *  SERVER WRITE TO [LOCAL]  *
                        *****************************

To allow updating of configuration files located in WASD_ROOT:[LOCAL] via the
Server Administration interface, the [LOCAL] directory must have a specific
access control entry added.  Note that write access cannot occur unless
HTTPD$AUTH path access is also configured.

$ response = ""
$ read sys$command response /prompt="Allow server write access to [LOCAL]? [NO]: "
$ say ""
$ if response
$ then
$    sechan /delete WASD_ROOT:[000000]LOCAL.DIR
$    sechan /control WASD_ROOT:[000000]LOCAL.DIR
$    sechan /none WASD_ROOT:[000000]LOCAL.DIR
$ endif
$!
$ type sys$input
                       *******************************
                       *  [LOCAL]INSTALL_SECURE.COM  *
                       *******************************

This convenience procedure may be created and maintained by local site
administration with DCL commands to ensure that the local package tree is
configured for correct operation following a reapplication of site security.

$ if f$search("wasd_root:[local]install_secure.com") .eqs. ""
$ then
$    type sys$input
This procedure was NOT FOUND on this site!

$ else
$    @wasd_root:[local]install_secure.com
$ endif
$!
$ type sys$input
                   **************************************
                   *  INSTALL SECURE   C O M P L E T E  *
                   **************************************

$ exit
$!
$!-----------------------------------------------------------------------------
$!
$ INSTALL_SECURE_POST81: SUBROUTINE
$!
$! standalone post-v8.1 security update, provides an overview
$!
$ on controly then exit ss$_abort
$ type sys$input
              *************************************************
              *   P L E A S E   R E A D   C A R E F U L L Y   *
              *************************************************

This procedure sets WASD site directory and file protection requirements.

It can be used to reset an existing installation to a known, initial state.
It can be executed any number of times, only making adjustments as necessary. 
It always refreshes the directory and file security settings.

After executing this procedure it may be necessary to reset some parts in line
with local requirements.  To perform this automatically you can create a DCL
procedure WASD_ROOT:[LOCAL]INSTALL_SECURE.COM which is searched for and
executed automatically to perform these tasks.

$ response =  ""
$ read sys$command response /prompt="Continue? [NO]: "
$ say ""
$ if .not. response then exit ss$_abort
$!
$ exit
$ endsubroutine
$!
$!-----------------------------------------------------------------------------