Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!rochester!bbn!uwmcsd1!marque!gryphon!crash!jeh
From: jeh@crash.UUCP
Newsgroups: comp.os.vms
Subject: Re: Using callable EDT (caveat for installed prog. w/ privs)
Message-ID: <2078@crash.cts.com>
Date: Thu, 3-Dec-87 19:29:50 EST
Article-I.D.: crash.2078
Posted: Thu Dec  3 19:29:50 1987
Date-Received: Sun, 6-Dec-87 21:19:46 EST
References: <8712020650.AA10361@ucbvax.Berkeley.EDU>
Reply-To: jeh@crash.CTS.COM (Jamie Hanrahan)
Organization: CMKRNL Press, San Diego, CA
Lines: 21
Summary: Turn privs off and on as needed

In article <8712020650.AA10361@ucbvax.Berkeley.EDU> PHULVER%OCVAXA@VB.CC.CMU.EDU (Barron Hulver x8290) writes:
>Just a tidbit of information for anyone using the callable
>EDT interface.  If the program will ever be an installed image
>with privileges (SYSPRV, BYPASS), this is not the way to go.
>A user will be able to drop into the editor, then INCLUDE
>any text file on the system.
>In this case you do want to use the LIB$SPAWN feature.

This point is well taken, but the moral is to code programs that will be
installed with privs correctly rather than to avoid use of callable EDT.
Any program to be installed with privs should begin by turning the enhanced
privs OFF, then turn them on just before they're needed, and turn them off
again immediately afterwards.  For instance, if you're writing a mailer 
that needs to access files via BYPASS privilege, you turn on BYPASS only
when accessing those files (SYSUAF, users' mail files, etc.), and turn it
off again as soon as the file is open.  You don't leave it on, for instance,
during the `prepared file to include?' sequence...  Also, be careful about
logical name translations -- a program accessing files via enhanced privs
should only use `trusted' logical names (system name table, exec mode,
etc.).  With these caveats, one can write enhanced-priv programs and still
safely use things like callable EDT.
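
The bracketing pattern described in the reply above, as an added example that is not part of the original article: a portable C model in which the process privilege mask is a simulated variable, so the control flow can be run anywhere. The names `set_priv`, `fake_open`, `fake_editor`, `mailer_session`, the bit values and the file name are assumptions made for illustration; on VMS the enable/disable step corresponds to the $SETPRV system service.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bit values for the model, not the VMS PRV$M_* constants. */
#define PRIV_SYSPRV 0x1u
#define PRIV_BYPASS 0x2u

/* Simulated process privilege mask, as if the image were installed with both. */
static uint32_t cur_privs = PRIV_SYSPRV | PRIV_BYPASS;

/* Model of $SETPRV: enable or disable the bits in mask, return the previous mask. */
static uint32_t set_priv(int enable, uint32_t mask) {
    uint32_t prev = cur_privs;
    cur_privs = enable ? (cur_privs | mask) : (cur_privs & ~mask);
    return prev;
}

/* Stand-in for a file open; records the privileges in effect when it runs. */
static uint32_t privs_at_open;
static int fake_open(const char *path) {
    privs_at_open = cur_privs;
    return path[0] != '\0' ? 3 : -1;     /* constructed result: channel 3 or failure */
}

/* Stand-in for the interactive editor call (callable EDT in the post). */
static uint32_t privs_in_editor;
static void fake_editor(void) { privs_in_editor = cur_privs; }

/* BYPASS is on only while the open runs, whether the open succeeds or fails. */
static int open_with_bypass(const char *path) {
    uint32_t prev = set_priv(1, PRIV_BYPASS);
    int fd = fake_open(path);
    if (!(prev & PRIV_BYPASS))           /* restore the state found on entry */
        set_priv(0, PRIV_BYPASS);
    return fd;
}

static int mailer_session(const char *mailfile) {
    set_priv(0, PRIV_SYSPRV | PRIV_BYPASS); /* first action: enhanced privs off */
    int fd = open_with_bypass(mailfile);    /* privileged access, bracketed */
    fake_editor();                          /* user-controlled phase, no privs */
    return fd;
}

int main(void) {
    int fd = mailer_session("MAIL.MAI");    /* hypothetical file name */
    printf("fd=%d open=%#x editor=%#x\n", fd,
           (unsigned)privs_at_open, (unsigned)privs_in_editor);
    return 0;
}
```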