![[Compaq]](../../images/compaq.gif)
![[Go to the documentation home page]](../../images/buttons/bn_site_home.gif)
![[How to order documentation]](../../images/buttons/bn_order_docs.gif)
![[Help on this site]](../../images/buttons/bn_site_help.gif)
![[How to contact us]](../../images/buttons/bn_comments.gif)
![[OpenVMS documentation]](../../images/ovmsdoc_sec_head.gif)
| Document revision date: 19 July 1999 | |
|
|
|
|
|
|
| Previous | Contents | Index |
The context for a security management operation can be established through either $GET_SECURITY or $SET_SECURITY. Whenever the context is set by one service, the other service can use it provided the necessary locks are being held. A caller to $GET_SECURITY needs to set the write lock flag (OSS$M_WLOCK) to inspect a profile value, maintain the lock on the object's profile, and then modify some value through a call to $SET_SECURITY.
There are many situations in which the contxt argument is essential. By establishing a context for an ACL operation, for example, a caller can retain an ACL position across calls to $GET_SECURITY so that a set of ACEs can be read and modified sequentially. A security context is released by a call to $SET_SECURITY or $GET_SECURITY that sets the OSS$M_RELCTX flag. Once the context is deleted, the user-supplied context longword is reset to 0.
Control access to the object is required.
None
$GET_SECURITY
SS$_NORMAL The service completed successfully. SS$_ACCVIO The parameter cannot be read and the buffer cannot be written. SS$_BADPARAM You specified an invalid object, attribute code, or item size. SS$_INSFARG The clsnam and objnam arguments are not specified, the clsnam and objhan arguments are not specified, or the contxt argument is not specified. SS$_INVBUFLEN The buffer size for one of the item codes was invalid. SS$_INVCLSITM The item code that you specified is not supported for the class. SS$_MMATORB The attempted update cannot be performed. The object profile was changed by another process. SS$_NOCLASS The named object class does not exist. SS$_OBJLOCKED The selected object is currently write locked.
Searches for and returns information about records in the intrusion database matching the caller's specifications.
SYS$SHOW_INTRUSION user_criteria ,intruder ,intruder_len ,breakin_block ,[flags] ,[context]
int sys$show_intrusion (void *user_criteria, void *intruder, unsigned short int *intruder_len, void *breakin_block, unsigned int flags, unsigned int *context);
user_criteria
OpenVMS usage: char_string type: character-coded text string access: read only mechanism: by descriptor--fixed-length string descriptor
Description of intruder or suspect. The user_criteria argument is the address of a character-string descriptor pointing to a buffer containing the user criteria to match an intrusion record's user specification in the intrusion database.The user_criteria argument is a character string of between 1 and 1058 bytes containing characters to match the user specification on records in the intrusion database.
A user specification is any combination of the suspect's or intruder's source node name, source user name, source DECnet for OpenVMS address, local failed user name, local terminal, or the string UNKNOWN. The user specification for an intrusion record is based on the input to the $SCAN_INTRUSION service and the settings of the LGI system parameter. For more information, see the OpenVMS Guide to System Security.
Wildcards are allowed for the user_criteria argument. For more information about using wildcards to scan the intrusion database, see the Description section.
intruder
OpenVMS usage: char_string type: character-coded text string access: write only mechanism: by descriptor--fixed-length string descriptor
User specification of the matched intruder or suspect record in the intrusion database. The intruder argument is the address of a character-string descriptor pointing to a buffer to receive the user specification of the matched record in the intrusion database.The intruder argument is a 1058-byte string that will receive the user specification of a record in the intrusion database that matches the specifications in the user_criteria and flags arguments.
intruder_len
OpenVMS usage: string length type: longword (unsigned) access: write only mechanism: by reference
Length of returned string in the intrusion buffer. The intruder_len argument is the address of a longword to receive the length of the returned intrusion buffer.The possible range of the intruder_len argument is 0 to 1058 bytes. If the longword specified by the argument contains a 0 after the call to the service, either the service did not find a record that matched the user criteria in the intrusion database, or there are no more matching items in the intrusion database.
breakin_block
OpenVMS usage: record type: block of 2 words (unsigned), 1 longword (unsigned), and 1 quadword (unsigned) access: write only mechanism: by reference
Block to receive various information in the intrusion database about a record matching the user criteria. The breakin_block argument is the address of a structure with the following format.
The following table defines the break-in block fields.
| Field | Description |
|---|---|
| Type | Unsigned word containing the type of the matched record. The possible values for the type field are TERM_USER, TERMINAL, USERNAME, and NETWORK. These constants are defined in $CIADEF in STARLET. |
| Flags | Boolean set to TRUE (1) if the matched record is an intruder. If the value is set to FALSE (0), the matched record is only a suspect. |
| Count | Unsigned longword containing the number of login failures or break-in attempts made by the specified intruder or suspect. |
| Time | Quadword time format indicating the time when the record will expire. |
| OpenVMS usage: | mask_longword |
| type: | longword (unsigned) |
| access: | read only |
| mechanism: | by value |
Each option has a symbolic name. The $CIADEF macro defines the following valid names.
| Symbolic Name | Description |
|---|---|
| CIA$M_ALL | All records will be shown. If the flags argument is omitted, this value is assumed. |
| CIA$M_INTRUDERS | Only intruder records matching the criteria specified by the user_criteria argument will be returned. The value of the flag field in the break-in block will always be 1. |
| CIA$M_SUSPECTS | Only suspect records matching the criteria specified by the user_criteria argument will be returned. The value of the flag field in the break-in block will always be 0. |
Each of these options is mutually exclusive.
| OpenVMS usage: | context |
| type: | longword (unsigned) |
| access: | write only |
| mechanism: | by reference |
The initial value contained in the unsigned longword pointed to by the context argument must be 0. The contents of the unsigned longword must not be changed after the service has set its value. If the contents of the context argument are changed between calls to the service, SS$_BADCONTEXT will be returned.
Contexts become invalid after one-half hour of non-use. This means that if you call the $SHOW_INTRUSION service with a wildcard in the user_criteria argument and do not call the service to get the next matching record within one-half hour, the context becomes invalid. If the context has become invalid, you must restart your search of the intrusion database from the beginning by resetting the context to 0.
The Show Intrusion service returns information about records in the intrusion database that match the criteria you specify.You can retrieve information about multiple records in the intrusion database by specifying wildcards for the user_criteria argument. For example, specifying an asterisk (*) for the user_criteria argument and CIA$M_ALL_RECORDS for the flags argument will return information about all records in the database. Specifying TTA4* for the user_criteria argument and CIA$M_SUSPECTS_ONLY for the flags argument will return information about all suspects who have had failures on terminal TTA4.
If you specify a wildcard string for the user_criteria argument, you must also include a context argument. Because the service can only return information about one intrusion record at a time, you must call the service repeatedly to retrieve information about more than one record. The service will return SS$_NOMOREITEMS when information about all of the matching records has been returned. No intrusion information is returned from the call that returns SS$_NOMOREITEMS.
SECURITY privilege is required.
None
$DELETE_INTRUSION, $SCAN_INTRUSION
SS$_NORMAL The service completed successfully. SS$_ACCVIO The user_criteria or context argument cannot be read, or the intruder, intruder_len, breakin_block, or context argument cannot be written. SS$_BADBUFLEN The length of one of the specified arguments is out of range. SS$_BADCONTEXT The context argument did not contain a 0 on the first call to the service. The context argument's value changed between consecutive calls to the service. SS$_BADPARAM An invalid value was specified in the flags argument, or mutually exclusive options were specified in the flags argument. SS$_NOMOREITEMS All items matching the specified criteria have been returned. SS$_NOSECURITY The caller does not have SECURITY privilege. This service can also return any of the following messages passed from the security server: SECSRV$_NOSUCHINTRUDER No records matching the specified criteria were found in the intrusion database. SECSRV$_SERVERNOTACTIVE The security server is not currently active. Try the request again later.
On VAX systems, returns information about one or more existing proxies.
SYS$SHOW_PROXY rem_node ,rem_user ,buffer_sizes ,proxy_node ,proxy_user ,default_user ,local_users ,[context]
rem_node
OpenVMS usage: char_string type: character-coded text string access: read only mechanism: by descriptor--fixed-length string descriptor
Remote node name of the proxy about which information is being requested. The rem_node argument is the address of a character-string descriptor pointing to the remote node name string.A remote node name consists of 1 to 1024 characters. No specific characters, format, or case are required for a remote node name string.
Asterisk (*) and percent sign (%) wildcards are allowed for the remote node specification. If you specify wildcards for the rem_node argument, the server searches the entire proxy database for matches to the remote node and remote user you specified. If a match is found, information about the matched proxy is returned. See the Description section for information about retrieving information about multiple proxies.
rem_user
OpenVMS usage: char_string type: character-coded text string access: read only mechanism: by descriptor--fixed-length string descriptor
Remote user name of the proxy about which information is being requested. The rem_user argument is the address of a character-string descriptor pointing to the user name string.A remote user name consists of 1 to 32 alphanumeric characters, including dollar signs ($), underscores (_), and brackets ([ ]). Any lowercase characters specified are automatically converted to uppercase.
The rem_user argument can be specified in user identification code (UIC) format ([group, member]). Brackets are allowed only if the remote user name string specifies a UIC. Group and member are character-string representations of octal numbers with no leading zeros.
Asterisk (*) and percent sign (%) wildcards are allowed for the remote user specification. If you specify wildcards for the rem_user argument, the server searches the entire proxy database for matches to the remote node and remote user you specified. If a match is found, information about the matched proxy is returned. See the Description section for information about retrieving information about multiple proxies.
buffer_sizes
OpenVMS usage: return length block type: array of 4 words (unsigned) access: write only mechanism: by reference
Array of return lengths for various input buffers. The buffer_sizes argument is the address of an array of four words with the following format.
The following table defines the buffer sizes fields.
| Descriptor Field | Definition |
|---|---|
| Proxy user length | Return length (in bytes) of the rem_user argument. The proxy user length field contains a value in the range of 0 to 32. A value of 0 in this field indicates that the service has failed or that there was no match for the user specified by the rem_user argument. |
| Proxy node length | Return length (in bytes) of the rem_node argument. A value of 0 in this field indicates that the service has failed or that there was no match for the node specified by the rem_node argument. The proxy node length field contains values in the range of 0 to 1024. |
| Local users count | Number of local users associated with the matched proxy. The local users count field contains a value in the range of 0 to 16. A value of 0 indicates that the matched proxy had no local users. |
| Default user length | Return length (in bytes) of the default_user argument. The default user length field contains a value in the range of 0 to 32. A value 0 in this field indicates that the matched proxy did not have a default user. |
| OpenVMS usage: | char_string |
| type: | character-coded text string |
| access: | write only |
| mechanism: | by descriptor--fixed-length string descriptor |
The descriptor's buffer must be 1024 bytes long to receive a node name. The length of the returned node name is specified by the proxy node length field returned in the buffer specified by the buffer_sizes argument.
| OpenVMS usage: | char_string |
| type: | character-coded text string |
| access: | write only |
| mechanism: | by descriptor--fixed-length string descriptor |
The descriptor's buffer must be 32 bytes long to receive a user name. The length of the returned user name is specified by the proxy user length field returned in the buffer specified by the buffer_sizes argument.
| OpenVMS usage: | char_string |
| type: | character-coded text string |
| access: | write only |
| mechanism: | by descriptor--fixed-length string descriptor |
The descriptor's buffer must be 32 bytes long to receive a user name. The length of the returned user name is specified in the default user length field in the buffer specified by the buffer_sizes argument.
| OpenVMS usage: | buffer |
| type: | array of 0 to 16 user name buffers |
| access: | write only |
| mechanism: | by reference |
Each element in the array is a 36-byte block with the following format.
The following table defines the local users fields.
| Descriptor Field | Definition |
|---|---|
| User name length | Length (in bytes) of the associated username string. The length can be in the range of 1 to 32 bytes. |
| Username | A fixed 32-byte blank padded character string containing a local user name associated with the matched proxy. |
The buffer specified by the local_users argument must be able to contain up to 16 user name buffers. Therefore, the buffer length must be 576 bytes.
The number of elements returned in the buffer is specified in the local users count field returned in the buffer specified by the buffer_sizes argument.
| OpenVMS usage: | context |
| type: | longword (unsigned) |
| access: | write only |
| mechanism: | by reference |
The initial value contained in the longword pointed to by the context argument must be 0. The contents of the unsigned longword must not be changed after the service has set its value. If the contents of the buffer pointed to by the context argument are changed between calls to the $SHOW_PROXY service, the service will return SS$_BADCONTEXT.
Contexts become invalid after one-half hour of non-use. This means that if you call the $SHOW_PROXY service with a wildcard rem_node and rem_user, and do not call the service to get the next matching record within one-half hour, the context becomes invalid. If the context has become invalid, the search starts over at the beginning of the database, not where you left off with your last call to the service.
The Show Proxy service returns to the caller all information about a specified proxy in the proxy database.Wildcards can be specified for the rem_node and rem_user arguments. Because $SHOW_PROXY can return information about only one matching proxy at a time, you must call this service repeatedly with the context argument to retrieve information about all matching proxies. $SHOW_PROXY returns SS$_NOMOREITEMS when information about all of the matching proxies has been returned. No proxy information is returned from the call that returns the SS$_NOMOREITEMS status.
$SHOW_PROXY requires access to the proxy database. To achieve access, the caller must have SYSPRV or BYPASS privilege, or a UIC group less than or equal to the MAXSYSGRP system parameter.
None
$ADD_PROXY, $DELETE_PROXY, $VERIFY_PROXY
SS$_NORMAL The service completed successfully. SS$_ACCVIO The rem_node or rem_user argument cannot be read by the service; or the buffer_sizes, proxy_node, proxy_user, default_user, or local_users argument cannot be written by the service; or the context argument cannot be read or written by the service. SS$_BADBUFLEN The length of the rem_node, rem_user, proxy_node, proxy_user, default_user, or local_users argument was out of range. SS$_BADCONTEXT The context argument did not contain a 0 on the first call to the service, or the context argument's values changed between consecutive calls to the service. SS$_NOMOREITEMS Information about all proxies matching the specification of the rem_node and rem_user arguments has been returned by the service. SS$_NOREADALL The caller does not have access to the proxy database. This service can also return any of the following messages passed from the security server, or any OpenVMS RMS error message encountered during operations on the proxy database. SECSRV$_NOSUCHUSER The specified local user does not exist in the proxy's local user list, or is not the proxy's default user. SECSRV$_NOSUCHPROXY The proxy specified by the rem_node and rem_user arguments does not exist in the proxy database. SECSRV$_PROXYNOTACTIVE Proxy processing is currently stopped. Try the request again later. SECSRV$_SERVERNOTACTIVE The Security Server is not currently active. Try the request again later.
| Previous | Next | Contents | Index |
|
|
| privacy and legal statement | ||
| 4527PRO_085.HTML | ||