RE: API to swap GID

["David Morris" <David.Morris@xxxxxxxxxxxxx>]

Kenneth,

I have used the change effective user and change effective group quite

a bit to simulate adopted authority. To do that I wrote a pretty
complete
set of wrappers for them. One big limitation is that you cannot swap
supplemental groups. In that case you have to change profiles, and
swap.
I have found that changing effective user/group is much more
efficient.

There is a lot to consider when you implement this. I wanted to
duplicate
the functionality of adopted authority, which meant that I had to
register
exits so that authority would not linger beyond the call stack
boundary.
Also, you will have to make some choices on who can change to who. I
only
supported swaps to profiles the underlying user had *USE to. One
exception
I ran into was in server jobs. I also wanted to be able to stack
authorities
like adoption so I had to get into profile changes and profile swaps.

For now I will post snippets if you want and will think about making
the
whole thing open source. Here is something to get you started:


**************************************************************************

 * Prototype definitions
  *

**************************************************************************

 * Set effective Group ID

DqsySetEGID       PR            10I 0 EXTPROC('qsysetegid')

D PR_GID                        10I 0 value

 * Get effective group ID for a given group name (group profile)

DGetGrNam         PR              *   EXTPROC('getgrnam')

D PR_pName                        *   value options(*string)

 * Set effective User ID

DqsySetEUID       PR            10I 0 EXTPROC('qsyseteuid')

D PR_UID                        10I 0 value

 * Get effective User ID for a given name (profile)

DGetPwNam         PR              *   EXTPROC('getpwnam')

D PR_pName                        *   value options(*string)


PSetEUsr          B                   EXPORT

DSetEUsr          PI                  LIKE(RtnCod)

D CurUsr                        10A   CONST

D RtnCod          S             10I 0

 ***************************************************

 * Password structure as defined in QSYSINC/H(PWD) *

 ***************************************************

Dpasswd           DS                  BASED(pPasswd)

D ppw_name                        *

D pw_uid                        10I 0

D pw_gid                        10I 0

D ppw_dir                         *

D ppw_shell                       *

C                   EVAL      pPasswd = GetPwNam(CurUsr)

C                   EVAL      RtnCod = qsySetEUID(pw_uid)

C                   IF        RtnCod <> *ZEROS

C                   CALLP     SndUnixErr('Error setting effective
user')
C                   ELSE

C                   CALLP     SndMsg(*OMIT: 'Effective user set to ' +

C                               CurUsr)

C                   ENDIF

C                   RETURN    RtnCod

PSetEUsr          E


>>> keg@nwnatural.com 08/08/02 10:55AM >>>
Thanx Scott ... That's what I was looking for ... Now all I have to do
is
figure out if there is a practical way to utilize this API. I want to
design
a way to run under a different group profile within a job, without
having to
change a user profile's group profile attribute and then SWAP back to
the
same user.

I don't want to "reinvent the wheel" if someone has already done this.
If
anyone has put something together using these API's I'd love to take a
look
at what you've done.

Kenneth