Manualshelf

OSF DCE Application Development Guide--Introduction and Style Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series
81828384858687888990
Security
server identities, then it needs to check the returned value against the acceptable ones.
The list of acceptable values must be obtained and maintained by the client by some
means of its own choosing: for example, a principal name could be obtained from an
environment variable. The only security issue here is that the client must be sure that the
list of acceptable values is a legitimate one. For example, it must not be stored in such a
way that a false server can modify it.
The task of maintaining a list of acceptable principal names can be simplified somewhat
by having all acceptable principals belong to a single group that is maintained by some
trusted authority, such as a system administrator. The client then needs to maintain only
the name of the group, rather than the whole list of principal names. To be sure that the
server is authentic, the client need only check the principal name returned by
rpc_mgmt_inq_server_princ_name( ) against the group by calling sec_rgy_pgo_is_-
member( ).
The following code fragment demonstrates this scheme.
3.3.7.1 The is_valid_principal Routine
The is_valid_principal() routine checks the group membership of the specified
principal.
/******
*
*
* is_valid_principal -- Find out whether the specified principal is a
* member of the group he’s supposed to be.
*
*
******/
boolean32 is_valid_principal(
unsigned_char_t *princ_name, /* Full name of principal to test. */
unsigned_char_t *group, /* Group we want principal to be in. */
unsigned32 *status)
{
unsigned_char_t *local_name; /* For principal’s local name. */
char *cell_name; /* Local cell name. */
sec_rgy_handle_t rhandle; /* Local registry binding. */
boolean32 is_valid; /* To hold result of registry call. */
fprintf(stdout, "sample_client: Initial principal name == %s0, princ_name);
fprintf(stdout, "sample_client: Initial group name == %s0, group);
/* Find out the local cell name... */
dce_cf_get_cell_name(&cell_name, status);
124246 Tandem Computers Incorporated 3 15