From:	HENRY::IN%"OZ%wiscpsl.bitnet%wiscvm.wisc.edu%csnet-relay.CSNET%relay.cs.net@RCA.COM"  3-OCT-1987 02:58
To:	EVERHART%ARISIA%RCA.COM@csnet-relay.csnet
Subj:	RE: Finger

> As a result of the security bug found in Finger, I proposed a few weeks
> ago a temporary patch to prevent Finger from reading FINGER.PLN with
> privilege.
>
> ...

I'm sending this direct in case it's not worth posting to INFO-VAX.
You can post it if it proves useful (or if it's wrong and you want
to publicly embarrass me).

The SYS$CHECK_ACCESS system service would be ideal for this, I think.
It checks if a given user can access a given object (file). I think
SYS$CHECK_ACCESS takes into account identifiers granted to the user,
as well as UIC. You might experiment with it and make sure it really
works as I expect it does. Here's an example of a FORTRAN function
that calls SYS$CHECK_ACCESS:

        integer function CHECK_PLN(USER,DEV,DIR)
        include '($ACLDEF)'
        include '($ARMDEF)'
        include '($CHPDEF)'
        character*(*) USER              ! username
        character*(*) DEV,DIR           ! default device and directory
        record /ITMLST3/ ITMLST(2)

        ITMLST(1).ITMCOD=CHP$_ACCESS
        ITMLST(1).BUFLEN=4
        ITMLST(1).BUFADR=%loc(ARM$M_READ)
        ITMLST(2).ITMCOD=0
        CHECK_PLN=SYS$CHECK_ACCESS(ACL$C_FILE,DEV//DIR//'FINGER.PLN',
        1       USER,ITMLST)
        RETURN

        END