[Info-vax] Why is INSTALL.EXE privileged?

VAXman- at SendSpamHere.ORG
Sat Feb 12 19:09:10 EST 2011


In article <4d571209$1 at ns.langstoeger.at>, peter at langstoeger.at (Peter 'EPLAN' LANGSTOEGER) writes:
>In article <00AAAE54.CC4D0B43 at SendSpamHere.ORG>, VAXman- at SendSpamHere.ORG writes:
>>In article <4d56c01b$1 at news.langstoeger.at>, peter at langstoeger.at (Peter 'EPLAN' LANGSTOEGER) writes:
>>>The nice (youtube) video on openvmshobbyist.org reminded me of a question I
>>>had (in the '80s and) long forgotten:
>>
>>Yawn!  I'm still not convinced that these guys found these vulnerabilities
>>without someone pointing them out to them.  They're clearly uninitiated on
>>VMS and the way they go about some of this is ridiculous.
>
>But they finally succeeded. So imagine a VMS-initiated bad guy...
>
>I still don't fully understand how they succeeded with the finger client.
>Maybe I sometimes temporarily switch to UCX and start to try it myself.
>
>Btw: No, TCPWARE:FINGER.EXE isn't required to be installed with privs
>(but you need the finger server enabled/started to have it working)

I've never enabled FINGER.  I thought it was a stupid feature when I worked
in the DoD labs and I still do.  However, a poorly written application that
is installed on VMS is not a VMS weakness and these jokers who could barely
spell VMS if you spotted them the V and the M never made that point clear.



>>Anyway, the so-called CLI bug, which was in SMG, has been patched.  
>
>Anyway, I still don't understand why images destined for system managers
>are installed with system privileges, so that normal users can use them
>as well (only sometimes intentionally - for a subset of the functions)...

I don't know that either.  Save that it does permit Joe Average to have
a look-see at what is or is not installed.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

All your spirit rack abuses, come to haunt you back by day.
All your Byzantine excuses, given time, given you away.
