[Info-vax] prevent user login during and after startup

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed Sep 17 14:24:46 EDT 2014 

On 2014-09-17 17:55:35 +0000, bdhobbs18 at acm.org said:

> OP responding to some of the replies.
> 
> Abrsvc mentioned modifying sylogin.com and using "set log/int=0".  I'm 
> kind of leaning toward this, but that's going to involve more code, 
> testing, reboots ... sigh.  Hmm, there doesn't appear to be a lexical 
> for login limit.

f$getsyi("IJOBLIM")

Also see the startup login symbol startup$interactive_logins in the VMS 
docs.  That is how you have the startup not enable access.

Definitely check ssh, as at one point that did not honor SET 
LOGIN/INTERACTIVE=0

>  I guess I'll have to parse the "set log" output.

I know it's a stretch here, but Google is a very good resource — until 
VSI gets their business in gear, pretty much every VMS question ever 
asked has been answered.

> Bob Gezelter and David Froble mentioned the TCPIP command procedures.  
> "Toto, I've a feeling we're not in Kansas anymore."  The UCX command 
> procedures appear to be very different from the later TCPIP command 
> procedures and not as clear.  Heck, I had to edit one of them because 
> it had the wrong count for a list of services.  The start of the telnet 
> service is buried in with the other services, not an independent 
> startup command procedure.

Fossil versions have fossil problems and fossil doc.

TCP/IP Services V5.0 and later uses the TCPIP$ prefix.  Prior to that 
used the UCX prefix.

> VAXman mentioned the system should boot without me having "to perform 
> any manual system schtuff".  That's what I'm trying to get to, but 
> those pesky users want to use the system NOW!

Get rid of OPER privilege.  This is far from the first time somebody 
has tried to implement privileges for privileges.  That's what you're 
doing, after all — privileges for privileges.

Get rid of OPER, and this particular problem goes away.  Possibly some 
other problems, too, depending on what else OPER is being (mis)used for.

Possibly slightly more politic: announce that those folks with 
privileged usernames including OPER are responsible for maintaining and 
monitoring the system integrity, particularly given their exalted 
privileged stature.    They're privileged users, and expectations are 
higher.  If they screw up and log in when logins are disabled, yank 
OPER privilege.  If you're really feeling charitable, put a message to 
this effect in SYLOGIN.COM.


>  My predecessors made some significant (and, I think, peculiar) changes 
> to the system.  For instance, there is no sys$batch queue, though there 
> is a system$batch queue.  The CLI tables file has been butchered, that 
> took me a while to figure out why some of my DCL was not working as 
> expected.  It's a mess.

Usual path out is a reinstallation and a migration to a saner environment.

> VAXman and Stephen Hoffman mentioned an alternate sysuaf.dat.  
> Occasionally I escape work and I have to explain to the poor sap taking 
> my place what to do.  I think a modified sylogin.com and explaining 
> "set log/int=0" would be easier than explaining an alternate sysuaf.dat 
> and extra reboots.

I do think that addressing the actual problem and not continuing to 
dance around it — get rid of OPER privilege — is far more direct?

> Jim Carpenter mentioned that the CHARON-VAX emulator can use the host's 
> clock.  I believe our version (3.1, 2005 Aug 22) does not have that 
> option, but I'll check that again.

Fossil versions for the headaches.

Might want to check and see of CHARON-VAX has a console port 
capability.   SIMH has that, and that'd give you a path into the server 
via the (emulated) OPA0: for a look around.

> Martin Vorländer mentioned "UCX> set configuration enable NOservice 
> telnet".  My UCX documentation doesn't show this command and I'd be 
> afraid that the "NOservice" might delete the telnet service if it did 
> work.
> 
> VAXman mentioned sysman startup.  I'm not familiar with sysman, but I 
> poked around a bit, lots of shows.  I didn't find UCX or telnet, I 
> suspect I may be doing it wrong.

You're probably invoking UCX$STARTUP in SYSTARTUP_VMS.COM.  You'll not 
find UCX / TCP/IP startup in SYSMAN.


> I'm going to try re-doing the telnet service to see if I can get it 
> disabled at startup.  If that doesn't work, then I'll try the modified 
> sylogin.com and "set log/int=0" command.  Unless someone posts 
> something better ...

Fix the actual problem.  Yank OPER.  Clean up the mess.  Upgrade to 
more current versions.

Seriously: if you do not have the support of your management to start 
to fix this stuff, then you're doomed from the start — you're just 
continuing the same path that led to what you're seeing, and you're in 
an untenable position.   Explain what you've discussed here to your 
boss, and show what the effort will be to allow these folks to continue 
to have their privileges, versus the effort involved with using the 
supported mechanisms and with non-privileged users; with TMPMBX and 
NETMBX and not OPER, or higher privileges.  (OPER, BTW, can be used to 
cause other system chaos when in the right — wrong? — hands.)

-- 
Pure Personal Opinion | HoffmanLabs LLC

More information about the Info-vax mailing list