[Info-vax] How do I make zip, unzip etc. available to all users?

Sat Jan 9 11:18:29 EST 2016

On 2016-01-09 15:30:52 +0000, abrsvc said:

>> 
>> Live patches have been around for Unix for a while with now-at-Oracle 
>> Ksplice, and similar capabilities has been added to Linux 4.   That 
>> kernel patching infrastructure is, of course, a non-trivial part of how 
>>  far behind OpenVMS is, in this area.   OpenVMS can't manage to unload 
>> device drivers, for that matter.
> 
> I'm not convinced that allowing kernel level patching is a god thing 
> with a running system.

Few will, either.  Certainly not until after they've tested the 
operations on a non-critical server.

>  Doesn't that provide a rather large invitation to problems?

Doesn't not-patching invite rather large (known) problems?

> How much easier would it be to install viruses at the OS level should 
> this be allowed?

How many folks here have downloaded a pre-built version of zip and 
unzip from somewhere?   That's a far simpler path than installing 
malware via a live-patch.   (Who do you go after, if you want to nail 
an OpenVMS system?   Start with Hunter, Brian and Jur.   More than a 
few OpenVMS sites trust those folks with our servers, after all.  Be 
patient.  See where your malware gets.)

How many folks are down-revision on their server versions and patches?  
 That's far simpler than malware via a live-patch.

If you're in the pre-millennial era with your applications and servers 
and have your servers entirely firewalled in your DC, maybe you don't 
patch.   But when somebody gets 'phished and prints a PDF to a 
down-revision printer that happens to be located on the cluster LAN, 
that's simpler than installing a live-patch.

If your servers are entirely walled off in the DC, maybe you have 
credentials embedded in the configuration or there's telnet or ftp in 
use or your administrators get themselves phished for their creds.   
That's simpler than acquiring malware via a live-patch.

Now if the servers are network-accessible or web-facing or if you 
correctly do not trust that your network and your infrastructure is 
actually wholly isolated from The Bad People — which is a situation 
that more than a few of the OpenVMS servers I deal with are in — 
then... you might have a problem with down-revision software.  Prompt 
patching is the usual solution.

Live-patching can potentially help with application uptime, if your 
applications can't tolerate failures and aren't coded for fail-over or 
checkpoint-restart.

Now there could certainly be some improvements made to the tools used 
for verification and application signing — I believe I've occasionally 
mentioned that network transport and certificate security is 
ever-so-slightly problematic on OpenVMS — that'd be a welcome 
improvement.   The core security implementation on OpenVMS is based on 
decade-outdated and long-deprecated CDSA open-source code.    
Interestingly, AFAICT the HPE folks seem to have decided to bypass the 
integrated CDSA tools for their current kit-signing implementation, 
too.  Not that anything could be inferred from that decision, of course.

So.... sure.... Yes.  It's possible there'll eventually be malware 
acquired via live-patching.   We should be so lucky, really.

-- 
Pure Personal Opinion | HoffmanLabs LLC