[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Nov 9 10:06:25 EST 2016
On 2016-11-08 13:11:17 +0000, Roy Omond said:
While certainly expedient, I'm cautious around whether this "XUBMIT"
approach is secure. Where do the logs and notifications and the rest
go, for instance? Can the logs be written, or can something be
intentionally overwritten? Are logs always created and always
preserved? Can a random user simply access the installed "XUBMIT.EXE"
image — possibly with their own verb-extracted XUBMIT definition if
that's the "protection" here, or by redirecting SUBMIT to XUBMIT via
logical name with the existing verb definition — and submit their own
"goodies" to execute under some other specified username, for instance?
> You *really* have to work with the current SUBMIT command language definition.
Which can change from time to time, too. Plan to have to fix this
"XUBMIT" approach on occasion.
> The one you found in Sys$Update: is ancient and no longer corresponds
> to your current SUBMIT.EXE image.
That is an OpenVMS bug.
--
Pure Personal Opinion | HoffmanLabs LLC
More information about the Info-vax
mailing list