[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.

[John Reagan]

On Monday, November 14, 2016 at 7:33:15 PM UTC-5, Stephen Hoffman wrote:
> On 2016-11-14 19:30:42 +0000, John Reagan said:
> 
> > Did you see Hoff's suggestion that you don't even need your own .CLD?
> 
> That, and that this approach is UTTERLY INSECURE?
> 
> > - Copy SUBMIT.EXE to SUBMIT_WITH_CMKRNL.EXE
> > - Apply sufficient protection/ACLs to SUBMIT_WITH_CMKRNL.EXE
> > - Install SUBMIT_WITH_CMKRNL.EXE with CMKRNL
> > - Prior to using the SUBMIT command, define a /USER logical SUBMIT to 
> > point to SUBMIT_WITH_CMKRNL.EXE
> > - Use normal SUBMIT command but it will use SUBMIT_WITH_CMKRNL.EXE 
> > (assuming you have access to the .EXE)
> 
> Did I mention that you should just GRANT CMKRNL to EVERYBODY, because 
> at least that's being honest about the COMPLETE INSECURITY of this 
> approach?
> 
> 
> -- 
> Pure Personal Opinion | HoffmanLabs LLC

It isn't quite that bad.  Reusing SUBMIT.EXE with an ACL like

(IDENTIFIER=JREAGAN,ACCESS=READ+EXECUTE)
(IDENTIFIER=[*,*],ACCESS=NONE)

does trust that I just do

SUBMIT/USER=OUR_SPECIAL_ACCOUNT FOO.COM

and not

SUBMIT/USER=SYSTEM FOO.COM

where FOO.COM is

MCR AUTHORIZE MODIFY JREAGAN /PRIV=SETPRV

The better method is to write a separate program that uses $SNDJBC with a hardcoded USERNAME argument; install that program with CMKRNL; and protect it with 

(IDENTIFIER=JREAGAN,ACCESS=READ+EXECUTE)
(IDENTIFIER=[*,*],ACCESS=NONE)

I was just pointing out that if one wants to re-use SUBMIT.EXE, you can get away without making your own .CLD which will break come the day we add something to SUBMIT.EXE/SUBMIT.CLD and the old SUBMIT_CLONE.CLD doesn't have the new DCL syntax.