[Info-vax] To MIME or not to MIME
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Aug 2 08:35:19 EDT 2018
On 2018-08-01, Dave Froble <davef at tsoft-inc.com> wrote:
>
> Well, yes, don't use VMS for mail. Plenty of other platforms in use by
> those who deal with mail. VMS doesn't do so. But in many cases this
> doesn't distract from the usefullness of VMS.
>
I'm amused/sad that in 2018 we still need to have a detailed discussion
about how to read MIME messages on VMS.
>
> What surprises me is that there has not been one comment on Brian's
> practice to run things from the SYSTEM (I'm guessing) user account with
> a default directory of SYS$MANAGER:. I've always read that such is a
> good recipe for disaster. Guess I've been reading the wrong stuff.
>
Actually, I wrote such a comment and then I deleted it before posting
as I was expecting one of your "there goes Simon again, telling people
how to run their systems..." type responses and I didn't have enough
time at that point to get drawn into _that_ discussion. :-)
However, on a related matter, does the MIME utility drop the user's
privileges before processing the incoming MIME message ?
If it doesn't, I would strongly advise against running the MIME utility
from a privileged account in case someone finds a way to send you a
malformed email message that can trigger a vulnerability in the MIME utility.
Actually, thinking about it, it may be a good idea not to run the MIME
utility from a privileged account anyway because, if the vulnerability
turned out to be the execution of shellcode, then the shellcode could
probably just turn the privileges back on anyway.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
More information about the Info-vax
mailing list