[Info-vax] Problem with Filezilla connecting to OpenVMS

Bill Gunshannon bill.gunshannon at gmail.com
Tue Dec 11 14:05:27 EST 2018 

On 12/11/18 1:40 PM, Dave Froble wrote:
> On 12/11/2018 1:15 PM, Simon Clubley wrote:
>> On 2018-12-11, Dave Froble <davef at tsoft-inc.com> wrote:
>>> On 12/11/2018 8:39 AM, Bill Gunshannon wrote:
>>>> On 12/11/18 8:19 AM, Simon Clubley wrote:
>>>>>
>>>>> BSS could run privileged programs just fine, but BSS, unlike DCL,
>>>>> will never, ever, see the privileges of the program it has just
>>>>> started.
>>>>>
>>>>> The only way for BSS to get privileges is to be run by a privileged
>>>>> user.
>>>>>
>>>>
>>>> Well, it's probably a matter of semantics, but a Unix Shell can be
>>>> made to run  with privilege when started by an ordinary user, but
>>>> that requires using a feature that has been considered dangerous and
>>>> a bad idea (even by the man who created it) for a long time.
>>>>
>>>
>>>   From what you're writing, he still created it.  Then the question
>>> becomes, how many use the capability.  Perhaps security is based upon
>>> usage, regardless of the OS capabilities?
>>>
>>
>> It was a joke David. :-)
>>
>> To enable the option Bill is thinking of, Brian would already need
>> to have root level access.
>>
>> In VMS land, it would be like saying yes, I can write a program as
>> a non-privileged user that runs with full privileges provided you
>> give me the password to SYSTEM and then let me use INSTALL to install
>> my program will full privileges. :-)
>>
>> Simon.
>>
> 
> Our users require SYSLCK.  On VAX it was simple, for me.  On Alpha it 
> was much harder, for me.  Ok, Dave's a dummy.  It was still much harder 
> for me.
> 
> So, there is a UWSS, installed with privs, on every user system.  Can it 
> be a security issue?  I don't know.  I will admit that just about 
> anything could ultimately be a security issue.
> 
> First point, there are users with privs, and they can, and do, install 
> images with privs.  It happens.
> 
> Second point, which you just don't seem to get.  One does what one has 
> to do to get the job done.  Without that, YOU DON'T EXIST!  It's just 
> that simple.
> 
> So, can there be security issues?  Yes, there can, and most likely are. 
>   We do what we can.  Expect more, if you wish to do so.  Doesn't mean 
> you're being rational.  Doesn't mean you're going to get any satisfaction.
> 
> 

All true and all accurate.  The only thing that has change since
the good old days is the environment.  All it takes is one slip
and you could be financially ruined. Or, worse still, in trouble
with the government who can be relentless and have  infinitely
deep pockets to come after you.  Security is a serious problem.

Hmmmm.  Now it makes me wonder even more about DISA's move to
stop approving or even inspecting VMS systems.  Maybe the
reason was because they determined nothing could make it meet
the requirements because so  much was deeply ingrained in the
system design.  Too bad there is no one to ask any more.

bill

More information about the Info-vax mailing list