[Info-vax] The best VMS features, was: Re: openvms renaming file

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon May 28 17:41:06 EDT 2018


On 2018-05-28, Arne Vajhøj <arne at vajhoej.dk> wrote:
>
> If we agree that there are valid reasons to have both EXEC and
> KRNL mode, then let us get to whether we need two privs CMEXEC
> and CMKRNL or just one CMKRNL.
>
> De facto then both CMEXEC and CMKRNL imply full privs. So
> there is no security difference.
>

I see what you are saying now. Given the way you worded it, I thought
you were maybe thinking I was talking about $CMEXEC the system service,
not CMEXEC the privilege.

> But there can be other reasons.
>
> Protection against mistakes. If some code is supposed
> to only call SYS$CMEXEC but not SYS$CMKRNL and only
> get granted CMEXEC then it will actually fail if it
> mistakenly calls SYS$CMKRNL.
>

Technically you are correct, but I suspect there would be a whole
set of bugs in the code encountered first before that one was hit
(and missed during peer review).

> (malicious code could call SYS$CMEXEC and then
> SYS$CMKRNL but we are talking buggy code not
> malicious code here)
>
> Encapsulation. If the rule about EXEC mode
> always allowing SYS$CMKRNL was ever changed, then
> having two privs will save a lot of spillover
> changes.
>

I suspect there would have to be a major rewrite of parts of VMS
(and associated applications) before that happened.

> Documentation. CMEXEC priv to call SYS$CMEXEC and
> CMKRNL priv to call SYS$CMKRNL is sort of easy
> to remember. CMKRNL priv to call SYS$CMEXEC is
> a bit confusing.
>

$ set response/mode=good_natured

Of course, the official way to get into supervisor mode does
kind of damage that argument. :-)

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


