[Info-vax] VMS and MFA?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Aug 20 12:02:16 EDT 2020
On 2020-08-20 07:12:01 +0000, Dave Froble said:
> I'm aware there are multiple methods to achieve desired results. But
> I'm curious, why get into the complexity of rightslist entries?
That's using OpenVMS enforcement for access.
> A captive account, with a menu of possible apps to run, pretty much
> locks a user into just those apps. Of course a menu utility that
> allows for custom menus for each user makes this simple. If a user
> somehow gets out of the allowed apps, being captive, the process is
> killed.
The difference here is that OpenVMS enforces the access, in addition to
whatever enforcement logic is in the captive command procedure.
This approach is likely on the assumption that a captive command
procedure—any app, for that matter—might be vulnerable.
And it means that the site folks don't have to mess with the DCL
procedure to change access, and don't need to implement their own
user-to-access mapping.
Sandboxes use a similar approach, though those can permit or can block
APIs beyond what OpenVMS considers security-relevant objects. (As
differentiated from OOP.)
In a way of consideration around isolation and permissions, sandboxes
are to identifiers as identifiers are to UIC-based protections.
--
Pure Personal Opinion | HoffmanLabs LLC
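
An added illustration of the identifier-based enforcement discussed in this message (not part of the original post and not code from either participant): a DCL command procedure that gates an application image behind a rights identifier, so OpenVMS itself refuses access to non-holders regardless of what the captive menu procedure does. The identifier PAYROLL_APP, the username SMITH and the file path are hypothetical.

```dcl
$! Constructed example; PAYROLL_APP, SMITH and the file path are assumptions.
$!
$! 1. Create a rights identifier for the application and grant it to
$!    each user who is allowed to run it.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER PAYROLL_APP
GRANT/IDENTIFIER PAYROLL_APP SMITH
EXIT
$!
$! 2. Remove group and world access from the image and add an ACL that
$!    lets holders of the identifier read and execute it. ACEs are
$!    matched in order, so the trailing ACE denies everyone else.
$ SET SECURITY/CLASS=FILE -
    /PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) -
    /ACL=((IDENTIFIER=PAYROLL_APP,ACCESS=READ+EXECUTE),(IDENTIFIER=*,ACCESS=NONE)) -
    DISK$APPS:[PAYROLL]PAYROLL.EXE
$!
$! 3. Confirm the resulting protection mask and ACL.
$ SHOW SECURITY/CLASS=FILE DISK$APPS:[PAYROLL]PAYROLL.EXE
$!
$! 4. Changing who has access later is a rights-list change only;
$!    the captive menu procedure is not edited.
$ RUN SYS$SYSTEM:AUTHORIZE
REVOKE/IDENTIFIER PAYROLL_APP SMITH
EXIT
```

A captive account whose menu offers this image still needs to hold PAYROLL_APP to activate it, so a flaw in the menu procedure does not by itself grant access to the application.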