[Info-vax] VMS and MFA?

geze...@rlgsc.com gezelter at rlgsc.com
Thu Aug 20 12:45:06 EDT 2020


On Thursday, August 20, 2020 at 12:02:21 PM UTC-4, Stephen Hoffman wrote:
> On 2020-08-20 07:12:01 +0000, Dave Froble said: 
> 
> > I'm aware there are multiple methods to achieve desired results. But 
> > I'm curious, why get into the complexity of rightslist entries?
> That's using OpenVMS enforcement for access.
> > A captive account, with a menu of possible apps to run, pretty much 
> > locks a user into just those apps. Of course a menu utility that 
> > allows for custom menus for each user makes this simple. If a user 
> > somehow gets out of the allowed apps, being captive, the process is 
> > killed.
> The difference here is that OpenVMS enforces the access, in addition to 
> whatever enforcement logic is in the captive command procedure. 
> 
> This approach likely rests on the assumption that a captive command
> procedure—any app, for that matter—might be vulnerable.
> 
> And it means that the site folks don't have to mess with the DCL 
> procedure to change access, and don't need to implement their own 
> user-to-access mapping. 
> 
> Sandboxes use a similar approach, though those can permit or can block 
> APIs beyond what OpenVMS considers security-relevant objects. (As 
> differentiated from OOP.) 
> 
> In a way of consideration around isolation and permissions, sandboxes 
> are to identifiers as identifiers are to UIC-based protections.
> -- 
> Pure Personal Opinion | HoffmanLabs LLC

Dave,

Hoff stated what I did not make explicit.

The rightslist identifiers controlled the display of the menu items. However, that was not the end of the configuration. The specific executables in the menu items were similarly protected with only the identifier granting execute access.

Of course, the creation, granting, and revocation of identifiers was, from the perspective of day-to-day use, completely encapsulated in a series of command procedures only usable by the designated supervisors. Besides the systems manager, no individuals had access to DCL outside of a captive command procedure.

- Bob Gezelter, http://www.rlgsc.com
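As an added illustration of the arrangement Bob describes (identifier gates the menu item, an ACE on the image gates execution, supervisors administer the identifier), this DCL is not from the post or from either site; the identifier PAYROLL_USER, user SMITH, APP$DIR:PAYROLL.EXE and MENU.COM are constructed placeholders, and the return format of F$GETJPI's RIGHTSLIST item is an assumption.

```dcl
$ ! Added example, not from the thread: the three pieces Bob describes,
$ ! wired to one constructed identifier. PAYROLL_USER, user SMITH and
$ ! APP$DIR:PAYROLL.EXE are placeholders, not values from the post.
$ !
$ ! 1. Supervisor-only administration (what the site wrapped in its own
$ !    command procedures): create the identifier, grant it to a user,
$ !    and make that user captive so the menu procedure is all they see.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER PAYROLL_USER
GRANT/IDENTIFIER PAYROLL_USER SMITH
MODIFY SMITH/FLAGS=(CAPTIVE,DISCTLY)/LGICMD=APP$DIR:MENU.COM
EXIT
$ !
$ ! 2. OpenVMS-enforced access to the image itself: no GROUP or WORLD
$ !    access through the UIC mask, then an ACL that grants EXECUTE to
$ !    identifier holders and nothing to everyone else. ACEs match in
$ !    order, so the catch-all entry must come last. This holds even if
$ !    a user somehow escapes the menu, which is Hoff's point above.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) APP$DIR:PAYROLL.EXE
$ SET SECURITY/ACL=((IDENTIFIER=PAYROLL_USER,ACCESS=EXECUTE),(IDENTIFIER=*,ACCESS=NONE)) APP$DIR:PAYROLL.EXE
$ !
$ ! 3. Inside the captive MENU.COM: show an item only when the process
$ !    holds the identifier. Assumption: F$GETJPI("","RIGHTSLIST") returns
$ !    the held identifier names as a comma-separated string.
$ RIGHTS = "," + F$GETJPI("","RIGHTSLIST") + ","
$ IF F$LOCATE(",PAYROLL_USER,", RIGHTS) .NE. F$LENGTH(RIGHTS)
$ THEN
$     WRITE SYS$OUTPUT "  2. Payroll"
$ ENDIF
$ ! ... read the choice, then RUN APP$DIR:PAYROLL.EXE for "2"; a user
$ ! without the identifier never sees the item and cannot run the image.
```

The menu test is convenience only; the ACE in step 2 is what actually denies the image to anyone not holding the identifier, independent of the procedure's logic.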
