[Info-vax] VMS and MFA?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Fri Aug 21 18:22:54 EDT 2020
On 2020-08-21 13:58:45 +0000, geze... at rlgsc.com said:
Google Groups quoting has seemingly become an even bigger trash-fire?
I might have to write a macro to untangle that quote.
> On Thursday, August 20, 2020 at 9:51:54 PM UTC-4, Dave Froble wrote:
>> On 8/20/2020 6:22 PM, geze... at rlgsc.com wrote:> > On Thursday, August
>> 20, 2020 at 4:07:48 PM UTC-4, Dave Froble wrote:> >> On 8/20/2020 12:45
>> PM, geze... at rlgsc.com wrote:> >>> On Thursday, August 20, 2020 at
>> 12:02:21 PM UTC-4, Stephen Hoffman wrote:> >>>> On 2020-08-20 07:12:01
>> +0000, Dave Froble said:> >>>>> >>>>> I'm aware there are multiple
>> methods to achieve desired results. But> >>>>> I'm curious, why get
>> into the complexity of rightslist entries?> >>>> That's using OpenVMS
>> enforcement for access.> >>>>> A captive account, with...
>
> Writing one's own security system separate from the underlying OS
> creates, at a minimum, the potential for a rupture between the OS-level
> security and the local security code. The gap or inconsistency leads to
> hazards. I have seen applications with elevated privileges and
> roll-your-own security. This is a bad combination.
That'd be typical.
My favorite "fun" with home-grown security code in some app or layered
product. Some app returns SS$_NOPRIV, for instance. Looking for the
trigger for that error in the system logs is then an exercise in
frustration.
Home-grown code can work great, but code that gets some investments
generally has better features and more capabilities, as well as other
advantages. Work on home-grown code can get to the good-enough stage,
and then tends to slow or stop.
OpenVMS itself suffers from cases where some common operations are
effectively re-written multiple times and separately across various
OpenVMS facilities—file handling is one of the more common cases—and
the results of each write or rewrite tend to fall short of a more
complete and more packaged and more polished and more maintainable
approach.
Security code in particular tends to be subtle. Such as an app
reporting an access error for an accessor with a system UIC and without
an ALL-class privilege, when the system mask should have been selected
and used for the case.
--
Pure Personal Opinion | HoffmanLabs LLC
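
The failure mode in the last paragraph of the message above, as an added example that is not part of the original post: a simplified C model of UIC-based protection checking in which a home-grown check never selects the system mask. The function names, sample UICs, protection values and the MAXSYSGROUP value are constructed assumptions, and ACLs and privileges are left out of the model.

```c
#include <stdio.h>

/* Simplified model of OpenVMS UIC-based protection (S,O,G,W).
   ACLs and privileges (BYPASS, READALL, SYSPRV, GRPPRV) are omitted. */
enum { ACC_R = 1, ACC_W = 2, ACC_E = 4, ACC_D = 8 };
#define MAXSYSGROUP 010u   /* assumption: system-group threshold, octal 10 */

struct uic  { unsigned group, member; };
struct prot { unsigned sys, own, grp, wld; };  /* access bits per category */

/* Constructed sample: file owned by [200,10], S:RWED,O:RWED,G:R,W: (none) */
static const struct uic  FILE_OWNER = { 0200, 010 };
static const struct prot FILE_PROT  = { 15, 15, ACC_R, 0 };

static int same_uic(struct uic a, struct uic b)
{ return a.group == b.group && a.member == b.member; }

/* Hypothetical home-grown check: picks owner, group or world and never
   considers the system category, so a system UIC is treated as world. */
int homegrown_check(struct uic who, struct uic owner, struct prot p, unsigned want)
{
    unsigned mask = same_uic(who, owner) ? p.own
                  : who.group == owner.group ? p.grp : p.wld;
    return (mask & want) == want;
}

/* Modelled check: grant if any category the accessor qualifies for
   grants the access, including system for groups up to MAXSYSGROUP. */
int category_check(struct uic who, struct uic owner, struct prot p, unsigned want)
{
    if ((p.wld & want) == want) return 1;
    if (who.group == owner.group && (p.grp & want) == want) return 1;
    if (same_uic(who, owner) && (p.own & want) == want) return 1;
    if (who.group <= MAXSYSGROUP && (p.sys & want) == want) return 1;
    return 0;
}

int main(void)
{
    struct uic sysuser = { 01, 04 };   /* constructed system UIC [1,4] */
    printf("home-grown: %d, with system mask: %d\n",
           homegrown_check(sysuser, FILE_OWNER, FILE_PROT, ACC_R),
           category_check(sysuser, FILE_OWNER, FILE_PROT, ACC_R));
    return 0;
}
```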