[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Mon May 10 15:47:16 EDT 2021
On 2021-05-10, Some Dude <dgordonatvsi at gmail.com> wrote:
> On Monday, May 10, 2021 at 2:20:19 PM UTC-4, Simon Clubley wrote:
>> I have come across some very unexpected DECnet Phase IV functionality
>> while I was looking at the FAL specification.
>>
>> Did you know that you can directly submit batch jobs using FAL from
>> across the network without having to go anywhere near a command prompt
>> on the target system ? The command procedure runs on SYS$BATCH on
>> the target system as the user you have logged into with FAL on the
>> target system.
>
> What Simon omits is that you are required to provide login credentials (absent a default FAL
> account which would leave your system vulnerable to many more interesting things.)
>
Er, Doug, that is implicit in how FAL and task-to-task communications
work. Just because someone thought that adding a feature to a protocol
or making it enabled by default was a good idea, doesn't mean that it
is, especially these days.

The whole point of running this by VSI first was that I found the
presence of this functionality to be very surprising, especially given
that the FAL specification says implementations should not have such
functionality.

It might also be surprising to someone setting up a DECnet network
that wasn't aware of these little extra features, especially given
how they relate to captive accounts.

> The response from VSI also included:
>
> As such, outside the inherent security problems with the unencrypted DECnet transport
> itself...
>
I wonder if this works over one of the DECnet to TCP/IP protocols ?
Unfortunately, I don't have the setup to test that out.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.