[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Tue May 11 13:34:27 EDT 2021


On 2021-05-11, Dave Froble <davef at tsoft-inc.com> wrote:
> On 5/11/2021 9:08 AM, Simon Clubley wrote:
>> Due to unexpected functionality, if you can get to the captive account
>> via a network login, you can directly execute any DCL commands you choose
>> regardless of whatever the login command procedure does in terms of
>> interactive user input when you login from a terminal session.
>
> Not "unexpected functionality".
>
> A captive user, unless set up to do so, cannot create any command files.
> So no choices available.
>

You cannot protect against something you didn't know about or when the
security implications of that something were not explained well enough
in the manuals.

I only found out about the remote batch submission capability after
reading the FAL specification recently and that's from someone who
has been actively discussing security issues in VMS for a number of years.

BTW, does anyone know if there are similar submit on close or submit
on transfer complete functions in the implementation of the other VMS
communication protocols that would work just fine with captive accounts?

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


