[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Wed May 12 13:34:35 EDT 2021
On 2021-05-12, Dave Froble <davef at tsoft-inc.com> wrote:
> On 5/12/2021 8:10 AM, Simon Clubley wrote:
>>
>> As I have already mentioned, someone can also copy a command procedure
>> of their choosing to the captive account using FAL and then execute the
>> command procedure using one of the two methods.
>>
>
> Ok. Who can create and copy the command procedure?
>
Now you are just trolling, David. However, just in case you really
are serious:

Anyone on the network with a DECnet client and an editor. The DECnet
client doesn't even have to be a VMS-based DECnet client.
> If limiting activity to the captive account, just how does it get these
> command procedures, and how does it copy them?
>
They are pushed to the captive account from across the network.
They are not pulled from the captive account.

To stop this, you have to make absolutely 100% sure that network
mode access is blocked in the captive account. Apart from configuration
mistakes or omissions that might be made in this area, then for some
usage cases you simply cannot do that.
> What you're assuming is that a user already has these authorized
> capabilities, and if so, then it is "authorized capabilities".
>
Well, that's a load of nonsense, David.

A user may be authorised to do whatever they want in a non-privileged
account or on another non-critical machine on the network but they are
restricted to a specific workflow when using the captive account on the
target machine.

That doesn't stop them from creating a command procedure with the commands
they would like to run (but are blocked from doing so in their authorised
accounts) and then copying it to the captive account where they can
actually execute those commands.

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.