[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications

Dave Froble davef at tsoft-inc.com
Wed May 12 20:13:07 EDT 2021 

On 5/12/2021 1:34 PM, Simon Clubley wrote:
> On 2021-05-12, Dave Froble <davef at tsoft-inc.com> wrote:
>> On 5/12/2021 8:10 AM, Simon Clubley wrote:
>>>
>>> As I have already mentioned, someone can also copy a command procedure
>>> of their choosing to the captive account using FAL and then execute the
>>> command procedure using one of the two methods.
>>>
>>
>> Ok. who can create and copy the command procedure?
>>
>
> Now you are just trolling David. However, just in case you really
> are serious:

I am very serious.

> Anyone on the network with a DECnet client and an editor. The DECnet
> client doesn't even have to be a VMS-based DECnet client.
>
>> If limiting activity to the captive account, just how does it get these
>> command procedures, and how does it copy them?
>>
>
> They are pushed to the captive account from across the network.
> They are not pulled from the captive account.

How does this happen, unless they have write access to the UIC of the 
captive account?  If they have write access, then they are authorized to 
do so.

> To stop this, you have to make absolutely 100% sure that network
> mode access is blocked in the captive account. Apart from configuration
> mistakes or omissions that might be made in this area, then for some
> usage cases you simply cannot do that.

Makes me wonder if you actually use VMS ...

>> What you're assuming is that a user already has these authorized
>> capabilities, and if so, then it is "authorized capabilities".
>>
>
> Well, that's a load of nonsense David.

No, that is exactly what we are discussing.

Any user can only do what they are authorized to do.  They cannot access 
any files they do not have access to.  They cannot place files in any 
directory they do not have access to.

> A user may be authorised to do whatever they want in a non-privileged
> account or on another non-critical machine on the network but they are
> restricted to a specific workflow when using the captive account on the
> target machine.
>
> That doesn't stop them from creating a command procedure with the commands
> they would like to run (but are blocked from doing so in their authorised
> accounts) and then copying it to the captive account where they can
> actually execute those commands.

If they do not have access, as in write privs, to the captive account, 
they just how does that happen?


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486

More information about the Info-vax mailing list