[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Dave Froble
davef at tsoft-inc.com
Thu May 13 00:45:52 EDT 2021
On 5/13/2021 12:25 AM, Simon Clubley wrote:
> On 2021-05-12, Dave Froble <davef at tsoft-inc.com> wrote:
>> On 5/12/2021 1:34 PM, Simon Clubley wrote:
>>> On 2021-05-12, Dave Froble <davef at tsoft-inc.com> wrote:
>>>> On 5/12/2021 8:10 AM, Simon Clubley wrote:
>>>>>
>>>>> As I have already mentioned, someone can also copy a command procedure
>>>>> of their choosing to the captive account using FAL and then execute the
>>>>> command procedure using one of the two methods.
>>>>>
>>>>
>>>> Ok. who can create and copy the command procedure?
>>>>
>>>
>>> Now you are just trolling David. However, just in case you really
>>> are serious:
>>
>> I am very serious.
>>
>>> Anyone on the network with a DECnet client and an editor. The DECnet
>>> client doesn't even have to be a VMS-based DECnet client.
>>>
>>>> If limiting activity to the captive account, just how does it get these
>>>> command procedures, and how does it copy them?
>>>>
>>>
>>> They are pushed to the captive account from across the network.
>>> They are not pulled from the captive account.
>>
>> How does this happen, unless they have write access to the UIC of the
>> captive account? If they have write access, then they are authorized to
>> do so.
>>
>
> Because they use FAL to login _as_ the captive account. They do not
> log into FAL as themselves.
>
>>> To stop this, you have to make absolutely 100% sure that network
>>> mode access is blocked in the captive account. Apart from configuration
>>> mistakes or omissions that might be made in this area, then for some
>>> usage cases you simply cannot do that.
>>
>> Makes me wonder if you actually use VMS ...
>>
>
> I suspect you are in one of those moods of yours where you sometimes
> pretend not to understand anything in order to mess with people...
>
>>>> What you're assuming is that a user already has these authorized
>>>> capabilities, and if so, then it is "authorized capabilities".
>>>>
>>>
>>> Well, that's a load of nonsense David.
>>
>> No, that is exactly what we are discussing.
>>
>> Any user can only do what they are authorized to do. They cannot access
>> any files they do not have access to. They cannot place files in any
>> directory they do not have access to.
>>
>
> Captive accounts are unique in VMS in that the user gets access to
> an account with elevated privileges that you would never give them
> normally if they had free access to the account.
Where did "elevated privileges" come from? Not for my captive users.
That's a different topic. I'm talking about a user account with perhaps
TMPMBX and NETMBX.
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
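Simon's point in the quoted text is that the captive account itself must have network mode access blocked, so that nobody can reach it through FAL. The following DCL fragment, added here as an illustration and not taken from either poster, shows the two places that control is normally applied: the UAF record (via AUTHORIZE) and the account's own LOGIN.COM. The username CAPUSER is a placeholder; the exact flags and the use of LOGOUT rather than EXIT are assumptions for this example, and, as Simon notes, an account that genuinely has to receive files over DECnet cannot use the /NONETWORK setting at all.

```dcl
$! 1. Authorization record: deny network-mode logins outright.
$!    This is the control that stops FAL from running in the
$!    account's context; it is stronger than anything in LOGIN.COM.
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> MODIFY CAPUSER /FLAGS=(CAPTIVE,DISCTLY) /NONETWORK /NOBATCH
UAF> SHOW CAPUSER           ! confirm "Network" is listed as "-----  No access  ------"
UAF> EXIT
$!
$! 2. Defence in depth inside the captive LOGIN.COM: if a process
$!    somehow starts in network mode, end it before any menu runs.
$!    F$MODE() returns "NETWORK", "BATCH", "INTERACTIVE" or "OTHER".
$ IF F$MODE() .NES. "INTERACTIVE" THEN $ LOGOUT
$ SET NOCONTROL=Y
$ ON ERROR THEN $ LOGOUT
$! ... captive menu follows ...
```

The UAF change is the one to verify after any configuration change, because a LOGIN.COM check only runs if the network process gets as far as executing the login procedure.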