[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Dave Froble
davef at tsoft-inc.com
Thu May 13 10:33:12 EDT 2021
On 5/13/2021 8:13 AM, Simon Clubley wrote:
> On 2021-05-13, Tad Winters <tad.vms at gmx.com> wrote:
>>
>> So you're saying that you want _one_ flag on a user account to not only
>> restrict interactive access to the defined login command procedure, but
>> to actually allow no other kinds of access? Perhaps the setting of that
>
> No. Some way of leaving the passive network file access capabilities
> active while disabling the active functionality by default.
>
> As hard as it might be for some people around here to understand this,
> security is a moving target and a design created several decades ago
> might just possibly need changing to reflect modern security knowledge
> and issues.
>
>> flag should implicitly mark the account with /NOBATCH /NONETWORK
>> /NOREMOTE. Maybe you'd also like to use /PWDMINIMUM=30? Should
>> AUTHORIZE confirm the login command procedure exists and then SET
>> SECURITY/CLASS=FILE/PROTECTION=(WORLD) {the command procedure filename}?
>>
>> Maybe AUTHORIZE should audit the content of the login command procedure
>> to make sure it will work as you intend. It will then also need to
>> translate SYS$SYLOGIN and audit that command procedure as well.
>>
>> What else do you need it to do?
>>
>
> People might think they are being clever with comments like this,
> but in reality it just makes them look ossified.
>
> Simon.
>
Perhaps it makes them appear knowledgeable and they realize how and why
to implement specific security, based upon real world requirements.

I'm not saying that everyone that ever managed a VMS system practiced
security, but many did, and do.

Most drivers keep their car on the road. If some don't, and end up
wrapped around a tree, is that the fault of the car? Perhaps today,
with self driving technology appearing, the car might avoid the trees,
but, just how new is that technology, and are we to scrap all cars
without it?
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486