[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications

Thu May 13 13:58:57 EDT 2021

On 2021-05-13, Mark Berryman <mark at theberrymans.com> wrote:
> On 5/12/21 10:14 PM, Simon Clubley wrote:
> > .
> > .
> > .
>> The point is that if they have network access, they can copy over
>> a filename of their choosing to the captive account and then execute
>> that file while still in network access mode, without ever having
>> to go anywhere near an interactive login in order to execute the
>> command file they have just transferred.
>> 
>
> As I believe I have effectively demonstrated, no they can't.  Why do you 
> continue to exist they can?
>

No you haven't Mark. There's no way in hell that you have even come
_close_ to demonstrating that.

All you have been able to demonstrate is that someone with detailed
knowledge of VMS (ie: you) and the time to experiment has been able
to implement something that addresses my concerns, and only by outright
denying network access to the captive account.

Now what about the average system manager or someone who has been given
some VMS systems to manage along with other systems but is not a VMS expert ?

What if they fail to write the perfect captive command procedure which
falls through instead of doing an explicit logout ?

What if they actually _do_ need to allow network access to the captive
account so files can be dropped into the account for later processing ?

In your worldview Mark, are these people solely responsible for any VMS
security issues simply because they didn't fully grasp the security
implications of some unknown to them concepts specific to VMS such as
task-to-task communications and remote batch submission ?

Did they even think about these concepts in the first place because the
documentation wasn't explicit enough about pointing out the security
implications of this functionality ?

In your worldview Mark, are they expected to read every single page
of the VMS documentation, eventually find the bit about SUBMIT/REMOTE
and then magically connect that to the captive account they setup ?

VMS should be secure by default and have multiple layers of protection
to help stop people from doing the wrong thing by mistake.

This is why I am annoyed with Doug's dismissive response. At a technical
level, he is correct. At a practical level, he is wrong because DECnet
should have some better controls than it currently does, with active
functionality disabled especially for captive accounts until explicitly
enabled by the system manager for an account.

So no Mark, you have not even come close to demonstrating that,
especially for systems which might be managed by people without the
level of knowledge that you have.

Simon.

PS: I wonder how many people have read my postings about this and
have then promptly gone off to check their captive account setups
in light of the active functionality I have highlighted ?

I wonder how many of them promptly found issues which they have now fixed ?

To those of you who did, you are welcome and I'm glad I could help.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.