[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu May 13 15:05:22 EDT 2021
On 2021-05-13 18:26:09 +0000, Dave Froble said:
> If a captive account needs network access, then something is very wrong
> in the design of the apps and implementation.
I tend to use networking, mailboxes, and/or subsystem identifiers to
partition the unprivileged and the privileged activities.
So some apps do have NETMBX.
OpenVMS unfortunately doesn't have anything akin to XPC services, or
sandboxing, or pledge, so we end up creating our own—with the
trade-offs and risks inherent.
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html
And this whole discussion is plunging toward discussions of app
sandboxing, an area where OpenVMS expects much and provides little.
And toward discussions of sandboxing and pledges that can restrict
where a given app can connect should that app be exploited, for
instance.
And of DCL networking, which is largely still stuck in the antediluvian era.
--
Pure Personal Opinion | HoffmanLabs LLC
More information about the Info-vax
mailing list