[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications

Tad Winters tad.vms at gmx.com
Fri May 14 23:20:17 EDT 2021


On 5/14/2021 10:35 AM, Simon Clubley via Info-vax wrote:
> On 2021-05-14, Mark Berryman <mark at theberrymans.com> wrote:
>> On 5/14/21 6:37 AM, Simon Clubley wrote:
>>> On 2021-05-13, Mark Berryman <mark at theberrymans.com> wrote:
>>>> On 5/13/21 11:58 AM, Simon Clubley wrote:
>>>>>
>>>>> All you have been able to demonstrate is that someone with detailed
>>>>> knowledge of VMS (ie: you) and the time to experiment has been able
>>>>> to implement something that addresses my concerns, and only by outright
>>>>> denying network access to the captive account.
>>>>
>>>> Wrong.  I did not.  There was no denying network access whatsoever.
>>>
>>> Yes, you did Mark. You used the f$mode() technique followed by an
>>> explicit logout and that's an outright blocker for the modes you
>>> want to deny. I've used the same technique myself in the past for
>>> the same reason.
>>
>> Quoting from my original posting, here are the contents of the captive
>> procedure I used:
>>
>>> $ @ssl111$com:ssl111$cert_tool.com
>>> $ logout
>>
>
> That's from your first example Mark which also outright denies
> access to network mode by means of the logout statement without
> even checking any modes.
>
> Your second example, which does use f$mode(), and is a better way
> to achieve this, also outright denies access to network mode, but
> in a more controlled way.
>
> Simon.
>

I used f$mode() long before I made a CAPTIVE account.  In fact,
management, at multiple companies, didn't know enough to even ask for
such accounts.  The last company at which I implemented CAPTIVE
accounts, I was asked to give some "help desk" people the ability to
create accounts for others.  _I_ chose how to implement this.  _I_
decided on how to limit them.  _I_ locked them into a menu that allowed
them to enter the new user's full name, then my command procedure found
an unused member number of the only group to which they could be added,
and created a username based on the entered full name, but unique.  The
procedure then creates the account and displays the full output from
AUTHORIZE.  They then get to select to accept it or not.  If they do not
accept it, it is deleted.  If it is accepted, the user directory is
created with the correct owner and protection mask, the appropriate
login command procedure is put in place, and likely some other items
were set up.  The "help desk" users also set application permissions
through the same menu.  Since I created that setup more than 15 years
ago, it's hard to remember all the details, but I had it tightly locked
down.

The interesting thing is that there was no one known to me in that
company that had near the knowledge of the operating system, but not
because they didn't have as much time to learn about it.  Rather, they
didn't have the interest.  They were more concerned about the business,
and ultimately they finished their transition to Windows.

They have not managed to always keep Windows secure.  There were many
Windows Administrators.  VMS was not exploited during my tenure.

One thing I will say about management, is that they will demand lower
security when it suits their purposes.  I did work for a company where
the management insisted they wanted the VMS password minimum length to
be four (4) characters.  Ouch.  Fortunately, it was behind a firewall.
Still, the VMS system wasn't compromised.  I don't know about their
other systems.

In the end, I was a programmer who was interested in making best use of
the operating system, in a shared way.  I was interested in the
operating system features.  I explored it and read about it.  The
president of the software company, where I worked, subscribed to DEC
Professional, and I read every issue I found.  In fact, I took every
issue home, when they were throwing them out.  I think I still have
them.  So you see, it was not that I needed special training paid for by
my employer, though I sure wish I could have attended a DEC Symposium,
but I just wanted to know.  Unfortunately, I never had opportunity to
create a cluster with VMS.
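The f$mode() technique debated in the quoted exchange above, written out as an added example rather than code from either poster: a captive-account login procedure that ends any session not running in INTERACTIVE mode before it presents a menu, so network and batch logins never reach the menu. The menu contents and the use of the CAPTIVE flag are assumptions for illustration, not something the thread shows.

```dcl
$! Added example: LOGIN.COM for an account created with
$! AUTHORIZE /FLAGS=CAPTIVE (CAPTIVE disables Ctrl-Y and escape to DCL).
$! The procedure itself decides which login modes it will serve.
$ SET NOON
$ mode = F$MODE()
$!
$! F$MODE() returns INTERACTIVE, BATCH, NETWORK or OTHER.
$! Anything but an interactive terminal session is logged out at once,
$! so a DECnet task-to-task connection cannot use this account.
$ IF mode .NES. "INTERACTIVE"
$ THEN
$    WRITE SYS$OUTPUT "Login in ''mode' mode is not permitted for this account."
$    LOGOUT/BRIEF
$ ENDIF
$!
$! Only interactive sessions get here. Restricted menu (hypothetical):
$ MENU:
$    WRITE SYS$OUTPUT ""
$    WRITE SYS$OUTPUT "  1. Show process quotas"
$    WRITE SYS$OUTPUT "  2. Show system time"
$    WRITE SYS$OUTPUT "  3. Exit"
$    INQUIRE choice "Choice"
$    IF choice .EQS. "1" THEN GOTO QUOTAS
$    IF choice .EQS. "2" THEN GOTO TIME
$    IF choice .EQS. "3" THEN GOTO DONE
$    WRITE SYS$OUTPUT "Invalid choice."
$    GOTO MENU
$ QUOTAS:
$    SHOW PROCESS/QUOTAS
$    GOTO MENU
$ TIME:
$    SHOW TIME
$    GOTO MENU
$ DONE:
$! Explicit logout: the user never falls through to a DCL prompt.
$ LOGOUT/BRIEF
```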
