[Info-vax] Apache + mod_php performance
Mark Daniel
mark.daniel at wasd.vsm.com.au
Fri Oct 11 19:08:52 EDT 2024
On 12/10/2024 08:13, Craig A. Berry wrote:
>
> On 10/11/24 1:56 PM, Dan Cross wrote:
8< snip 8<
>> Surely the device protection field here is misleading, at best?
>
> Well, you _can_ change the values:
>
> $ show security/class=device bg111
>
> _BG111: object of class DEVICE
> Owner: [SYSTEM]
> Protection: (System: RWPL, Owner: RWPL, Group: RWPL, World: RWPL)
> Access Control List: <empty>
>
> $ set security/class=device/protection=(w:r) bg111
> $ show security/class=device bg111
>
> _BG111: object of class DEVICE
> Owner: [SYSTEM]
> Protection: (System: RWPL, Owner: RWPL, Group: RWPL, World: R)
> Access Control List: <empty>
>
> Note that World is now read, but write, physical, and logical have been
> removed. But I don't really know if that accomplished anything. It
> seems unlikely that BGDRIVER would just fill in values in a template
> that don't mean anything, but testing out exactly what the protections
> get you sounds like work.

Bit fiddly but to show the protections apply the original BG_EXAMPLE.C
was modified to wait for a read from the telnet connection

  chan = decc$get_sdc (csock);
  printf ("chan: %d\n", chan);
  if (!chan) return (vaxc$errno);
  cptr = GetBgDevice (chan);
  printf ("BgDevice: |%s|\n", cptr);
  memset (buf, 0, sizeof(buf));
  count = recv (csock, buf, sizeof(buf), 0);
  printf ("count: %d |%s|\n", count, buf);
  if (count <= 0) return (vaxc$errno);

and the executable installed to provide the SHARE privilege for an
otherwise unprivileged account

X86VMS$ install replace DKA100:[SCRATCH]bg2_example.exe /priv=share

The listener output then became

X86VMS$ mcr []bg2_example
accept()
chan: 304
BgDevice: |BG11402:|

The SYSTEM account (fully privileged) could write to the socket

X86VMS$ mcr []bg2_example BG11402:
sys$setprv() %X00000001
sys$assign() %X00000001
sys$qiow() 14 %X00000001 %X00000001
write() 14 %X00000001

%TELNET-I-SESSION, Session 01, host localhost, port 8765
-TELNET-I-ESCAPE, Escape character is ^]
abcdefghij
klmnopqrst

As could the unprivileged account (using the INSTALLed SHARE privilege)

12-OCT-2024 09:26:08.36 User: MGD Process ID: 000045A3
Node: X86VMS Process name: "MGD"
Authorized privileges:
NETMBX TMPMBX
Process privileges:
NETMBX may create network device
TMPMBX may create temporary mailbox

X86VMS$ mcr []bg2_example BG11402:
sys$setprv() %X00000001
sys$assign() %X00000001
sys$qiow() 14 %X00000001 %X00000001
write() 14 %X00000001

but after modifying the BG device security (pasted as quotation to
circumvent wrapping)

> X86VMS$ set sec BG11402: /class=device /prot=(world)
> X86VMS$ show dev /full BG11402:
>
> Device BG11402:, device type unknown, is online, mounted, record-oriented
> device, network device, mailbox device.
>
> Error count 0 Operations completed 2
> Owner process "FTA10_SYSTEM" Owner UIC [SYSTEM]
> Owner process ID 00001599 Dev Prot S:RWPL,O:RWPL,G:RWPL,W
> Reference count 1 Default buffer size 256

X86VMS$ mcr []bg2_example BG11402:
sys$setprv() %X00000001
sys$assign() %X00000024
write() -1 %X0000013C
X86VMS$ exit %X00000024
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
X86VMS$ exit %X00000024

while the owner (SYSTEM) continued to have access

X86VMS$ mcr []bg2_example BG11402:
sys$setprv() %X00000001
sys$assign() %X00000001
sys$qiow() 14 %X00000001 %X00000001
write() 14 %X00000001

--
Anyone, who using social-media, forms an opinion regarding anything
other than the relative cuteness of this or that puppy-dog, needs
seriously to examine their critical thinking.
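
Added example, not part of the original post: a small Python audit that reads captured `show dev /full` text and reports BG devices whose "Dev Prot" field still grants World any access, the condition under which the SHARE-privileged account above could assign a channel. The function names and the BG111 record are assumptions; that record is constructed in the same layout, using the World: RWPL protection shown for BG111 earlier in the thread.

```python
import re

CATEGORIES = {"S": "system", "O": "owner", "G": "group", "W": "world"}

def parse_dev_prot(field):
    """Turn 'S:RWPL,O:RWPL,G:RWPL,W' into {category: set of access letters}."""
    prot = {name: set() for name in CATEGORIES.values()}
    for item in field.split(","):
        cat, _, access = item.strip().partition(":")
        name = CATEGORIES.get(cat.upper())
        if name:
            prot[name] = set(access.upper())  # a bare 'W' means World has no access
    return prot

def world_accessible(show_dev_text, prefix="BG"):
    """Map each device whose name starts with prefix to the access World holds,
    leaving out devices where World has none."""
    findings, device = {}, None
    for line in show_dev_text.splitlines():
        header = re.match(r"\s*Device\s+([\w$]+):", line)
        if header:
            device = header.group(1)  # remember which record we are in
        prot = re.search(r"Dev Prot\s+(\S+)", line)
        if prot and device and device.startswith(prefix):
            world = parse_dev_prot(prot.group(1))["world"]
            if world:
                findings[device] = "".join(c for c in "RWPL" if c in world)
    return findings

# Sample input: the BG11402 record follows the output quoted in the post;
# the BG111 record is constructed for this example.
SAMPLE = """\
Device BG111:, device type unknown, is online, mounted, record-oriented
    device, network device, mailbox device.
    Owner process ID    00001599    Dev Prot    S:RWPL,O:RWPL,G:RWPL,W:RWPL

Device BG11402:, device type unknown, is online, mounted, record-oriented
    device, network device, mailbox device.
    Owner process ID    00001599    Dev Prot    S:RWPL,O:RWPL,G:RWPL,W
"""

if __name__ == "__main__":
    for dev, access in world_accessible(SAMPLE).items():
        print(f"{dev}: World has {access}")
```
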