Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site ucbvax.BERKELEY.EDU
Path: utzoo!decvax!bellcore!ulysses!mhuxr!mhuxn!ihnp4!ucbvax!info-vax
From: garry@GEOLOGY ("Garry Wiegand ", et al)
Newsgroups: mod.computers.vax
Subject: Re: VMS security problem
Message-ID: <8602082235.AA05396@ucbvax.berkeley.edu>
Date: Sat, 8-Feb-86 17:36:21 EST
Article-I.D.: ucbvax.8602082235.AA05396
Posted: Sat Feb 8 17:36:21 1986
Date-Received: Sun, 9-Feb-86 02:12:02 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: "Garry Wiegand (et al)"
Organization: The ARPA Internet
Lines: 34
Approved: info-vax@sri-kl.arpa

[The previously posted fix to the VMS 4.2 security hole was not
complete... I *hope* this one is!]

Everyone should add the following 2 lines to SYSTARTUP:

$ SET ACL/OBJ=LOGICAL/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_TABLE
$ SET ACL/OBJ=LOGICAL/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_DIRECTORY

*** Failure to do this will allow anyone who's read the network news ***
*** to do anything they please on your system.                       ***

If there are any groups that *mix* privileged and non-privileged users,
the relevant group tables should be explicitly created and protected in
SYSTARTUP as well. The closest I've been able to come from DCL is:

$ SET UIC [xxx,0]
$ CREATE/NAME/EXEC/PAR=LNM$SYSTEM_DIRECTORY /PROTECTION=(S:RWED,O,G:R,W) -
    LNM$GROUP_000xxx
$ SET ACL/OBJ=LOGICAL/ACL=((ID=[xxx,*],ACCESS=READ),(ID=[*,*],ACCESS=NONE)) -
    LNM$GROUP_000xxx

where 'xxx' is the exactly-3-digit group number.

Note: I have not been able to find a way for a non-privileged user to use
ACL's to break a "JOB" or "PROCESS" table --- but it seems like it ought
to be do-able. Anyone know?

This is the third time (at least) this bug has been mentioned on the net --
be nice to your neighboring system gurus -- PASS THE WORD.

garry wiegand
garry%geology@cu-arpa
------
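The following command procedure is an added example and is not part of Garry Wiegand's post. It packages the post's SYSTARTUP commands into one procedure: the two system-table ACLs, then one pre-created and protected group table per 3-digit group number passed in P1 as a comma-separated list, with a SHOW ACL read-back of every table it touches so the result is visible in the startup log. The generalisation beyond the post is the loop over several groups and the read-back; the table names, protection mask and ACL entries are the post's own. Assumptions: /OBJECT_TYPE=LOGICAL_NAME_TABLE is the unabbreviated form of the post's /OBJ=LOGICAL, SET UIC accepts the bracketed UIC string that F$GETJPI returns (so the caller's UIC can be restored afterwards, which the post's bare SET UIC does not do), and the procedure runs with the privileges SYSTARTUP normally has. The file name PROTECT_LNM_TABLES.COM is invented for the example; the procedure has not been exercised on a VMS 4.2 system.

```dcl
$! PROTECT_LNM_TABLES.COM -- added example, not code from the original
$! post.  Usage (from SYSTARTUP, with SYSTARTUP's privileges):
$!     $ @SYS$MANAGER:PROTECT_LNM_TABLES "200,210"
$! P1 is a comma-separated list of exactly-3-digit group numbers, written
$! the same way the post writes 'xxx'; P1 may be empty to protect only the
$! system tables.
$ SET NOON
$ saved_uic = F$GETJPI("", "UIC")       ! assumed usable with SET UIC below
$!
$! 1. System-wide tables: world gets READ only, so no unprivileged process
$!    can add or supersede a system logical name.
$ SET ACL/OBJECT_TYPE=LOGICAL_NAME_TABLE/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_TABLE
$ SET ACL/OBJECT_TYPE=LOGICAL_NAME_TABLE/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_DIRECTORY
$ SHOW ACL/OBJECT_TYPE=LOGICAL_NAME_TABLE LNM$SYSTEM_TABLE
$ SHOW ACL/OBJECT_TYPE=LOGICAL_NAME_TABLE LNM$SYSTEM_DIRECTORY
$!
$! 2. Group tables for groups that mix privileged and non-privileged users:
$!    create each one in executive mode, owned by [grp,0], readable by the
$!    group and invisible to everyone else, before any group member logs in.
$ IF P1 .EQS. "" THEN GOTO DONE
$ i = 0
$GROUP_LOOP:
$   grp = F$ELEMENT(i, ",", P1)
$   IF grp .EQS. "," THEN GOTO DONE     ! F$ELEMENT returns "," past the end
$   i = i + 1
$   IF F$LENGTH(grp) .EQ. 3 THEN GOTO GROUP_OK
$   WRITE SYS$OUTPUT "Skipping ''grp': group number must be exactly 3 digits"
$   GOTO GROUP_LOOP
$GROUP_OK:
$   table = "LNM$GROUP_000" + grp
$   SET UIC ['grp',0]
$   CREATE/NAME_TABLE/EXECUTIVE_MODE/PARENT_TABLE=LNM$SYSTEM_DIRECTORY -
        /PROTECTION=(S:RWED,O,G:R,W) 'table'
$   SET ACL/OBJECT_TYPE=LOGICAL_NAME_TABLE -
        /ACL=((ID=['grp',*],ACCESS=READ),(ID=[*,*],ACCESS=NONE)) 'table'
$   SHOW ACL/OBJECT_TYPE=LOGICAL_NAME_TABLE 'table'
$   GOTO GROUP_LOOP
$DONE:
$ SET UIC 'saved_uic'                   ! put the caller's UIC back
$ EXIT
```

SET NOON is deliberate: a failure on one group table should not stop the rest of SYSTARTUP, which is why each table is followed by a SHOW ACL, so an entry that did not take is visible in the startup log rather than silently missing.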