Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site ucbvax.BERKELEY.EDU
Path: utzoo!watmath!clyde!burl!ulysses!ucbvax!UWAV4.BITNET!02335
From: 02335@UWAV4.BITNET
Newsgroups: mod.computers.vax
Subject: BITNET mail follows
Message-ID: <8603110825.AA09938@ucbvax.berkeley.edu>
Date: Tue, 11-Mar-86 03:25:23 EST
Article-I.D.: ucbvax.8603110825.AA09938
Posted: Tue Mar 11 03:25:23 1986
Date-Received: Wed, 12-Mar-86 06:06:22 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 69
Approved: info-vax@sri-kl.arpa

>
>[The previously posted fix to the VMS 4.2 security hole was not complete...
> I *hope* this one is!]
>
>Everyone should add the following 2 lines to SYSTARTUP:
>
>  $ SET ACL/OBJ=LOGICAL/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_TABLE
>  $ SET ACL/OBJ=LOGICAL/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_DIRECTORY
>
>*** Failure to do this will allow anyone who's read the network news ***
>*** to do anything they please on your system.                       ***
>
>If there are any groups that *mix* privileged and non-privileged users,
>the relevant group tables should be explicitly created and protected
>in SYSTARTUP as well.  The closest I've been able to come from DCL is:
>
>  $ SET UIC [xxx,0]
>  $ CREATE/NAME/EXEC/PAR=LNM$SYSTEM_DIRECTORY /PROTECTION=(S:RWED,O,G:R,W) -
>      LNM$GROUP_000xxx
>  $ SET ACL/OBJ=LOGICAL/ACL=((ID=[xxx,*],ACCESS=READ),(ID=[*,*],ACCESS=NONE))-
>      LNM$GROUP_000xxx
>
>where 'xxx' is the exactly-3-digit group number.
>

I think this way is cleaner...

For what it's worth, here is what I have in our startup procedure:

  $! Protect system logical tables
  $!
  $ SET ACL/OBJ=LOGICAL/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_TABLE
  $ SET ACL/OBJ=LOGICAL/ACL=(ID=[*,*],ACCESS=READ) LNM$SYSTEM_DIRECTORY
  $!
  $! Create the group 11 and 12 logical tables
  $!
  $ RUN/INPUT=NLA0:/UIC=[11,0] SYS$SYSTEM:LOGINOUT
  $ RUN/INPUT=NLA0:/UIC=[12,0] SYS$SYSTEM:LOGINOUT
  $!
  $! Protect group tables for groups 11 and 12 (these have mixed users)
  $!
  $ SET ACL/OBJ=LOGICAL/ACL=((ID=[11,*],ACCESS=READ),-
        (ID=[*,*],ACCESS=NONE)) LNM$GROUP_000011
  $ SET ACL/OBJ=LOGICAL/ACL=((ID=[12,*],ACCESS=READ),-
        (ID=[*,*],ACCESS=NONE)) LNM$GROUP_000012
  $!

The trick here is that once a process is created under a given uic, the
group table will be created and will exist until the next crash or shutdown.

I hope this makes things easier, it sure did for me!

Tony Andrea
Engineering Computer Services
University of Washington

BITNET:      02335 at UWAV4
ARPA/CSNET:  02335%uwav4.bitnet@wiscvm.arpa
DECnet:      VAX4::02335
Phone:       (206)543-0499
Mail:        Computer Services
             374 Loew Hall, FH-10
             University of Washington
             Seattle, WA 98195

*** Standard denial of everything...