Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!ames!lll-tis!ptsfa!ihnp4!cuae2!ltuxa!ttrdc!levy
From: levy@ttrdc.UUCP
Newsgroups: comp.os.vms
Subject: Re: installed images and security (resent)
Message-ID: <1888@ttrdc.UUCP>
Date: Sun, 30-Aug-87 17:48:54 EDT
Article-I.D.: ttrdc.1888
Posted: Sun Aug 30 17:48:54 1987
Date-Received: Tue, 1-Sep-87 00:42:14 EDT
References: <8708280950.AA25855@ucbvax.Berkeley.EDU>
Organization: AT&T, Skokie, IL
Lines: 26

In article <8708280950.AA25855@ucbvax.Berkeley.EDU>, DIEHL%iravcl@germany.CSNET (Arno Diehl) writes:
> Using [privileged program] there *is* a way to read *any* protected
> file, if the directory containing that file allows at
> least EXECUTE-access. (The reason is one of the various
> SET FILE ... commands)
>
> --> DO NOT INSTALL ANY PROGRAM THAT READS USERFILES USING
> SYSPRV PRIVILEGE UNLESS YOU ARE *VERY* SURE THAT IT IS
> SECURE!!!

I think this has already revealed the secret to anyone who has access to
online help or the VMS manuals and who has even half a brain.

Incidentally, the same caution should apply to implementors of privileged
programs on any operating system which supports a similar function (I know
of at least one other than VMS which does, but at least that system provides
ready support for the privileged program to detect whether this is the case
with a file it is being asked to read).

Another bugaboo to watch out for is logical names. Privileged programs
should be carefully written so as not to be tripped up by redefinitions of
SYS$INPUT, SYS$OUTPUT, SYS$ERROR, TT:, and the like.
--
|------------Dan Levy------------|  Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
|         an Engihacker @        |        vax135}!ttrdc!ttrda!levy
| AT&T Computer Systems Division |  Disclaimer: i am not a Yvel Nad
|--------Skokie, Illinois--------|