Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!amdcad!ames!ucbcad!ucbvax!VENUS.YCC.YALE.EDU!LEICHTER
From: LEICHTER@VENUS.YCC.YALE.EDU ("Jerry Leichter ", LEICHTER-JERRY@CS.YALE.EDU)
Newsgroups: comp.os.vms
Subject: re: Tightening Security
Message-ID: <8801082327.AA20868@ucbvax.Berkeley.EDU>
Date: 7 Jan 88 17:04:00 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 27


	      I am attempting to tighten security here at our site.  I wish to
	remove NETMBX privileges to secure from the hole in DECNET with
	respect to MAIL.

This is the second time I've seen almost these exact words, from the same
author, I believe; but I've heard of no "security hole" anywhere else.  Are
you talking about the ability to forge who VMS MAIL is from?  If so, you are
imposing a rather large inconvenience on users by removing NETMBX for a rather
minor increase in security; I wouldn't want to place bets on mail return
addresses being unforgeable even without NETMBX.  (Certainly any security
would only be on the single system - any system that could talk DECnet to
it could lie.)

If this is NOT what you are talking about, could you at least indicate where
you heard of this hole, and give a brief description of what is being compro-
mised?  {You needn't, and shouldn't, provide enough detail for others to make
use of the hole, but it should be possible to describe it well enough so that
system managers can determine if it is a problem for them.)

	     [Removing NETMBX and installing MAIL with NETMBX works, but] is
	there a way to remove NETMBX and continue to allow users to SET HOST
	or is it wishful thinking?

Try INSTALLing SYS$SYSTEM:RTPAD.EXE with NETMBX; it's the image SET HOST
runs.
							-- Jerry