Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!uunet!husc6!think!ames!ucbcad!ucbvax!MGHCCC.HARVARD.EDU!smith%eri.DECnet From: smith%eri.DECnet@MGHCCC.HARVARD.EDU ("ERI::SMITH") Newsgroups: comp.os.vms Subject: Security problem in DQS Message-ID: <8712050259.AA29107@ucbvax.Berkeley.EDU> Date: Fri, 4-Dec-87 15:40:00 EST Article-I.D.: ucbvax.8712050259.AA29107 Posted: Fri Dec 4 15:40:00 1987 Date-Received: Thu, 10-Dec-87 06:00:04 EST Sender: usenet@ucbvax.BERKELEY.EDU Reply-To: "ERI::SMITH"Organization: The ARPA Internet Lines: 38 In the process of installing DQS (the distributed queue service), I was mildly surprised to discover what looks to me like a fairly gross security problem with its installation procedure. I'm not a security maven. I don't think there's any harm in discussing it because if I've noticed it, it's obvious. And if I'm wrong and it's not a problem, I'd like someone to explain to me why it isn't. During VMSINSTAL, on a server node, DQS creates an account for its own use. More specifically, the account is for use by a network object that is part of DQS. It also creates a startup .COM file, to be invoked in your SYSTARTUP and executed whenever the system is booted. The file contains the NCP commands to DEFINE and SET the network object, and it contains the password for the account which the network object uses. In other words, it writes a permanent file which contains an account password in it. Worse yet, it's a file that a) is REALLY permanent, since it's going to be invoked by SYSTARTUP, b) is a file that has a well-defined name, resides in a well-defined place, and refers to an account that has a well-defined name and UIC. They encourage you to let the installation process generate a random password for you rather than choosing one yourself. Hey, it's better than "MANAGER". And the account is only authorized for network access. I mean, _I_ don't know enough to exploit the hole it produces. But I thought writing account passwords into files was a no-no. -------------------------------------------------------------------- Daniel P. B. Smith ARPA: smith%eri.decnet@mghccc.harvard.edu Eye Research Institute CompuServe: 74706,661 20 Staniford Street Telephone (voice): 617 742-3140 Boston, MA 02114 -------------------------------------------------------------------- "We are in great haste to construct a magnetic telegraph from Maine to Texas; but Maine and Texas, it may be, have nothing important to communicate."--Thoreau ------