Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!nrl-cmf!ukma!psuvm.bitnet!cunyvm!unknown
From: rrk@byuvax.bitnet
Newsgroups: comp.os.vms
Subject: Re: Logical Names & CMU-TEK IP print spooler
Message-ID: <35rrk@byuvax.bitnet>
Date: Tue, 1-Dec-87 22:57:49 EST
Article-I.D.: byuvax.35rrk
Posted: Tue Dec  1 22:57:49 1987
Date-Received: Sun, 6-Dec-87 04:47:39 EST
Lines: 58

Your message demonstrates three things:

1. VMS $sndjbc system service must have a bug concerning concealed devices.
    I have seen it treat concealed devices correctly.  It would take some
    work on the system to determine exactly why yours isn't getting parsed
    correctly.
     
2. (Already known to me) a 28-byte structure is communicated by $sndjbc
    by which it can easily open the file without a file name.  This includes:
    (16 byte) device id, (6 byte) directory id (for removing directory entry
    on auto-delete, I guess), (6 byte) file ID.  This is used by DEC's
    symbionts, instead of file name, to open files.  THE ONLY SECURE WAY
    TO WRITE A SYMBIONT IS TO OPEN FILES BY FILE-ID.  The VMS utility routines
    manual incorrectly documents that the writer of the input routine may
    choose to open a file by either file-id or file name.  The writer may
    indeed choose to open by file name, but in so doing, he breaches the
    security of the system:

3.  The third conclusion is obvious:  CMU is using the file name to open
    the file, and hence breaches the security of your system:

If you don't believe me that your symbiont is insecure, find a directory
from which your symbiont correctly.  Create a command procedure which does
something like the following:

$ create x.x;1 sys$input
$ print/delete/q=/char=128 x.x;1
$ delete x.x;1
$ set file/enter=x.x;1 

Then run this from a totally non-privileged user's account.

Then from the same account, noting which job was queued by the procedure,
use
$ set que/entry=nnn/nochar 
to release the job.

I am just writing this off the top of my head.  If it doesn't work as given,
something similar will work and will print (or do whatever "CMU" does) AND
delete a file which the user shouldn't be able to touch.

The writer of a VMS symbiont, if he gets into torture, could theoretically
open the file by name and then check to make sure the ID fields in the NAM
block match those of the file just opened, but this is obtuse, and unnecessary,
and 10 to 1 the writer of your symbiont didn't--There is no reason to do
this.

In short, the writer of software which runs with system privilege (such
as your symbiont) should be responsible for privilege questions, although
DEC should have been more responsible for their documentation.  I've reported
the documentation problem to DEC (1-800-etc.) and they verified that it
is misdocumented, but I haven't seen new documentation fix it.  I would
talk gently to CMU (assuming the above test works) and suggest a change
in their input routine.

                                   Ray Whitmer
                                   AMMON: w