Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!hao!ames!rutgers!rochester!cornell!batcomputer!tedcrane
From: tedcrane@batcomputer.tn.cornell.edu (Ted Crane)
Newsgroups: comp.os.vms
Subject: Re: DCL DECnet command procedure
Message-ID: <3018@batcomputer.tn.cornell.edu>
Date: Thu, 26-Nov-87 15:13:14 EST
Article-I.D.: batcompu.3018
Posted: Thu Nov 26 15:13:14 1987
Date-Received: Sun, 29-Nov-87 16:49:32 EST
References: <28rrk@byuvax.bitnet>
Reply-To: tedcrane@tcgould.tn.cornell.edu (Ted Crane)
Organization: Tompkins County Computing, Ithaca, NY
Lines: 50

In article <28rrk@byuvax.bitnet> rrk@byuvax.bitnet writes:
>If you set your print devices spooled, anyone on or off the system can print
>for free by copying to node::device:.

Only if there is a default DECnet account, proxy logins, or they supply an
explicit username/pswd string. Once again, the default DECnet account is the
security hole...if a system manager provides it, they are inviting others to
use it!

>I know of NO reason for ever making a device spooled, but most system managers
>do it anyway.

Well, in most if not all of the examples they provide, DEC suggests that this
be done. I agree with you--there isn't a whole lot of excuse to spool a device
(see caveat below), but you've got to argue with Dr.DEC as well as the
misguided system managers.

Caveat: some applications have a bad habit of printing by opening a file
directly to the line printer device (or equivalent). This is not a great idea,
really, but is usually the result of ported, updated, or just plain
resurrected old code. Sure, someone should rewrite the old code, but who?
Until then, spooled devices *sure are handy*!

>Another good idea is probably to enter a proxy for node::* to * so that
>all local users cannot access the local system via the DECNet account.
>(It is a very BAD idea to do such a wildcard proxy between two systems not
>managed by the same person, as it allows "superusers" of one system to exploit
>the other system by changing username).

Sure, I agree. But there are problems. First, you should avoid (like the
plague) setting proxies to privileged accounts. Do this by adding explicit
proxies to the list in addition to the one wildcard entry. Second, this scheme
requires that usernames be the same on all machines. Not impossible, but not
real likely, either. Clusters with a common SYSUAF help a lot here. Third,
*almost any* privileged user on any node can fake this system out. Once again,
we are relying on trustworthy users.

>I would disallow all access for the DECNET username except for mail (possibly).
>Why allow remote users to see all your directories, to execute com procedures,
>print files, see who's on the system, etc. If a manager doesn't worry about
>his network--I won't go so far as to say that he deserves to have his security
>compromised; no one deserves that--he can expect to have his security
>compromised.

The default DECnet account is a useful tool. Yes, it opens up a real can of
worms. This may be more than a security-minded manager can accept. But the
functionality you lose by removing it is significant. The manager should
provide replacement tools.

Has anyone considered something like this in the SYS$SYLOGIN procedure:

	$ if.eqs. - then set command/delete=

Not totally effective, yet worth a try.