From: CSBVAX::CSBVAX::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 24-DEC-1988 18:05
To: MRGATE::"ARISIA::EVERHART"
Subj: Re: Locking a terminal

Received: From KL.SRI.COM by CRVAX.SRI.COM with TCP; Fri, 23 DEC 88 13:28:02 PDT
Received: from ucbvax.Berkeley.EDU by KL.SRI.COM with TCP; Fri, 23 Dec 88 12:55:42 PST
Received: by ucbvax.Berkeley.EDU (5.61/1.33) id AA29675; Fri, 23 Dec 88 12:44:55 PST
Received: from USENET by ucbvax.Berkeley.EDU with netnews for info-vax@kl.sri.com (info-vax@kl.sri.com) (contact usenet@ucbvax.Berkeley.EDU if you have questions)
Date: 22 Dec 88 22:53:53 GMT
From: munnari!mimir!hugin!augean!sirius!simon@uunet.uu.net (Simon Hackett)
Organization: University Computing Services, University of Adelaide
Subject: Re: Locking a terminal
Message-Id: <197@sirius.ua.oz>
References: <816@auvax.UUCP>
Sender: info-vax-request@kl.sri.com
To: info-vax@kl.sri.com

From article <816@auvax.UUCP>, by terryt@auvax.UUCP (Terry Tanski):
> $ SET NOVERIFY
> $ SET NOCONTROL=(Y,T)
> $ SET TERM/NOECHO
> $RETRY:
> $ INQUIRE PASS_WORD "Password "
> $ IF PASS_WORD .NES. "{put your password here}" THEN GOTO RETRY
> $ SET TERM/ECHO
> $ SET CONTROL=(Y,T)
> $ EXIT

Sorry bub. Very, very insecure indeed. Unless you are really careful, there are all sorts of ways to get out of DCL command procedures.

INQUIRE is notorious as the least secure way to read input from a terminal;

    READ SYS$INPUT PASS_WORD/PROMPT="Password "

is a hell of a lot better.

If you want to break out of the above, try (for instance) 'F$PID(GOTO) as input to the "Password " prompt. Alternatively, 'F$VERIFY(1) is also effective, although you have to go around the loop once more to see the text of the guy's password.

The point is that INQUIRE actually does DCL parsing on its input, including _executing_ lexicals or symbols after single quote marks.

Simon Hackett

P.S. How sure are you that YOUR "secure" DCL command procedures really are? Have you got someone competent to push them a bit?

P.P.S. My favourite above is 'f$pid(goto). If you don't see why this one works, try HELP LEXICAL F$PID; if you still don't get it, try 'F$PID(HELP) and then try the help command again (!)

---
Simon Hackett                     Phone : +61 8 228 5333
University Computing Services     Telex : UNIVAD AA89141
University of Adelaide            Fax   : +61 8 224 0464
GPO Box 498 Adelaide SA 5001      ACSnet: simon@sirius.ua.oz
AUSTRALIA                         VMS   : IN%"simon@sirius.ua.oz"
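The hardened form of the terminal-lock procedure that the reply above argues for, written out in full. This is an added example, not code from either poster: it replaces INQUIRE with READ SYS$INPUT/PROMPT so that the typed text is stored literally rather than being DCL-parsed (no symbol or lexical substitution on a leading apostrophe), keeps the NOCONTROL and NOECHO settings from the original, and handles the end-of-file and error branches of READ so that a Ctrl-Z or read error cannot end the procedure with the terminal unlocked. The "{put your password here}" placeholder is carried over from the quoted post; the label names and the use of /END_OF_FILE and /ERROR are this example's own choices.

```dcl
$! Added example (not from the original posts): terminal lock that reads
$! the password with READ/PROMPT instead of INQUIRE.
$!
$! Why: INQUIRE performs DCL symbol/lexical substitution on what is typed,
$! so the input is treated as DCL text. READ stores the line as-is.
$!
$! Note: the expected password sits in clear text in this file, so the
$! file itself must be protected from other users (file protection is
$! outside the scope of this example).
$ SET NOVERIFY                     ! never echo procedure lines, even if VERIFY was on
$ SET NOON                         ! a failing command must not abort the loop
$ SET NOCONTROL=(Y,T)              ! Ctrl-Y and Ctrl-T cannot interrupt the procedure
$ SET TERMINAL/NOECHO              ! do not echo the typed password
$RETRY:
$! /END_OF_FILE and /ERROR are standard READ qualifiers: Ctrl-Z (EOF) and
$! read errors both return to the prompt instead of falling through to EXIT.
$ READ/PROMPT="Password " /END_OF_FILE=RETRY /ERROR=RETRY SYS$INPUT PASS_WORD
$ IF PASS_WORD .NES. "{put your password here}" THEN GOTO RETRY
$! Correct password: clear the typed value from the local symbol table
$! before restoring the terminal.
$ DELETE/SYMBOL PASS_WORD
$ SET TERMINAL/ECHO
$ SET CONTROL=(Y,T)
$ EXIT
```

With READ, an input such as 'F$PID(GOTO) is simply a string that fails the .NES. comparison and loops back to the prompt; nothing in it is evaluated. The remaining weakness is the one the original P.S. hints at: the comparison value is stored in the procedure file, so the protection of that file, not the prompt logic, becomes the deciding factor.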