From: CSBVAX::CSBVAX::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 28-NOV-1988 15:13 To: MRGATE::"ARISIA::EVERHART" Subj: Re: Who do you share YOUR accounts with? (and NEWS) Received: From KL.SRI.COM by CRVAX.SRI.COM with TCP; Mon, 28 NOV 88 06:08:19 PDT Received: from CUNYVM.CUNY.EDU by KL.SRI.COM with TCP; Mon, 28 Nov 88 05:54:54 PST Received: from ROUTER.KPO.FI by CUNYVM.CUNY.EDU (IBM VM SMTP R1.1) with BSMTP id 9754; Mon, 28 Nov 88 08:52:46 EDT Received: from ABOVAX.ABO.FI by ROUTER.KPO.FI; Mon, 28 Nov 88 15:42 O Date: Mon, 28 Nov 88 15:43 +0200 From: Leonard Norrgard Subject: Re: Who do you share YOUR accounts with? (and NEWS) To: info-vax@kl.sri.COM Path: abovax!vinsci From: vinsci@abo.fi (Leonard Norrgard) Newsgroups: comp.os.vms Subject: Re: Who do you share YOUR accounts with? (and NEWS) Message-ID: <101@abo.fi> Date: 28 Nov 88 15:41:26 GMT References: <8811220459.AA08090@ucbvax.Berkeley.EDU> <986@uwovax.uwo.ca> <2590@r ti.UUCP> <992@uwovax.uwo.ca> Organization: Abo Academy, Finland Lines: 49 In article <992@uwovax.uwo.ca>, 52032_2326@uwovax.uwo.ca (Mark Hartwell) writes: > [...many good things cut...] > [C] Ask users to log out when inactive. A "SHOW USERS" > can be used to give a list of valid accounts, or > syntaxt of accounts, and even process info: > (ie [TX_DBA] procname "Guru") > [....] If a potential cracker needs to see who's got an account on your VAX, he (hmmm - nobody seen any female crackers?) is probably harmless. My first real progam on the VAX, which was at the same time my first program in C, listed ALL usernames in the system, along with the rights identifiers these accounts had. At least our installation use these rights identifiers as a means to control access to certain parts of the system, such as PSI. The program called SYS$IDTOASC() & SYS$FINNISH_RDB() to find all names in sequence - if the name had another name associated with it, that name was listed too. The only thing I did was add some functionality to a complete example in the Systems Services manual, and translate it from the language used in the manual. Thanks to the high quality of VMS documentation this proved to be an easy task. :-) :-) Now, the amazing thing is that you needn't break ANYthing to get at this info. You only need a normal account without privileges. And according to the VMS documentation the protection of the system files was correct and error-free (I checked with our manager later on, when we had an actual breakin- case.) Thus, a cracker need only a way to transfer a VMS image to his account (if you have removed all compilers etc.). However, this info is useless, unless you know a password. Even if the cracker is clever enough to know about the SYSTEM account, it is unrealistic that he would ever get the password (or a synonym) through clever guessing. But that's all up to you. Sorry for the length. I'm testing the VMS NEWS system at the same time... Just got it installed. (If Geoff is still reading, could you put some more info in the installation part of the manual; Good candidates are examples on setting up the batch job to run newsskim.com (actually I use _alt), and the propagation ACL for the directory NEWS_ROOT. Currently I'm using the following: NEWS.DIR;1 1 (RWE,RWE,RE,RE) (DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE) ) > Mark Hartwell, P. Eng. > Systems Engineer -- Leonard Norrgaard, vinsci@finabo.bitnet, vinsci@abo.fi, +358-21-654474. %SYSTEM-E-QUOTA, quote quota exceeded