From: SMTP%"RELAY-INFO-VAX@CRVAX.SRI.COM" 25-AUG-1993 08:40:43.99
To: EVERHART
CC:
Subj: Re: [Open]VMS System Modes

X-Newsgroups: comp.os.vms
Subject: Re: [Open]VMS System Modes
Message-Id: <1993Aug19.073743.31@macro.demon.co.uk>
From: neill@macro.demon.co.uk (Neill Clift)
Date: 19 Aug 93 07:37:43 +0000
Organization: None
Lines: 53
To: Info-VAX@kl.sri.com
X-Gateway-Source-Info: USENET

In article <9308180343.AA00298@uu3.psi.com>, Jerry Leichter writes:

[lots of interesting stuff deleted]

> In this model, the "security firewall" occurs between supervisor and executive
> modes. To some degree, VMS follows this model: While there are things you
> can't do in executive mode, they are restricted as a matter of convention and
> safety, NOT security: Executive mode code can easily get into kernel mode.
> This is NOT true of supervisor mode code. Had this model been carried through
> properly, private command interpreters would have posed no problem.
>
> Unfortunately, the VMS designers botched the interaction of processor modes
> and process privileges. If Joe User could write his own supervisor code, he
> could queue a supervisor-mode AST, for example, then run an image with
> amplified privileges. The AST goes off, grabbing control of the process
> away from the image - and bam, it's got the privileges that came with the
> image. So, unfortunately, access to supervisor mode has to be restricted as

You don't have to go this far to get privileged. After calling sys$imgact to
activate a privileged image, supervisor mode will have those privileges without
ever having to call sys$imgfix and later transferring control to the activated
image.

> well. (Since it was restricted anyway, a couple of things were done in DCL
> by just going into an inner mode, rather than providing a clean, secure
> interface. But it COULD have been done right.)

Done right is made a little more complicated by the fact that it's supervisor
mode that does the following:

    Turns off image privileges when you hit ^Y
    Prints out the ^T message
    Kills the process on terminal hangup
    Finally removes enhanced privileges by running down the image when another
    is executed.
    Performs services for privileged images (CLI routines etc.)

Any of these can get control during a privileged image's execution. Looks like
it's very difficult to do right to me.

Neill.

>
> So: Nice idea that didn't QUITE get handled correctly.
>
> -- Jerry
>
--
Neill Clift neill@macro.demon.co.uk