Security issues

Michael Lee mcl_systems@bc.sympatico.ca
Wed, 14 Apr 1999 07:39:29 -0700


There was a technique developed years ago whereby a UDC could be set up to
disable all the commands you don't want the user to use. One problem with this
is that it was difficult to get all the commands necessary.  Some are obvious,
like 'run', 'purge', etc., but some are less so. Another problem was that the
command was disabled to QUIZ as well.

If I recall correctly though, there was a technique that one Cognoid came up
with that very neatly disabled the ':' command. I cannot remember what it was
but it did work very neatly and eliminated the need for figuring out which
commands to disable. Does that ring a bell with any ex-HP Cognoid? Bob? Kent?
Matt?

Michael Lee
MCL Systems Inc.


Steve Huckvale wrote:

> All,
>
> I have a security issue with QUIZ and wonder if there's a simple solution
> any of you may be aware of.  We have an HP3000 running MPE/iX as an OS and
> ManMan as our primary application.  Through the use of auto-logon UDCs and
> ManMan security our users have limited (if any) access to MPE commands.
>
> However, we have customised ManMan so that certain commands will
> interactively run QUIZ code or QUICK screens within the users session.
> Whilst QUIZ code is being processed from a user's session the user may at
> any point press <CTRL>Y, say NO to continue and be granted a QUIZ command
> prompt >.  From here the user can 'shell' out, for instance with :CI, and be
> granted use of MPE commands.
>
> There is a sketchy reference in the manuals I have to a 'noosaccess'
> program parameter which I can't seem to use; besides, that doesn't seem to
> fit what I'm looking for.  Ideally I would like to allow the code itself
> access to the OS, but not a user.
>
> Obviously this is a hole we would like to plug... any ideas?
>
> Steve Huckvale
> Analyst Programmer
> Cosworth Racing Limited
>
> The Octagon, St James Mill Road
> Northampton, NN5 5RA, England.
> Tel: (+44-1604-598490)
> Fax: (+44-1604-598506)
>
> = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> Subscribe: "subscribe powerh-l" in message body to majordomo@lists.swau.edu
> Unsubscribe: "unsubscribe powerh-l" in message to majordomo@lists.swau.edu
> powerh-l@lists.swau.edu is gatewayed one-way to bit.listserv.powerh-l
> This list is closed, thus to post to the list, you must be a subscriber.
