RCONN@Simtel20.ARPA (08/08/84)
From: Richard Conn <RCONN@Simtel20.ARPA>

Yes, I concur that with programs like SWEEP, security is basically lost if you can get to them. ZCPR3 offers a distinct advantage in this arena in that for secure systems with the DU form disabled, then the DIR form has to be used. Each named directory has a password associated with it. So if the user types ROOT:SWEEP, then if ROOT has a non-blank password, the user is FORCED to provide a correct password before the system will log him in. If he does not provide the correct password, the ROOT: reference is changed (internally) to the current directory. The same is true for commands like TYPE DIR:PASSFILE.TXT, since even for references in the argument fields, the password protection holds under ZCPR3.

"Dangerous" commands should be placed into a named directory which is not in the command search path. If you want even more security, have the login sequence DISABLE the reference in the named directory to this "secure" directory, so its NAME is not even available to the user. With DU disabled and no NAME, a directory CANNOT be referenced unless a tool like SWEEP which bypasses the protection system is used, and hopefully the path protection with the named directory reference will stop that.

Rick
RCONN@Simtel20.ARPA (08/08/84)
From: Richard Conn <RCONN@Simtel20.ARPA>

FYI - this is the message I responded to in my comments about security under ZCPR3.

-- Rick

Date: Wednesday, 8 August 1984 06:30-MDT
From: Jim Forrest <JFORREST at SIMTEL20.ARPA>
To: KPETERSEN at SIMTEL20.ARPA
cc: JFORREST at SIMTEL20.ARPA
Re: RBBS/ZCPR2
ReSent-From: KPETERSEN@SIMTEL20
ReSent-To: RCONN
ReSent-Date: Wed 8 Aug 1984 07:14-MDT

Keith

Found a serious weakness in security.

With user areas restricted to 0-9, a user in 0: can type:

11:sweep2<ret>

Then can use sweep to go to any user area as it over-rides bye limits.

I have tried protect and password (whatever correct names are) to no avail. Possibly I have bye set for cpm 2.2 and not zcpr2 or nzcpr2. I am using version of zcpr2 set up for security that eliminates some commands. I was not sure which to use in bye as I had some trouble when I set on zcpr2 or nzcpr2. That may be due to difference in max user set with genins and max user set in bye.

Jim
JFORREST@SIMTEL20.ARPA (08/10/84)
From: Jim Forrest <JFORREST@SIMTEL20.ARPA>

I finally got the degree of security I needed by setting BYE NZCPR YES and USEZCPR NO. This unlikely mixture results in users being able to use 0: thru 5: to switch user areas, but having to use CD to connect to user areas 6 thru 9. With BYE set like this, 11:SWEEP results in a ?. No more.

I suppose the reason it will not accept 6: thru 9: is due to something in the PUTSEC.HEX file so I will need to obtain PUTSEC.ASM and make a change, if I can find it. I got the HEX file from Steve Sanders, who now has PRO-COM RBBS/RCPM running extremely well on ZCPR3.

Do you agree on my assumption about PUTSEC.HEX?

Jim
-------
RCONN@simtel20.ARPA (08/16/84)
From: Richard Conn <RCONN@simtel20.ARPA>

I am really not familiar with the NZCPRs or the PUTSEC program you mention. Can't say anything about them.

Rick