JFORREST@SIMTEL20.ARPA (07/18/84)
From: Jim Forrest <JFORREST@SIMTEL20.ARPA>

When running BYE (MBYE-33) and RBBS35, how can you protect the file with user passwords? Running ZCPR2 in secure mode but users can still access password file. Any help appreciated.

Jim
RCONN@Simtel20.ARPA (07/19/84)
From: Richard Conn <RCONN@Simtel20.ARPA>

Not meaning to sound like a broken record (squeek, squeek), but ... ZCPR3 solves that problem cleanly. A system can be made secure under ZCPR3 by disabling the DU form and enabling only the DIR form. Passwords are then assigned to each key directory, and all commands along the path are either "safe" or wheel-byte protected (PATH itself will only run if the wheel byte is set). Then, a user cannot: (1) see a protected disk dir or (2) TYPE a file, PRINT a file, or do anything with any file in a protected disk dir without giving the password for that dir! See the section on secure systems in the User's Perspective.

I am excited about this concept and am fairly sure it can't be broken without internal knowledge of the target system. If anyone can find a way to break this, let me know.

In the way of example, note that the DU form is disabled. This means that you cannot issue the command TYPE A7: or anything like that. You MUST use the DIR: form, so if you say TYPE SYSROOT:, ZCPR3 will see the PW entry for SYSROOT and prompt the user for a PW. If no match, SYSROOT is expanded as his current dir instead, and the command runs there!

Hope this helps.

Rick
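The directory-reference rules described in the post above, modelled as an added example (editor's illustration, not part of the original post and not ZCPR3 code). The table entries, the password, and the handling of an unrecognised reference are assumptions of this model.

```python
"""Toy model of DIR-form-only directory resolution with per-directory passwords.
Illustration only: names, passwords and drive/user values are constructed."""
import re

# Constructed named-directory table: name -> (drive, user, password or None)
NAMED_DIRS = {
    "SYSROOT": ("A", 15, "SECRET"),   # protected key directory
    "HELP":    ("A", 1, None),        # public directory, no password
}

DU_FORM = re.compile(r"^([A-P])(\d{1,2})$")   # disk/user form, e.g. A7


def resolve(ref, current, ask_password, du_enabled=False):
    """Return the (drive, user) that a reference such as 'SYSROOT' expands to.

    current      -- the caller's logged-in (drive, user)
    ask_password -- callable returning what the user typed at the PW prompt
    du_enabled   -- False on the secure configuration described in the post
    """
    ref = ref.upper()
    m = DU_FORM.match(ref)
    if m and du_enabled:
        # Open system: the DU form reaches any disk/user area directly.
        return (m.group(1), int(m.group(2)))
    entry = NAMED_DIRS.get(ref)
    if entry is None:
        # Assumption of this model: an unrecognised reference (including a
        # DU form while du_enabled is False) leaves the user where they are.
        return current
    drive, user, password = entry
    if password is not None and ask_password() != password:
        # No match: the name expands to the current directory instead.
        return current
    return (drive, user)


if __name__ == "__main__":
    here = ("B", 0)
    print(resolve("A7", here, lambda: ""))             # DU form disabled
    print(resolve("SYSROOT", here, lambda: "GUESS"))   # wrong password
    print(resolve("SYSROOT", here, lambda: "SECRET"))  # correct password
```

A wrong password does not abort the command in this model; as in the post, the command simply runs against the caller's current directory.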
W8SDZ@Simtel20.ARPA@sri-unix.UUCP (07/19/84)
From: Keith Petersen <W8SDZ@Simtel20.ARPA>

Look at SECURTY2.ASM in MICRO:<CPM.RCPM>. This is assembled and renamed to RBBS.COM and placed in user zero. The "real" RBBS and all its files are placed in a user area that is inaccessible to callers. SECURTY2 is a small loader program which switches user numbers and then loads RBBS and jumps to it. When the user exits RBBS they return to the original drive/user because the user number change was only temporary.

--Keith
ABN.ISCAMS@USC-ISID.ARPA (07/25/84)
Jim,

I expect some experienced RBBS/BYE Sysops to answer you with more sophisticated responses, but a PD program I was just looking at kind of tickled my fancy.

You say your users can access the password file, so no luck with passwords. Well, a little utility program called MAKEFCB (think I got it from SIMTEL20, maybe the SIG/M archives) changes the file name on disk and directory from upper case to lower case. CANNOT be listed, typed, transferred, erased -- NUTTIN! But it CAN be called from within other programs! So BYE or whatever could reach it and use it, but those curious ones cannot!

Just a suggestion that might be fruitful. (An unusual potential fix anyway!)

Regards,
David Kirschbaum
Toad Hall
ABN.ISCAMS@USC-ISID