[net.works.apollo] Using MBX with protected subsystems

jwp@utah-cs.UUCP (John W Peterson) (10/19/84)

In bringing up the rcp and rsh protocols to talk to our Vaxen, I ran into a
nasty security snafu in the apollo MBX system.

Here's the problem: to prevent random people from writing a few pages of code
enabling them to break into various vax accounts, we thought we could use
Apollo's "protected subsystems" to restrict those programs having access to
the TCP gateway.  Programs like rcp and rsh would be "tcp_gateway" managers,
and the main TCP mailbox (/sys/tcp/data) would be made a "tcp_gateway" data
object.  Thus only programs specifically enabled (i.e., tcp_gateway managers)
could access net - a nice, clean solution.

Unfortunately there's something in the way - the mbx_helper process.  If
mbx_helper isn't also a tcp_gateway manager, the other manager programs
(rcp, rsh, telnet, etc) blow up (with a rather cryptic message, I might add).
And if it IS made a tcp_manager, then any other program has access to TCP,
whether it's been made a manager or not.

I can see a few ways out, such as hacking up the tcp_gateway to implement
privileged ports, but none of them are very clean.  We finally resorted
to restricting access to the tcp libraries, so people could not build code
w/o specific access.

Does anybody know if mbx_helper can be made a little smarter about mailbox
protections?
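The access-control failure the post describes is a confused-deputy situation: a helper process that opens mailboxes on behalf of arbitrary callers, once granted manager rights itself, extends those rights to every caller. The toy model below is an added example, not code from the post or from Apollo; it assumes a simplified version of protected subsystems (a named subsystem with a set of manager programs and a set of data objects, where only managers may open data objects), uses the names from the post (tcp_gateway, /sys/tcp/data, rcp, rsh, telnet, mbx_helper), and adds a constructed "random_program" plus a hypothetical CheckingHelper that enforces the original caller's rights, which is the behaviour the post asks mbx_helper to have.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a program lacks manager rights on a protected data object."""


@dataclass
class ProtectedSubsystem:
    """Simplified model (an assumption, not Apollo's actual implementation):
    programs enrolled as managers may open the subsystem's data objects."""
    name: str
    managers: set[str] = field(default_factory=set)
    data_objects: set[str] = field(default_factory=set)

    def can_open(self, program: str, path: str) -> bool:
        # Objects outside the subsystem are unrestricted in this model.
        if path not in self.data_objects:
            return True
        return program in self.managers


class NaiveHelper:
    """Broker that opens mailboxes under its *own* identity, as the post
    describes mbx_helper behaving: whoever asks gets whatever the helper may open."""

    def __init__(self, subsystem: ProtectedSubsystem, identity: str = "mbx_helper"):
        self.subsystem = subsystem
        self.identity = identity

    def open_for(self, caller: str, path: str) -> str:
        if not self.subsystem.can_open(self.identity, path):
            raise AccessDenied(f"{self.identity} may not open {path}")
        return f"{path} opened for {caller}"


class CheckingHelper(NaiveHelper):
    """Hypothetical fix: the broker also checks the original caller's rights,
    so being a manager itself no longer extends access to every caller."""

    def open_for(self, caller: str, path: str) -> str:
        if not self.subsystem.can_open(caller, path):
            raise AccessDenied(f"{caller} is not a {self.subsystem.name} manager")
        return super().open_for(caller, path)


def attempt(helper: NaiveHelper, caller: str, path: str) -> bool:
    """True if the open succeeds, False if the subsystem check denies it."""
    try:
        helper.open_for(caller, path)
        return True
    except AccessDenied:
        return False


TCP_DATA = "/sys/tcp/data"


def build_subsystem(helper_is_manager: bool) -> ProtectedSubsystem:
    """The configuration from the post: rcp, rsh and telnet are managers;
    mbx_helper is optionally enrolled as well."""
    managers = {"rcp", "rsh", "telnet"}
    if helper_is_manager:
        managers.add("mbx_helper")
    return ProtectedSubsystem("tcp_gateway", managers, {TCP_DATA})


def scenario(helper_is_manager: bool, checking: bool) -> dict[str, bool]:
    """Which callers get the TCP mailbox opened under a given configuration.
    'random_program' is a constructed stand-in for any non-manager program."""
    sub = build_subsystem(helper_is_manager)
    helper = (CheckingHelper if checking else NaiveHelper)(sub)
    return {caller: attempt(helper, caller, TCP_DATA)
            for caller in ("rcp", "random_program")}


if __name__ == "__main__":
    # (helper enrolled?, helper checks caller?) -> who can reach /sys/tcp/data
    for cfg in [(False, False), (True, False), (True, True)]:
        print(cfg, scenario(*cfg))
```

The three printed rows reproduce the post's dilemma and its resolution: with the naive helper not enrolled, even rcp is refused; with the naive helper enrolled, random_program gets through too; only a helper that checks the requesting program's own rights before brokering keeps rcp working while still refusing everything else.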