dagg@CSA4.LBL.GOV (Darren Griffiths) (04/08/88)
DEC recently released a mandatory update to VMS that fixes some problems in SYS, TTDRIVER, WTDRIVER, UISBG and DBGSSISHR. Upon installing this update on a LAVc some problems were experienced, people running VAXstations that use the VAX Workstation Software may want to read this before installing the fixes on their systems. It seems that one of the fixes was to a known problem with the way device protections are assigned under VWS. When you create a new window the software creates a new device WTAx: that is basically a copy of the template workstation device WTA0:. The "problem" that was "fixed" is that some of the protection bits get changed when the new device is created, the fix stops this from happening. The problem does introduce a security hole so I am trying to avoid being to specific. So far all of this sounds quite nice, the problem is corrected and things should go on as normal. Unfortunately another problem is introduced. When you create your first window on the workstation LOGINOUT is running with a system UIC and the window is created by opening the template device WTA0 and having another device created for you, when you then decide that it would be exciting to have a second window and you try to auto-login, the process is created with your UIC and privileges. LOGINOUT opens up WTA0: expecting to get a device allocated to it, the device is created but cannot be allocated to you because the security patch fixed the protection bits very nicely and your process doesn't have privilege to look at the device. This problem can be avoided in four ways. 1) Don't install the patches at all. 2) The problem doesn't occur if your **DEFAULT** privileges include something like READALL, that way you will be able to get the DEVICE. Note that all you need is read access to be able to allocate a non-shareable device like a workstation window. 3) If you've already installed the patch and don't want to be give everyone privileges you can remove the patched version of SYS$SYSTEM:TTDRIVER.EXE, put the old one back and reboot. 4) You can uncomment the lines in SYS$MANAGER:UISBG.DAT that allow you to have another option in the workstation menu that will let you login without auto-login. This way you just have to type your username and password each time a window is created. I have contacted DEC about the problem and hope to have an answer very soon, I'll let the net know when this answer comes in. If anyone has any questions or further information let me know. --Darren Lawrence Berkeley Labs DAGG@LBL.GOV