[comp.os.vms] DEC's security patch. Just say no!

dagg@CSA4.LBL.GOV (Darren Griffiths) (04/08/88)

DEC recently released a mandatory update to VMS that fixes some problems in
SYS, TTDRIVER, WTDRIVER, UISBG and DBGSSISHR.  Upon installing this update on a
LAVc some problems were experienced, people running VAXstations that use the
VAX Workstation Software may want to read this before installing the fixes on
their systems. 

It seems that one of the fixes was to a known problem with the way device
protections are assigned under VWS.  When you create a new window the software
creates a new device WTAx: that is basically a copy of the template workstation
device WTA0:.  The "problem" that was "fixed" is that some of the protection
bits get changed when the new device is created, the fix stops this from
happening.  The problem does introduce a security hole so I am trying to avoid
being to specific. 

So far all of this sounds quite nice, the problem is corrected and things
should go on as normal.  Unfortunately another problem is introduced.  When you
create your first window on the workstation LOGINOUT is running with a system
UIC and the window is created by opening the template device WTA0 and having
another device created for you, when you then decide that it would be exciting
to have a second window and you try to auto-login, the process is created with
your UIC and privileges.  LOGINOUT opens up WTA0: expecting to get a device
allocated to it, the device is created but cannot be allocated to you because
the security patch fixed the protection bits very nicely and your process
doesn't have privilege to look at the device. 


This problem can be avoided in four ways.  
                                                                

   1)   Don't install the patches at all.

   2)   The problem doesn't occur if your **DEFAULT** privileges include
        something like READALL, that way you will be able to get the DEVICE.
        Note that all you need is read access to be able to allocate a
        non-shareable device like a workstation window.

   3)   If you've already installed the patch and don't want to be give
        everyone privileges you can remove the patched version of
        SYS$SYSTEM:TTDRIVER.EXE, put the old one back and reboot.

   4)   You can uncomment the lines in SYS$MANAGER:UISBG.DAT that allow
        you to have another option in the workstation menu that will let
        you login without auto-login.  This way you just have to type 
        your username and password each time a window is created.


I have contacted DEC about the problem and hope to have an answer very soon,
I'll let the net know when this answer comes in.  If anyone has any questions
or further information let me know.


   --Darren
 
   Lawrence Berkeley Labs
   DAGG@LBL.GOV