[comp.os.vms] Word-11 uses BYPASS/paranoid/security

smith%eri.DECnet@MGHCCC.HARVARD.EDU ("ERI::SMITH") (09/03/87)

We wanted to put security alarms on file access by means of the BYPASS
privilege.  When we tried, we were unpleasantly surprised to discover
that a commercial word-processing package, Word-11 by Data Processing 
Design, routinely makes use of BYPASS in normal operation.  This is
not mentioned in their system managers' guide, nor is it immediately
obvious (they tell you to run a .COM file that installs a number of
things with CMEXEC privilege, but BYPASS is not spelled out anywhere).

I'd like some reaction from netland about this.  We're not very concerned
with security, so our immediate response is not to monitor BYPASS, but I'd
like to know if I'm being fair in regarding this as shoddy practice on
DPD's part.  I complained about this about a year ago, in version 4.0.
Version 4.1, released a few months ago, still uses BYPASS.  As they did a
year ago, they vaguely suggest they might change this in the next
release.  Their explanation is that it shouldn't bother us because Word-11
only uses BYPASS for a short time.  Apparently it does this in order to
avoid a possible error message while attempting to gain access to a file
it needs, probably the database file in which it stores information about
users, print queues, etc. 

If I'm right in thinking this is a fairly bad thing for Word-11 to be doing, 
I want to let other Word-11 users know about it so we can inundate them 
with enough complaints to GET it fixed in the NEXT release.  On the
other hand, if the general opinion is that it's no big deal I'll shut up
about it.
--------------------------------------------------------------------
Daniel P. B. Smith         ARPA: smith%eri.decnet@mghccc.harvard.edu
Eye Research Institute     CompuServe: 74706,661
20 Staniford Street        Telephone (voice): 617 742-3140
Boston, MA 02114
--------------------------------------------------------------------
"We are in great haste to construct a magnetic telegraph from Maine to
Texas; but Maine and Texas, it may be, have nothing important to
communicate."--Thoreau
------

CP.PAVER@MCC.COM (Bob Paver) (09/04/87)

Give 'em hell!  No "commercial" software should run with BYPASS.
Certainly not without telling you.  There has to be at least a
few ways to avoid the need for BYPASS.


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Bob Paver	(512) 338-3316
Microelectronics and Computer Technology Corp. (MCC)
3500 West Balcones Center Drive
Austin, TX  78759

ARPA:  paver@mcc.com
UUCP:  {ihnp4,seismo,harvard,gatech}!ut-sally!im4u!milanoarent885y bed w