AWalker@RED.RUTGERS.EDU.UUCP (06/09/87)
First: Deepest thanks to those brave souls who hauled off and posted the patch. I am willing to bet a *lot* of the readership will take and use it if they haven't received/never will receive it from DEC, and be done with it.

Second: In my opinion, which you may choose to ignore or not, having a *system service* to muck with the UAF is stupid. I can only see two reasons for having it: 1> So that you can have "group managers" who can bash their underlings' accounts, and/or 2> so you can "always" have UAF modifications be accompanied with a security alarm if appropriate. This latter one can still be worked around by a user with the appropriate privileges just opening, $getting, and $updating records in the file -- relying on this system service to catch *all* UAF modifications by people with sysprv or bypass is *cretinous* because you can get around it any number of ways.

Third: After having a *lot* of fun taking said patch and romping through the fiche with a very limited knowledge of Bliss, I do indeed have a fairly clear idea of what's going on although my theory may still be incorrect. However, the actual fix is still just a "bigger hammer" that completely disables a bunch of code -- if this code was ever intended as a feature, you'll never be able to use that now.

Fourth: What I said about the high school kids was probably incorrect. This one is far too subtle for a "beginner" to deal with, unless I'm way out in left field here. [I don't know yet because I haven't actually gotten it to "work" for me yet.]

Fifth: Given the above, I think it would be quite safe for the people concerned and interested to discuss it openly via info-vax, drawing the line at things like posting actual working *programs* that make use of it. From what I can tell a lot of crackers are the "type make and walk away" sort of people who are more willing to do something quick, known, and destructive rather than learn something fairly elegant about the internals of a given OS. In effect, I'm saying that the folks who understand why a bug like this one works are more likely to already be managing a machine somewhere, not cruising around looking for things to break into. Paranoia is fine, as long as it derives from a realistic threat.

Perhaps we should splinter off a vms-security list, similar to the unix security one whereon things like this are discussed openly and fixes freely distributed.

_H*