lumsdon@dtoa1.dt.navy.mil (Lumsdon) (07/10/90)
Under VMS (version 5.2), what privileges does PING require? Tech Support at Wollongong told me it was cmkrnl, but, when ping image is installed with that privilege, this message appears when trying to use ping (from regular user account; works fine from system account): $ ping _node_ ping: socket: Permission denied I've played with it, and, will ping work when installed with only the sysprv privilege? Thanks for any help. -------------------------- Esther Lumsdon -------------------------------- lumsdon@dtoa1.dt.navy.mil lumsdon@dtrc.dt.navy.mil lumsdon%dtrc.navy.mil@uunet.uu.net "Wherever you go, there you are" -Buckaroo Bonzai
adelman@TGV.COM (Kenneth Adelman) (07/10/90)
> Under VMS (version 5.2), what privileges does PING require? > Tech Support at Wollongong told me it was cmkrnl, but, when ping image > is installed with that privilege, this message appears when trying to > use ping (from regular user account; works fine from system account): > $ ping _node_ > ping: socket: Permission denied > > I've played with it, and, will ping work when installed with only the > sysprv privilege? Both WINS/TCP and MultiNet use 'SYSPRV' as the equivalent of the UNIX 'root' user, so SYSPRV is required to create the raw socket required by PING. I'd be careful about installing arbitrary programs with SYSPRV, as you may breach system-security by allowing someone to use that program to overwrite system files. MultiNet's PING is installed with SYSPRV by default, and in order not to cause a security breach, PING disables it on startup and enables it only to create the socket. Kenneth Adelman TGV, Inc.
imp@dancer.Solbourne.COM (Warner Losh) (07/10/90)
In article <2509@nems.dt.navy.mil> lumsdon@dtoa1.dt.navy.mil (Esther Lumsdon) writes: >Under VMS (version 5.2), what privileges does PING require? It requires CMKRNL and SYSPRV on all version of VMS and all version of WIN/TCP for VMS through at least 5.1. >Tech Support at Wollongong told me it was cmkrnl, but, when ping image >is installed with that privilege, this message appears when trying to >use ping (from regular user account; works fine from system account): > $ ping _node_ > ping: socket: Permission denied > >I've played with it, and, will ping work when installed with only the >sysprv privilege? The problem is that Technical support gave you incomplete information. WIN/TCP PING requires that you have both CMKRNL and SYSPRV in order for certain calls that it makes to succeed. If you don't have both of these privs enabled, then you will get the error message that you see above. The good news is that as of release 5.1 you are supposed to be able to install ping with privs. Everything should work OK if you install the ping image with CMKRNL and SYSPRV. -- Warner Losh imp@Solbourne.COM Boycott Lotus. #include <std/disclaimer>
lumsdon@dtoa1.dt.navy.mil (Lumsdon) (07/10/90)
In article <1990Jul9.210637.4761@Solbourne.COM> imp@dancer.Solbourne.COM (Warner Losh) writes: >In article <2509@nems.dt.navy.mil> lumsdon@dtoa1.dt.navy.mil (Esther >Lumsdon) writes: >>Under VMS (version 5.2), what privileges does PING require? > >It requires CMKRNL and SYSPRV on all version of VMS and all version of >WIN/TCP for VMS through at least 5.1. > >The problem is that Technical support gave you incomplete information. >WIN/TCP PING requires that you have both CMKRNL and SYSPRV in order >for certain calls that it makes to succeed. If you don't have both of Actually, in playing with it before I posted, it worked from my account (not the system account) when I didn't install it, and gave myself only the SYSPRV privilege above normal privs (tmpmbx, etc.). The problem is that Wollongong Tech Support gave me just plain incorrect information. Is it safe to install PING with SYSPRV privilege? Will it compromise my system security? Does Wollongong's PING do anything other than sending ping at target? Is Wollongong's PING code written such that it uses SYSPRV carefully? I'll call Wollongong and ask these questions, and post answers to the net in a week or so. -------------------------- Esther Lumsdon -------------------------------- lumsdon@dtoa1.dt.navy.mil lumsdon@dtrc.dt.navy.mil lumsdon%dtrc.navy.mil@uunet.uu.net "Wherever you go, there you are" -Buckaroo Bonzai
lars@spectrum.CMC.COM (Lars Poulsen) (07/11/90)
In article <2521@nems.dt.navy.mil> lumsdon@dtoa1.dt.navy.mil (Esther Lumsdon) writes: > [PING requires SYSPRV] >Is it safe to install PING with SYSPRV privilege? >Will it compromise my system security? A matter of definition :-) :-) If you install PING with privilege, anybody can use PING. This is useful, but do you want them to ? (I.e. you may not want to pay for that essentially useless traffic). (But pings from OTHER sites are probably more disruptive than outgoing pings). >Does Wollongong's PING do anything other than sending ping at target? You mean, are there trojan horses in commercial code ? Of course you should be suspicious of anything for which you don't receive source code. If you are REALLY worried, you could write your own PING instead of using TWG's. >Is Wollongong's PING code written such that it uses SYSPRV carefully? Why would you be more suspicious of PING than of say the FTP daemon ? The reason PING requires privilege, is that it connects to a "raw" socket; i.e. it interfaces at a level of the network package where you can send *anything you like*. To prevent user programs from forging authentic looking datagrams that pretend to be from somewhere else, the network kernel has been made to insist that only privileged programs do these things. >I'll call Wollongong and ask these questions, and >post answers to the net in a week or so. > >-------------------------- Esther Lumsdon -------------------------------- >lumsdon@dtoa1.dt.navy.mil lumsdon@dtrc.dt.navy.mil >lumsdon%dtrc.navy.mil@uunet.uu.net >"Wherever you go, there you are" -Buckaroo Bonzai -- / Lars Poulsen, SMTS Software Engineer CMC Rockwell lars@CMC.COM
lumsdon@dtoa1.dt.navy.mil (Lumsdon) (07/17/90)
In article <1990Jul10.172440.15458@spectrum.CMC.COM> lars@spectrum.CMC.COM (Lars Poulsen) writes: >In article <2521@nems.dt.navy.mil> lumsdon@dtoa1.dt.navy.mil > (Esther Lumsdon) writes: >> [PING requires SYSPRV] >>Is it safe to install PING with SYSPRV privilege? [....] >The reason PING requires privilege, is that it connects to a "raw" >socket; i.e. it interfaces at a level of the network package where you >can send *anything you like*. To prevent user programs from forging >authentic looking datagrams that pretend to be from somewhere else, the >network kernel has been made to insist that only privileged programs do >these things. Thank you for pointing this out. Thanks for all responses. It has become a moot point. NCSA's tcp/ip for MS-DOS requires (inexplicably) that the VAX PING the PC in order to get communications to work after both machines have rebooted. We are now using FTP Software's tcp/ip for MS-DOS, which has not exhibited this strange behavior. -------------------------- Esther Lumsdon -------------------------------- lumsdon@dtoa1.dt.navy.mil lumsdon@dtrc.dt.navy.mil lumsdon%dtrc.navy.mil@uunet.uu.net "Wherever you go, there you are" -Buckaroo Bonzai