info-vax@ucbvax.ARPA (06/07/85)
From: "Brand Hal"@LLL-MFE.ARPA

We recently got a software package that attempts to ALLOCATE a terminal line to do some special I/O. The ALLOCATE always failed because the SYSTARTUP.COM file had set all the terminal lines

    SET PROT=(S:R,O,G,W)/DEVICE/OWNER=[1,4] T???:

Thus, it was no surprise that when attempting to ALLOCATE some other terminal, the code failed. However, what was a surprise was that you can't even ALLOCATE your own terminal! Try it! Make sure the terminal is set as shown above, log into an account without SYSPRV, and try ALLOCATE TT: or even ALLOCATE SYS$OUTPUT, etc. Using SHOW DEV T???/FULL you will see that your process "owns" the terminal, but the owner_uic is still [1,4].

Now, DEC recommends setting the terminal in the manner shown above to stop "password pirates" (Vol. 2, page DCL-620). We can't modify the software package 'cause we didn't get sources.

So... anyone got any ideas? I can't find a way to maintain security and allow this software to run even when it is using the user's terminal for the special I/O.

Hal Brand
BRAND#HAL@LLL-MFE
info-vax@ucbvax.ARPA (06/07/85)
From: Richard Garland <OC.GARLAND@CU20B.ARPA>

Allocating terminals:

We have several lines that have special devices on them, i.e. an Evans and Sutherland PS300. These are not (usually) used for logins so I set them either

    SET DEV/PROT=(S:RWLP,O:RWLP,G:RWLP,W)/OWN=(xxx,0) ttxy:

or

    .......... W:RWLP) ....

The former for lines belonging to a certain group and excluding the world, the latter for lines available to the world. Typically a user logs onto another terminal and these become output devices.

Another approach may be to give the third party software some privilege to allocate the line (i.e. INSTALL it). This would require that you trust the software to not do anything weird with enhanced privilege.

Rg
-------
info-vax@ucbvax.ARPA (06/07/85)
From: Richard Garland <OC.GARLAND@CU20B.ARPA>

Followup on allocating your own terminal:

I tried after reading your message to do an ALLOCATE TT: from a non-privileged account and found it WORKS FOR DISCONNECTABLE TERMINALS. I.e. if the line is set /DISCONNECT and you do an ALLOCATE TT: it says fine "VTA123 allocated". This is great since the VTA only exists while you are using it and you don't have a security problem. Trying to allocate the physical terminal fails as you said but that doesn't matter.

Solution: Set your lines /DISCONNECT

(Note: this is done in SYSTARTUP.COM. First do

    $ Run Sys$System:Sysgen
    Connect VTA0: /Driver=TTDriver /NoAdapter
    Exit

then do

    $ Set Term T???/Perm/Disconnect/....

for each line.)

Rg
-------