HP3000-L Archives

August 1996, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Tom Emerson <[log in to unmask]>
Reply To: Tom Emerson <[log in to unmask]>
Date: Wed, 21 Aug 1996 18:33:00 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (164 lines)
 
There is a potential SNAFU with this approach (and, incidentally, it is
also the reason OP capability should be watched "like a hawk" -- I'll
explain later...)
 
Here is an example of why this won't work:
 
/l all
    1     !comment fool the system
    2     !job tom,manager.sys,pub
    3     !tell tom.emerson;hiya
    4     !eoj
/k ajob
AJOB ALREADY EXISTS - RESPOND YES TO PURGE OLD AND KEEP NEW
PURGE OLD?y
/:stream ajob
 #J300
** COMMAND WARNING 1404,  0
Lines preceding JOB/DATA were ignored. (CIWARN 1404)
/FROM/J300 MANAGER.SYS/hiya
/e
T:[TOM]/EMERSON/WORK>
 
[hmmm. now it would be beneficial if RTF text could be sent over the
internet *and* everyone could understand it -- if you could somehow
open the winmail.dat file that my e-mail client auto-attaches, you'd see
the above sample in RWIN's font!]
 
In any event, notice that I merely received a "warning" that the !comment
preceding the actual job card was "ignored".  By the same token, a user
could create a jobstream that looks like this:
 
     !job signon,as.me,here;outclass=whocares
     !set stdlist=delete
     !job signon,as.you,there
     !run do.mean.things;info="as if I were you"
     !set stdlist=delete
     !eoj
 
In which case, there is an "implied" EOJ between the first SET
STDLIST=DELETE and the second job card.  Both of these are examples of
why checking against the original source of the jobstream could fail for
cross-account checking.  [just thought of a third way to fool this --
save your jobstream as a TEMP file -- then there won't be ANYTHING to
validate against...]
 
Overall, the best way to "prevent" this sort of activity is with the
third-party security programs (either SAF/3000 or Security/3000 comes to
mind; both have flexible "rules" for what can and cannot be done); there
may be some options in HP's security monitor, but I haven't had an
opportunity to review their product to make an accurate assessment.
 
 ----------
From:  Paul H. Christidis[SMTP:internet!CCGATE.HAC.COM!phchristidis]
Sent:  Wednesday, August 21, 1996 4:28 PM
To:  Multiple recipients of list HP3000-L; TomE
Subject:  Streaming jobs across accounts
 
A few days ago there was a thread asking whether there was a way to
prevent stream files residing in account 'A' from logging on and
executing in account 'B'.
 
In my reply I included a sample UDC command that would intercept the
'stream' command and perform the needed account validation by reading the
'job' card of the stream file, extracting the account name in the 'job'
card and comparing it to the 'logon' account name.
 
Tom Emerson
 
P.S. -- the security problem and OP cap: OP users can perform backups.
Backups can be specified using an indirect file.  If there is an error
in the backup command, STORE prints the offending line and an error
message.  So... put all this together and if an OP user attempts to use
a JOBSTREAM (that, in theory, he couldn't READ in the first place) as an
indirect file, STORE sees that the !JOB card is obviously "wrong" as an
indirect fileset, so STORE will print the offending line and the
ubiquitous caret pointing (probably) to the embedded password on line
one...
 
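To make the two parsing failures above concrete, here is an added Python example (not from the post and not part of any MPE product or UDC) that runs a first-line account check and a whole-file scan over a constructed job stream built from the post's two samples. The !JOB card syntax it assumes is jobname,user[/pass].acct[/pass],group[;options]; the TEMP-file case cannot be caught by parsing at all.

```python
# Added example (not from the post or any MPE product): why a first-line
# !JOB check misses the two tricks in the post. Assumed card syntax:
#   !JOB [jobname,]user[/pass].acct[/pass][,group[/pass]][;options]

# Constructed job stream: a !COMMENT ahead of the first !JOB card (ignored by
# the CI) and a second !JOB card that implies an !EOJ for the first job.
JOBSTREAM = """!comment fool the system
!job tom,manager.sys,pub
!tell tom.emerson;hiya
!eoj
!job signon,as.me,here;outclass=whocares
!set stdlist=delete
!job signon,as.you,there
!run do.mean.things;info="as if I were you"
!eoj
"""


def parse_job_card(line):
    """Return (user, account) for a !JOB card, or None for any other line."""
    body = line.strip()
    if not body.startswith("!"):
        return None
    words = body[1:].lstrip().split(None, 1)
    if len(words) < 2 or words[0].upper() != "JOB":
        return None
    # Drop ;options, then find the user.acct field among the comma fields.
    for field in words[1].split(";", 1)[0].split(","):
        if "." in field:
            user, acct = field.split(".", 1)
            return user.split("/")[0].lower(), acct.split("/")[0].lower()
    return None


def first_line_account(stream):
    """The quoted UDC's approach: only the first line is inspected."""
    lines = stream.splitlines()
    card = parse_job_card(lines[0]) if lines else None
    return card[1] if card else None


def all_job_accounts(stream):
    """Every !JOB card in the file, in order, regardless of what precedes it."""
    return [card[1] for card in map(parse_job_card, stream.splitlines()) if card]


def foreign_accounts(stream, logon_account):
    """Accounts named by any !JOB card that differ from the logon account."""
    return sorted({a for a in all_job_accounts(stream) if a != logon_account.lower()})


if __name__ == "__main__":
    print(first_line_account(JOBSTREAM))        # None: the !COMMENT hides the card
    print(all_job_accounts(JOBSTREAM))          # ['sys', 'me', 'you']
    print(foreign_accounts(JOBSTREAM, "me"))    # ['sys', 'you']
```

Even the whole-file scan only tells you which accounts a stream names; it cannot see a TEMP file that no longer exists at validation time, which is the third case the post raises.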