HP3000-L Archives

September 2001, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Gavin Scott <[log in to unmask]>
Reply To:
Gavin Scott <[log in to unmask]>
Date:
Mon, 24 Sep 2001 14:26:50 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (45 lines)
Ron writes:
> I think that we are treading on shaky ground here.  What if a
> "knowledgeable" user, or a cracker, tries this command?  What
> safeguards would be in place to ensure that a system is not
> shut down by accident?

In order to shut the system down "accidentally" using my proposed definition
of the SHUTDOWN command, one must:

1) Have OP capability.

2) Be logged on to the logical :CONSOLE device (or be ALLOWed the command).

3) Explicitly type "SHUTDOWN SYSTEM".

By the time you have #1 and #2, the system is completely under your control
as far as starting and stopping things goes.  To get the console requires SM
capability or ALLOW or a privileged program.  At the physical console one
can type <CTRL>A followed by SHUTDOWN and get the same effect.

Not even an SM user can execute a "master operator" command without having
it explicitly allowed or moving the :CONSOLE.

Today any user who could execute the new "SHUTDOWN SYSTEM" command can abort
any/every user on the system, and make the system unusable in dozens of
ways.

I see no reason to prevent the command's use by operations staff (by
requiring SM) or to allow it to be executed on any terminal at any time (by
*only* requiring SM and not making it a "master operator" command).

Keep in mind that a halfway-clever person with just OP capability has all
the capabilities of an SM user the same way that a user with just PM
capability had access to all the capabilities of an SM user.  All three
capabilities (OP/SM/PM) logically grant total control of the system, just
from different points of view.  SM grants it directly and explicitly, but OP
and PM do it implicitly as well.

Don't give OP capability to an untrusted user.

G.
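The three-part gate described in the post, written out as a small authorization model. This is an added illustration, not MPE code from the list or from HP; the `Session`/`System` types, `authorize` and `move_console` are assumptions made for the example.

```python
"""Model of the proposed SHUTDOWN SYSTEM gate: OP capability, logical :CONSOLE
ownership (or an explicit ALLOW), and the full command typed out explicitly.
Hypothetical structures; they only mirror the post's wording, not real MPE."""
from dataclasses import dataclass, field

MASTER_OPERATOR_COMMANDS = {"SHUTDOWN"}   # commands tied to the :CONSOLE

@dataclass
class Session:
    user: str
    capabilities: set                           # e.g. {"OP"}, {"SM"}, {"OP", "SM"}
    ldev: int                                   # logical device of this session
    allowed: set = field(default_factory=set)   # verbs granted via :ALLOW

@dataclass
class System:
    console_ldev: int = 20                      # ldev currently holding :CONSOLE

def authorize(session: Session, system: System, command_line: str):
    """Return (permitted, reason) for one command line."""
    verb, _, rest = command_line.strip().upper().partition(" ")
    if verb not in MASTER_OPERATOR_COMMANDS:
        return True, "not a master-operator command; ordinary rules apply"
    # 1) OP capability is required; SM alone does not satisfy this check
    if "OP" not in session.capabilities:
        return False, "OP capability required"
    # 2) must own the logical :CONSOLE, or have the verb explicitly ALLOWed
    if session.ldev != system.console_ldev and verb not in session.allowed:
        return False, "not on :CONSOLE and command not ALLOWed"
    # 3) the full form must be typed; no default parameter, no abbreviation
    if verb == "SHUTDOWN" and rest.strip() != "SYSTEM":
        return False, "SHUTDOWN requires the explicit SYSTEM parameter"
    return True, "permitted"

def move_console(session: Session, system: System, new_ldev: int) -> int:
    """Moving :CONSOLE requires SM (the post's 'SM capability or ALLOW')."""
    if "SM" not in session.capabilities:
        raise PermissionError("SM capability required to move :CONSOLE")
    system.console_ldev = new_ldev
    return system.console_ldev

if __name__ == "__main__":
    sysm = System()
    for s in (Session("OPER", {"OP"}, 20), Session("OPER", {"OP"}, 45),
              Session("MGR", {"SM"}, 20), Session("OPER", {"OP"}, 45, {"SHUTDOWN"})):
        print(s.user, s.ldev, s.capabilities, authorize(s, sysm, "SHUTDOWN SYSTEM"))
```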
