Doug writes:
> I don't think so. We've moved the operator functions to
> OPERATOR.ACCOUNTS and while we left OPERATOR.SYS, we "took the
> teeth out of it" by removing OP and other capabilities, so it
> can't do one bloody thing.
Keep in mind that it's still a user in the SYS account, so you want to make
sure that people can't log on to it. Being a user in an account (and
especially being able to log on into an arbitrary GROUP) will give even a
"no capability" user some power over files that exist there, and when it's a
privileged ACCOUNT, that's not a good thing.
You must prevent untrusted users from gaining the ability to create a file
in a group with PM capability, and you must stop them from gaining write
access to *any* executable file in any group with PM.
G.