HP3000-L Archives

January 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Michael P. Smith" <[log in to unmask]>
Reply To: Michael P. Smith
Date: Thu, 15 Jan 1998 23:03:24 -0600

Art Bahrs wrote in message ...
>Hi Michael,
>   um... it may be straightforward ... but if the program is crashed in between
>the two calls... the user would be left with 'SM' capability...  and a malicious
>user looks for this kind of thing when looking to break the system....
>
>Art "Not that I have ever done that... hehehe <EG> " Bahrs
>

I think you are incorrect in this, but I have been wrong in the past :)

In my message I stated that I would be giving SM to the program and not to
the user or to the CI.  Let me try to explain my thinking, and then you can
shoot it down at your leisure.

When a user signs on to the system a CI process is created for him.  The CI
is given the same capabilities that the user has in the accounting
structure.  The user then runs my program A.B.C and it is given the same
capabilities mask as the CI (this is why when you run something like
GOD.PUB.VESOFT subsequent programs behave as if the user has SM but doing a
LISTUSER on the user shows the user does not have SM).  As the program
continues the code calls AIFPROCPUT and gives the process A.B.C SM
capability.  The program then opens a file (that it initially couldn't) and
then calls AIFPROCPUT to remove SM from process A.B.C.  If the user manages
to kill the program at exactly the right time (i.e., between the AIFPROCPUT
granting SM and the AIFPROCPUT removing SM) this would have no bearing on
the CI.

If my thinking is right, no matter how A.B.C is aborted, the temporary SM
capability would be lost and there would be no security breach.  Also, the
reason that I keep giving SM and taking SM away from A.B.C is to make the
example simpler.  In reality I would probably give SM to the process and
only take it away if I allowed the user to execute CI commands from within
the program (in which case if I left SM on the process the user would have a
means of exploiting the SM capability).


---------------------------------------------------
Michael P. Smith
Hertz Corporation
Sr. Systems Programmer

>>>> "Michael P. Smith" <[log in to unmask]> 01/15/98 03:23am >>>
>Without going into too many details, I have a need to write a program that
>opens files that the user running the program normally doesn't have access
>to.  The only way that I know of to do this is to call AIFPROCPUT and give
>the user SM capability, then open the file, and finally another call to
>AIFPROCPUT to remove SM capability.  This is a rather straightforward way
>of working around the problem, but I dislike temporarily giving the user SM
>capability (although it would only be given to the actual program process
>and not the CI process).
>
>Does anyone know of a better way of opening a file when you don't normally
>have access to it?  Perhaps via an undocumented/poorly documented HPFOPEN
>parm?  How about it Stan? :)
>
>TIA
>
>---------------------------------------------------
>Michael P. Smith
>Hertz Corporation
>Sr. Systems Programmer
