HP3000-L Archives

January 1998, Week 3

HP3000-L@RAVEN.UTC.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Can a PM program open file it lacks normal access to? -Reply
From:
John Zoltak <[log in to unmask]>
Reply To:
John Zoltak <[log in to unmask]>
Date:
Thu, 15 Jan 1998 15:33:05 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (78 lines) 
Michael,
        I think you are right on this also. The only way Art's scenario
would happen is if you gave the capability with AIFJSPUT and not
AIFPROCPUT.
John Zoltak
North American Mfg Co

> -----Original Message-----
> From: Michael P. Smith [SMTP:[log in to unmask]]
> Sent: Friday, January 16, 1998 12:03 AM
> To:   [log in to unmask]
> Subject:      Re: [HP3000-L] Can a PM program open file it lacks
> normal access to? -Reply
>
> Art Bahrs wrote in message ...
> >Hi Michael,
> >   um... it may be straight forward ... but if the program is crashed
> inbetween
> >the two calls... the user would be left with 'SM' capability...  and
> a
> malicious
> >user looks for this kind of thing when looking to break the
> system....
> >
> >Art "Not that I have ever done that... hehehe <EG> " Bahrs
> >
>
> I think you are incorrect in this, but I have been wrong in the past
> :)
>
> In my message I stated that I would be giving SM to the program and
> not to
> the user or to the CI.  Let me try to explain my thinking, and then
> you can
> shoot it down at your leisure.
>
> When a user signs on to the system a CI process is created for him.
> The CI
> is given the same capabilities that the user has in the accounting
> structure.  The user then runs my program A.B.C and it is given the
> same
> capabilities mask as the CI (this is why when you run something like
> GOD.PUB.VESOFT subsequent programs behave as if the user has SM but
> doing a
> LISTUSER on the user shows the user does not have SM).  As the program
> continues the code calls AIFPROCPUT and gives the process A.B.C SM
> capability.  The program then opens a file (that it initially
> couldn't) and
> then calls AIFPROCPUT to remove SM from process A.B.C.  If the user
> manages
> to kill the program at exactly the right time (ie between the
> AIFPROCPUT
> granting SM and the AIFPROCPUT removing SM) this would have no bearing
> on
> the CI.
>
> If my thinking is right, no matter how A.B.C is aborted, the temporary
> SM
> capability would be lost and there would be no security breach.  Also,
> the
> reason that I keep giving SM and taking SM away from A.B.C is to make
> the
> example simpler.  In reality I would probably give SM to the process
> and
> only take it away if I allowed the user to execute CI commands from
> within
> the program (in which case if I left SM on the process the user would
> have a
> means of exploiting the SM capability).
>
>
> ---------------------------------------------------
> Michael P. Smith
> Hertz Corporation
> Sr. Systems Programmer
>
        <snip>

ATOM RSS1 RSS2