
Conference bulova::decw_jan-89_to_nov-90

Title: DECWINDOWS 26-JAN-89 to 29-NOV-90
Notice: See 1639.0 for VMS V5.3 kit; 2043.0 for 5.4 IFT kit
Moderator: STAR::VATNE
Created: Mon Oct 30 1989
Last Modified: Mon Dec 31 1990
Last Successful Update: Fri Jun 06 1997
Number of topics: 3726
Total number of notes: 19516

17.0. "Task object and security" by KATO::NOFSINGER () Thu Jan 26 1989 13:01

    
    After installing DECwindows on V5.1 I noticed that the task object
    had been recreated (by the DECwindows startup routine).  Security
    has issued a directive, however, banning this useful object.  Am
    I missing something or does this stop DECwindows client/server 
    connections?

17.1. "! == Comment" by DECWIN::FISHER (Burns Fisher 381-1466, ZKO3-4/W23) Thu Jan 26 1989 13:19 (8 lines)

    Note that the code that does this is commented out.
    
    DECWindows does use object 0, and specifies an object name, but it
    does not (any longer) require TASK.
    
    Burns
    

17.2. "could be pilot error" by IAGO::SCHOELLER (Who's on first?) Thu Jan 26 1989 13:39 (24 lines)

If the means by which you cleared the TASK object was

$MCR NCP
NCP>CLEAR OBJECT TASK
NCP>EXIT

then any time you restart the net it comes back.



What you should do instead is

$MCR NCP
NCP>DEF OBJ TASK PASS *DISABLE* ACCOUNT *DISABLE* NUMBER 0
NCP>SET OBJ TASK ALL
NCP>EXIT

This will change your permanent database.  Optionally you can put
PROXY BOTH on the TASK object and that will make it work for people
with proxy access to your system but not for others.  If you have
PROXY NONE (the default) then TASK is effectively disabled.

Dick

17.3. "Still Curious" by KATO::NOFSINGER () Thu Jan 26 1989 14:21 (3 lines)

    I see the new object but why doesn't this raise the same security
    problems?

17.4. "details of TASK" by IAGO::SCHOELLER (Who's on first?) Thu Jan 26 1989 14:59 (13 lines)

The default TASK object is created by DECNET startup if there is no previously
existing TASK OBJECT.  This object has no account or password.  It therefore
uses the DECNET default account.  Any random person could copy a file to the
sys$specific:[decnet] directory and then execute it with TASK (a la the worm).
If you change TASK to a bogus account and password then the only way it can
be used is with a user account and password combination.  Adding proxy enables
trusted user accounts to use TASK without including passwords in their
invocation of the TASK object.

Does that make it clearer?

Dick

17.5. "What I meant..." by DECWIN::FISHER (Burns Fisher 381-1466, ZKO3-4/W23) Thu Jan 26 1989 15:08 (13 lines)

1.  I'm not a DECnet heavy, ok?  But...

2.  I did not claim that we cleared the task object.  Only that we don't
	explicitly create it.  There is code in DECW$STARTUP that creates
	it, but that is commented out.

3.  The problem with the TASK object is that you can use it (in conjunction
	with the default DECnet account) to run an arbitrary .COM file
	remotely.  X$X0 does not do that.  Thus it does not present the
	same security issue.

Burns
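
A toy model of the behaviour described in replies 17.2 and 17.4, added here as an example and not code from the posters or from DECnet: CLEAR touches only the running network, so TASK returns at the next restart, while DEFINE plus SET ... ALL makes the change stick. The `Node` class, its methods and the exposure labels are hypothetical; the NCP command lines are the ones quoted in the thread, and only the PROXY values BOTH and NONE mentioned there are modelled.

```python
# Toy model (added example, hypothetical names): permanent vs. volatile databases.
KEYWORDS = ("PASSWORD", "ACCOUNT", "NUMBER", "PROXY")  # parameters used in the thread
DEFAULT_TASK = {"NUMBER": "0"}  # startup default per 17.4: no account, no password

def expand(word, choices):
    """Resolve an abbreviation such as DEF or PASS by unique prefix."""
    hits = [c for c in choices if c.startswith(word.upper())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous keyword: {word}")
    return hits[0]

class Node:
    def __init__(self):
        self.permanent = {}                            # survives a network restart
        self.volatile = {"TASK": dict(DEFAULT_TASK)}   # the running network

    def ncp(self, line):
        verb, _obj, name, *rest = line.split()
        verb, name = expand(verb, ("DEFINE", "SET", "CLEAR")), name.upper()
        if verb == "CLEAR":
            self.volatile.pop(name, None)              # permanent copy untouched
        elif verb == "SET" and [w.upper() for w in rest] == ["ALL"]:
            if name in self.permanent:                 # load the permanent definition
                self.volatile[name] = dict(self.permanent[name])
        else:
            db = self.permanent if verb == "DEFINE" else self.volatile
            entry = db.setdefault(name, {})
            for key, value in zip(rest[0::2], rest[1::2]):
                entry[expand(key, KEYWORDS)] = value

    def restart_network(self):
        self.volatile = {k: dict(v) for k, v in self.permanent.items()}
        self.volatile.setdefault("TASK", dict(DEFAULT_TASK))  # recreated if missing

    def task_exposure(self):
        task = self.volatile.get("TASK")
        if task is None:
            return "absent"
        if "ACCOUNT" not in task and "PASSWORD" not in task:
            return "default-account"        # runs under the default DECnet account
        if task.get("PROXY", "NONE").upper() == "BOTH":  # NONE is the default (17.2)
            return "proxy-or-explicit-credentials"
        return "explicit-credentials-only"

if __name__ == "__main__":
    node = Node()
    node.ncp("CLEAR OBJECT TASK"); node.restart_network()
    print("after CLEAR + restart:", node.task_exposure())
```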