Conference iosg::all-in-1_v30

Title: *OLD* ALL-IN-1 (tm) Support Conference
Notice: Closed - See Note 4331.l to move to IOSG::ALL-IN-1
Moderator: IOSG::PYE
Created: Thu Jan 30 1992
Last Modified: Tue Jan 23 1996
Last Successful Update: Fri Jun 06 1997
Number of topics: 4343
Total number of notes: 18308

2397.0. "Is <newdir a security breach?" by HPOP03::TROTTI () Thu Mar 11 1993 17:01

I have a customer who has just learned that a privileged user can
enter <NEWDIR and be allowed to read 'the President's E-MAIL'.

How have you addressed this issue?  Is it best to talk about it as
a feature or to yank it out of the code?  If you have addressed it
technically, how would you go about taking it out of ALL-IN-1?

Thanks

Mike

Burlington, Ontario


2397.1. "Discussed many times - here's one pointer" by AIMTEC::WICKS_A (Oscar the Grouch is an Optimist!) Thu Mar 11 1993 17:05 (7 lines)

    Mike,
    
    Note 1132 discusses disabling the <NEWDIR function
    
    Regards,
    
    Andrew.D.Wicks

2397.2. "That's the way VMS works..." by SCOTTC::MARSHALL (Spitfire Drivers Do It Topless) Thu Mar 11 1993 19:22 (10 lines)

re .0

A privileged user can go to DCL, then $ SET DEF to the president's directory,
and read everything there!

It isn't a security problem.  It's a fact of life: if you give a user
privileges, then they can do this sort of thing.  If you don't want them to
do it, don't give them privileges.

Scott

2397.3. "You're absolutely right Scott!" by HPOP03::TROTTI () Thu Mar 11 1993 20:41 (6 lines)

re: -.1

I agree with you, Scott. If you can't trust the MIS administrators, then
the company has more serious problems than <NEWDIR.

mike

2397.4. "FCS could still be used" by CHRLIE::HUSTON () Thu Mar 11 1993 20:49 (7 lines)
    
    Besides, if they have the privs to do a <newdir, they probably
    have the privs (given a V3.** system) to do an IAD, ADR, then
    read whatever they want from the drawer.
    
    --Bob