Conference ilbbak::ibi_focus

248.0. "How do you handle SU and security problems?" by BLITZN::SMITHL (Lisa Smith) Mon Aug 14 1989 19:08

    Hi,
    
    I am new to this conference, and I am wondering how different sites
    are handling running the FOCUS SU server.
    
    I have been informed that the DECNET object of task0 must be up
    and running in order for the SU server to be able to communicate
    with DECNET.  Well, our Security Manager has a problem with this,
    since the task0 object will allow arbitrary command files to be
    executed on the system.  I have read the notes that reference the
    SU server, and one of them mentioned that IBI was going to look
    in to changing FOCUS so that it didn't rely on the task0.  I have
    also talked to one DEC employee who is using the SU server, and
    he said that they installed the task0 on a non-production machine.
    
    Since the 13-Mar-1989 draft of the "M/E/M Computer Security Policies
    and Procedures" manual states not to turn on general TASK access,
    our Security Manager is very, very reluctant to turn on task0 for
    a production or non-production machine.  Since, I do not know if or
    when IBI is going to change FOCUS, I am at a loss as to how I can get
    multiple write access to my database!
    
    Does anyone have any ideas?
    
    Lisa

    Lisa,
    
    	Associate the TASK0 object with a UAF entry but an incorrect
    password, then grant the account running the SU proxy access to
    the TASK0 UAF entry.  It's sneaky, but it works.
    
    Curtis Coppersmith

    
    Thanks Curtis!
    
    I'll talk to our Security Manager and see if he'll give it a try.
    
    Lisa