| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
2667.1 | $INIT DUA0 etc..... | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Thu May 08 1997 14:30 | 41 |
1) This is an RMS question, not an ALL-IN-1 question. We just open
files, and write records. I have no idea how RMS decides how many
blocks you get when you open the file (presumably it's something to do
with the cluster size?) or whether they are initialised first, although
I think the latter is affected by whether you have /HIGH_WATER_MARK
turned on for the volume. I presume that this site will be
using that if it's worried about security.
Also, I don't think that blocks are emptied when a file is deleted,
although this can be done from DCL with DELETE/ERASE. Since we'll be
deleting the shared area file (when the WASTEBASKET is emptied and all
usage of the file has gone away) from code, this doesn't help much. I
know we won't be setting the erase flag from code, since it makes
things much slower.
What happens with deleted blocks I couldn't say, although I believe
that OpenVMS reuses recently deleted blocks first. You need to ask the
RMS people, or look in the File System Internals books.
I suggest that they initialise the disc containing the shared area, and
restore a backup from before the secure document was created, since
this is the only certain way to make sure that parts of the file don't
still exist.
You also need to worry about any parts of the file that might have been
in memory (disc buffers, cache, etc.) and that memory subsequently
being reused for other purposes. Perhaps it would be safer to
initialise all the discs (including the system disc of course) and
restore a full backup.
2) I think that it's unlikely we'll do anything other than read records
line by line out of the file and pass them to the PC.
BUT if the file was block structured, then this might not be true. So,
you'd better initialise all the PC discs too.....
Can we sell them a security review? It sounds like there's something
badly wrong with their processes if they can inadvertently use the
wrong machine!!
Graham
2667.2 | Check the VMSNOTES or RMS_OPENVMS conference | TAY2P1::HOWARD | Whoever it takes | Thu May 08 1997 16:21 | 15 |
I think if you check into HIGH_WATER_MARKING you'll find out what you want
to know. Every ALL-IN-1 tuning guide says to turn it off for
performance, but as Graham said, ALL-IN-1 just tells RMS what it
wants; the specifics of file allocation are left up to RMS, so it will
still work. Frank N. was really good at this stuff, but he is long
gone ;-(
One of the things that is so nice about ALL-IN-1 is that it takes
advantage of what is already out there, using the standard features of
VMS. So when major improvements like disk shadowing, clusters or
different disk types came along, ALL-IN-1 kept working. One of the
problems with WordPerfect is that they like to dicker with low-level
calls and get into trouble when things change.
Ben
2667.3 | $INIT/ERASE too | IOSG::ELLIOTTR | Russell Elliott | Thu May 08 1997 16:33 | 9 |
One thing to bear in mind - even when you INITIALIZE a disk, data can
still be recovered. You must specify the /ERASE qualifier (NOERASE is
the default). It works like the DELETE/ERASE command, by replacing the
data with a specified sequence of data.
I had to do this once when I returned a hired disk drive.
Russ.
2667.4 | | IJSAPL::DEWIJK | GJ from the Dutchlands | Fri May 09 1997 19:42 | 7 |
Hi,
What about the $SET VOLUME/ERASE command? It
takes care of the whole volume, without a need to change the
applications.
GJ
2667.5 | Customer won't go away! | AIMTEC::BRASWELL_A | | Wed May 14 1997 22:49 | 13 |
Customer (sensitive government site) is saying that priv'd routines that
do QIOs are shipping portions of previously deleted files along with
currently requested records, such as DDS lookups or messages with portions
of previously deleted NBS records, from a system set up for security
(highwater marking - "erase on delete" is not being done for performance
reasons) to non-secure systems such as PC clients. These files can then
be looked at using debug/dump/etc. by someone knowledgeable.
Can we be certain that none of the ALL-IN-1 servers do qio in priv'd mode
to send requested record(s) to the client?
Thanks!
Alice
2667.6 | DEEP DEEP Sigh........... | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Thu May 15 1997 10:41 | 34 |
<<<< (highwater marking - "erase on delete" is not being done for
<<<< performance reasons)
Please send the text of my .1 reply to the customer. Then get them sent
on an RMS course and a security course. If the system is supposed to be
even remotely secure, then they must set HIGHWATER marking and the SET
VOLUME command mentioned in a previous reply, otherwise, it IS NOT A
SECURE SYSTEM (Yes, I am shouting!!!) If they want it secure, then they
have to take some performance hit.
<<<< Customer (sensitive government site) is saying that priv'd
<<<< routines that do qios are shipping portions of previously deleted
<<<< files along with currently requested records such as DDS lookup or
<<<< messages with portion of previously deleted NBS records
This proves that the customer knows b***er all about how RMS (and
probably all other file systems) work. Privileges are irrelevant, the
system always gives bits of memory and disc to applications without
clearing it first, and they can reproduce that effect with a ten line
user mode, non-privileged BASIC program. Or perhaps even DCL!!!!
<<<< Can we be certain that none of the ALL-IN-1 servers do qio in
<<<< priv'd mode
I can say with *COMPLETE* certainty that almost all the QIOs that
ALL-IN-1 (and its servers) perform will be with privileges turned on.
How else does this customer think that unprivileged users get records
written to, and read from, files in the shared areas? Magic?
I hope this place doesn't control anything like nuclear bombs, or
biological warfare, that might affect me!!!!!
Graham
2667.7 | | AIMTEC::ZANIEWSKI_D | Add Jean to the list of deserters! | Thu May 15 1997 14:08 | 8 |
Be very afraid Graham. I know who Alice's customer is and they
control every dangerous thing imaginable.
Alice, after convincing them they need RMS and security courses, get
them to buy the security rated version of VMS. Maybe convince them
that they need to upgrade to GOLD or PLATINUM support too.
Dave Zaniewski
2667.8 | gone for now | ALFSS2::BEKELE_D | When indoubt THINK! | Thu May 15 1997 17:27 | 20 |
Graham,
You are right on the money on the nature of this site and I do
not blame you for shouting one bit! Alice came to me even before she
posted this string and I had advised her (almost verbatim, including asking
the customer to talk to RMS folks if he needs a more "authoritative
answer") with what you had to say in .1.
Unfortunately, the guy ("consultant - royal pain in the you_know_where!")
did call RMS support and he was told "it is up to the application."
and he came right back to Alice! Btw, he has highwater turned on; it is
SET VOLUME/ERASE_ON_ he objects to for performance reasons (Alice had me
talk to him and he had me dumbfounded when he made his objections given
the nature of the site!) Anyway, I have a) stressed that he use
/ERASE_ON, b) suggested he consider SEVMS, and c) told him to check out
http://www.openvms.digital.com/openvms/Security.html
for additional multi-platform products/services.
Dan
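The volume settings argued over across this thread (highwater marking, erase-on-delete, INITIALIZE/ERASE), collected into one DCL sequence as an added example that is not part of any reply; DUA0: is the device from the title of .1, and [SHARED_AREA]SECRET.WPL is a hypothetical placeholder for an ALL-IN-1 shared-area file.

```dcl
$ ! Added example: OpenVMS volume settings discussed in this thread.
$ ! DUA0: comes from the thread title; [SHARED_AREA]SECRET.WPL is a
$ ! hypothetical placeholder for an ALL-IN-1 shared-area file.
$ !
$ ! 1. Inspect the volume. The volume status line reports whether
$ !    high-water marking and erase-on-delete are in effect.
$ SHOW DEVICE/FULL DUA0:
$ !
$ ! 2. The customer's setting: erase-on-delete off for performance.
$ !    Blocks of a deleted file return to the free pool with their
$ !    contents intact, and a later file extension can hand them to
$ !    another user unchanged, which is the "previously deleted
$ !    records" effect described in .5.
$ SET VOLUME/NOERASE_ON_DELETE DUA0:
$ !
$ ! 3. The settings the thread recommends. High-water marking stops a
$ !    reader from seeing allocated blocks the file has not yet written;
$ !    erase-on-delete overwrites a file's blocks with the system erase
$ !    pattern when it is deleted, so they carry no old data into the
$ !    next file that receives them.
$ SET VOLUME/HIGHWATER_MARKING DUA0:
$ SET VOLUME/ERASE_ON_DELETE DUA0:
$ !
$ ! 4. Per-file alternatives when the volume-wide setting is refused:
$ !    mark one file so its blocks are erased on deletion, or erase it
$ !    explicitly now (the DELETE/ERASE mentioned in .1 and .3).
$ SET FILE/ERASE_ON_DELETE [SHARED_AREA]SECRET.WPL
$ DELETE/ERASE [SHARED_AREA]SECRET.WPL;*
$ !
$ ! 5. Changing the volume setting does nothing for blocks freed before
$ !    the change. Clearing those means erasing the disk and restoring
$ !    from a backup, as .1 suggests. /NOERASE is the INITIALIZE
$ !    default (see .3); /ERASE overwrites every block on the volume.
$ INITIALIZE/ERASE DUA0: SHARED
```

Steps 2 to 5 change the state of the volume; the SHOW DEVICE/FULL in step 1 is the read-only check to run first and again afterwards to confirm the change took effect.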