I suppose you all have read about the VMS security bug that has been discussed
for about a week on comp.os.vms. Anyway, having read nothing about it here,
I thought it useful to warn all the system administrators who read this mailing
list and who have VMS nodes with guest access on HECnet and/or Internet
about potential security threats to which their systems are exposed.
All VMS versions (VAX since V5.x, AXP and I64 since their beginning) are
exposed to a local exploit that allows any unprivileged user to gain almost
any privilege! The problem lies in SYS$SHARE:SMGSHR.EXE which is used for CLI
processing in many system utilities installed with high privileges (e.g.
INSTALL.EXE, SYSMAN.EXE, SHWCLSTR.EXE, etc.).
HP has just released mandatory patches for some versions while others, notably
all the VAX and older Alpha ones, are still exposed. Look for kits named like
VMSxxx_SMGRTL-V0100 in ftp://ftp.itrc.hp.com/openvms_patches
A partial solution for those systems for which there isn't a patch appears to
be an ACL to deny access to some utilities by non-trusted users. The list that
follows contains the names of those images that I think most dangerous, but I
will be "happy" to add more names if you discover them:
AUTHORIZE.EXE
INSTALL.EXE
NCP.EXE
SHWCLSTR.EXE
SYSMAN.EXE
TCPIP$FTP_CLIENT.EXE (VAX)
TCPIP$TELNET.EXE (AXP)
TCPIP$UCP.EXE
Please note that I'm NOT sure about this, i.e. there may be a workaround for
this workaround which I haven't thought of.
G.
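A command procedure that applies the ACL workaround G. describes to the images listed above. This is an added example, not part of G.'s post or of any HP kit. It assumes the images live in SYS$SYSTEM and that a rights identifier named TRUSTED (a hypothetical name) has already been created in the rights database and granted to the accounts that are allowed to run these tools.

```dcl
$! Added example (not from the original post): deny ordinary users access to
$! the privileged images named in the post, leaving only holders of the
$! TRUSTED identifier (hypothetical; create it with AUTHORIZE ADD/IDENTIFIER
$! and grant it with GRANT/IDENTIFIER before running this).
$! Assumption: all of the images live in SYS$SYSTEM.
$ SET NOON
$ images = "AUTHORIZE,INSTALL,NCP,SHWCLSTR,SYSMAN,TCPIP$FTP_CLIENT,TCPIP$TELNET,TCPIP$UCP"
$ i = 0
$ loop:
$   name = F$ELEMENT(i, ",", images)
$   IF name .EQS. "," THEN GOTO done
$   file = "SYS$SYSTEM:''name'.EXE"
$   IF F$SEARCH(file) .EQS. ""
$   THEN
$       WRITE SYS$OUTPUT "''file' not present on this system, skipping"
$   ELSE
$!      ACEs are matched first-to-last, so the grant must precede the deny.
$       SET SECURITY/ACL=((IDENTIFIER=TRUSTED,ACCESS=READ+EXECUTE),(IDENTIFIER=*,ACCESS=NONE)) 'file'
$       SHOW SECURITY 'file'
$   ENDIF
$   i = i + 1
$   GOTO loop
$ done:
$ EXIT
```

A few things to keep in mind: a denying ACE does not lock out the file's owner, processes in the system UIC category, or holders of BYPASS, so SYSTEM keeps access; the check that matters is to log in as an ordinary (non-TRUSTED) user afterwards and confirm that RUN SYS$SYSTEM:INSTALL fails with an access violation rather than starting. On VAX V5.x, which predates SET SECURITY, the equivalent commands are SET ACL/ACL=(...) and SHOW ACL. And, as G. says, this only narrows who can reach these images; it does not fix SMGSHR.EXE itself, so INSTALL LIST/FULL is worth running to find any other image installed with privileges that may belong on the list.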
At 7:55 AM +0100 8/22/08, Christine Caulfield wrote:
Zane H. Healy wrote:
By the way, Angela, you don't need to be running dnroute if your node
is an end-node (which it seems to be). In a situation where the rest of
it doesn't seem to be working properly it's only confusing the issue I
suspect :)
Chrissie,
Am I reading this to mean that it is possible to use a Linux box as a DECnet
Area Router? If so how hard is it to setup on Ubuntu? I haven't played
with Linux DECnet in close to a decade.
It should be fairly easy, though I haven't done it for ages!
Cool! I'll keep this in mind should I have further problems with keeping a VAX online. I've never really used the VAXstation 4000/60 that I replaced my VLC with last night. So far it's still up though. Unfortunately it appears the onboard NIC is bad on my /90.
Zane
--
| Zane H. Healy | UNIX Systems Administrator |
| healyzh at aracnet.com (primary) | OpenVMS Enthusiast |
| MONK::HEALYZH (DECnet) | Classic Computer Collector |
+----------------------------------+----------------------------+
| Empire of the Petal Throne and Traveller Role Playing, |
| PDP-10 Emulation and Zane's Computer Museum. |
| http://www.aracnet.com/~healyzh/ |
gerry77 at mail.com wrote:
On Fri, 22 Aug 2008 08:11:37 +0200, you wrote:
Well, I would keep LAT and Infoserver traffic separate. :-)
Somewhere into the future somebody will do that too :-)
One of us had just got a beautiful InfoServer 1000 in InfoTower configuration,
and we were longing to test it across the net, so we just added its ethertype
to the bridge and ran it. The change from [lat] to [lan] came later, when we
decided to release the update.
BTW, that bridge configuration section already controlled not only LAT but
also MOP Remote Console and Dump/Load, so we just added a protocol to the
circus and then felt that [lan] was a better choice to describe it.
Actually, the MOP Remote Console and Dump/Load is what a LAT server normally uses to boot and be managed. :-) (Unless it's one of those models that don't boot remote.)
That's why they are bundled in there.
Not much fun with a LAT terminal server if it can't boot.
Johnny
On Fri, 22 Aug 2008 08:11:37 +0200, you wrote:
Well, I would keep LAT and Infoserver traffic separate. :-)
Somewhere into the future somebody will do that too :-)
One of us had just got a beautiful InfoServer 1000 in InfoTower configuration,
and we were longing to test it across the net, so we just added its ethertype
to the bridge and ran it. The change from [lat] to [lan] came later, when we
decided to release the update.
BTW, that bridge configuration section already controlled not only LAT but
also MOP Remote Console and Dump/Load, so we just added a protocol to the
circus and then felt that [lan] was a better choice to describe it.
The perfect solution would have been (*) to have at least three different
sections like [lat], [mop] and [infoserver], but we were too lazy to do that
much work and delaying our InfoServer tests :P
G.
Sampsa Laine wrote:
On 22 Aug 2008, at 13:06, gerry77 at mail.com wrote:
BTW, our network is a lot smaller than HECnet and we ran without any router
for almost two years. In other words, one size does not fit all and YMMV. :-)
G.
Out of curiosity I looked at your node list on your webpage and you seem to have quite a few active hosts. It's a pity you used the same area number as us, it might be fun to link the two networks together at some point.
Definitely. So, why did you pick area numbers that were already used in HECnet? :-)
Johnny
On 22 Aug 2008, at 13:06, gerry77 at mail.com wrote:
BTW, our network is a lot smaller than HECnet and we ran without any router
for almost two years. In other words, one size does not fit all and YMMV. :-)
G.
Out of curiosity I looked at your node list on your webpage and you seem to have quite a few active hosts. It's a pity you used the same area number as us, it might be fun to link the two networks together at some point.
Sampsa
On Fri, 22 Aug 2008 08:11:37 +0200, you wrote:
Unfortunately you can't specify the timeouts that the DNS lookups should use. :-(
This is the main reason why I chose not to have that functionality in my code.
This reminds me that we had some circuit stability problems in the past, due
to network transients and probably also to abnormal DNS lookup delays which
stalled the bridge. For this, and to reduce overall idle network traffic, long
ago we decided to set DECnet hello timer and LAT keepalive delays up to 90
seconds replacing the 10 (15?) seconds default value. Since then our network
is a lot more stable, i.e. no more up'n'down in operator.log and drawbacks
caused by that change (like slower adjacency change detection and so on) are
far more acceptable than the original problem. :-)
BTW, our network is a lot smaller than HECnet and we ran without any router
for almost two years. In other words, one size does not fit all and YMMV. :-)
G.
John Wilson wrote:
From: gerry77 at mail.com
Also, name lookups can take time, and meanwhile the bridge is stopped. If someone has a seriously badly set up DNS, this could mean hanging the bridge for half a minute per such host (or more). It also increases the
Honestly I think we have overlooked that issue and never really considered it,
maybe because we never stumbled upon it. I wonder if it would be possible to
specify a very short timeout for DNS lookups while performed by the bridge...
... or spin off a thread and do the lookup there (the Right Way :-).
That would be the right way, yes. :-)
However, I don't really feel like rewriting it as a threaded application. If I did, then I think I'd get rid of the select code as well, and have one thread per link, or possibly two...
But I'm just not enough motivated. Right now, I'm more interested in doing some more hacking in RSX...
Speaking of which. Is there anyone who has the complete distribution of Modula-2 for RSX? I have a somewhat damaged distribution, but would like to get it complete.
Johnny
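The threaded lookup John Wilson suggests, as an added example; this is not code from Johnny's bridge, and the names dns_job, dns_start and dns_poll are illustrative rather than the bridge's own API. The select() loop starts a lookup, keeps forwarding frames, and polls for the answer later with a bounded wait, so a slow or unreachable DNS server for one peer cannot stall traffic for everybody else. Build with cc -pthread.

```c
/* Added example, not the bridge's own code: a name lookup on a worker thread
 * so the main select() loop never blocks on the resolver. The dns_job must
 * stay allocated until dns_poll() reports something other than DNS_PENDING,
 * because the detached worker writes its result into it. */
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>

enum dns_state { DNS_PENDING = 0, DNS_OK = 1, DNS_FAILED = 2 };

struct dns_job {
    char host[256];
    pthread_mutex_t lock;
    pthread_cond_t done;
    enum dns_state state;
    struct in_addr addr;   /* valid only when state == DNS_OK */
    int gai_error;         /* getaddrinfo() code when state == DNS_FAILED */
};

/* Worker thread: the only place that blocks on the resolver. */
static void *dns_worker(void *arg)
{
    struct dns_job *job = arg;
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;      /* bridge peers are IPv4 in this example */
    hints.ai_socktype = SOCK_DGRAM;
    int rc = getaddrinfo(job->host, NULL, &hints, &res);

    pthread_mutex_lock(&job->lock);
    if (rc == 0 && res != NULL) {
        job->addr = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
        job->state = DNS_OK;
    } else {
        job->gai_error = rc;
        job->state = DNS_FAILED;
    }
    pthread_cond_broadcast(&job->done);
    pthread_mutex_unlock(&job->lock);
    if (res != NULL)
        freeaddrinfo(res);
    return NULL;
}

/* Kick off a lookup without blocking the caller. Returns 0 on success. */
int dns_start(struct dns_job *job, const char *host)
{
    pthread_t tid;
    memset(job, 0, sizeof *job);
    snprintf(job->host, sizeof job->host, "%s", host);
    pthread_mutex_init(&job->lock, NULL);
    pthread_cond_init(&job->done, NULL);
    job->state = DNS_PENDING;
    if (pthread_create(&tid, NULL, dns_worker, job) != 0)
        return -1;
    pthread_detach(tid);
    return 0;
}

/* Wait at most wait_ms for the answer (0 = pure poll from the select loop).
 * DNS_PENDING means "still resolving": keep bridging and ask again later. */
enum dns_state dns_poll(struct dns_job *job, int wait_ms)
{
    struct timespec deadline;
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec  += wait_ms / 1000;
    deadline.tv_nsec += (long)(wait_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec++;
        deadline.tv_nsec -= 1000000000L;
    }
    pthread_mutex_lock(&job->lock);
    while (job->state == DNS_PENDING) {
        if (pthread_cond_timedwait(&job->done, &job->lock, &deadline) == ETIMEDOUT)
            break;
    }
    enum dns_state s = job->state;
    pthread_mutex_unlock(&job->lock);
    return s;
}

/* Dotted-quad text of a resolved address, for logging and checks. */
const char *dns_result_text(const struct dns_job *job, char *buf, size_t len)
{
    return inet_ntop(AF_INET, &job->addr, buf, len);
}
```

In a bridge, dns_start() would be called once per named peer when the config is read and dns_poll(job, 0) from the select() loop; a peer whose name never resolves simply stays down instead of freezing the whole bridge for the resolver's timeout, which is the denial-of-service angle behind the "half a minute per host" remark above.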
Zane H. Healy wrote:
By the way, Angela, you don't need to be running dnroute if your node
is an end-node (which it seems to be). In a situation where the rest of
it doesn't seem to be working properly it's only confusing the issue I
suspect :)
Chrissie,
Am I reading this to mean that it is possible to use a Linux box as a DECnet
Area Router? If so how hard is it to setup on Ubuntu? I haven't played
with Linux DECnet in close to a decade.
It should be fairly easy, though I haven't done it for ages!
If Ubuntu has the same startup scripts as Debian then it should be just
a case of enabling routing in /etc/defaults/decnet and starting the
dnroute daemon (which you can also specify in that file). dnroute will
listen for (and send) routing messages and set routes to the nodes it
finds. To use Linux as an area router you need to do a few more things
such as start dnroute with the '-2' switch and tell the kernel the
router level, e.g.:
echo "2" > /proc/sys/net/decnet/conf/eth0/forwarding
echo "2" > /proc/sys/net/decnet/conf/eth1/forwarding
echo "10" > /proc/sys/net/decnet/conf/eth0/priority
echo "10" > /proc/sys/net/decnet/conf/eth1/priority
The dnetinfo command will query the status of the routing daemon and
give you a display similar to the VMS SHOW NETWORK[/OLD] command.
/me makes a note to update the FAQ
Chrissie
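The area-router steps above as one script, added here as an example rather than taken from the DECnet FAQ or the dnet tools. It assumes the kernel exposes /proc/sys/net/decnet/conf/<iface>/forwarding and priority as Chrissie describes and that dnroute takes the '-2' switch she mentions; the DECNET_SYSCTL_ROOT override is an invention of this example so the writes can be rehearsed against a scratch directory before touching a live kernel.

```shell
#!/bin/sh
# Added example (not from the original message): make a Linux host with the
# DECnet stack a level-2 (area) router, following the steps in the post.
# Assumptions: forwarding/priority live under /proc/sys/net/decnet/conf/<if>
# as described, and dnroute accepts -2 as stated. DECNET_SYSCTL_ROOT is an
# override invented here for dry runs; leave it unset on a real router.

DECNET_SYSCTL_ROOT="${DECNET_SYSCTL_ROOT:-/proc/sys/net/decnet}"

# dn_set_router LEVEL PRIORITY IFACE... : set the routing level (1 = level-1
# router, 2 = area router) and router priority on each interface.
# Fails (non-zero) if an interface has no DECnet sysctl entry, which usually
# means the DECnet module is not loaded or the interface name is wrong.
dn_set_router() {
    level=$1; prio=$2; shift 2
    for ifc in "$@"; do
        dir="$DECNET_SYSCTL_ROOT/conf/$ifc"
        if [ ! -d "$dir" ]; then
            echo "no DECnet sysctl tree for $ifc under $dir" >&2
            return 1
        fi
        echo "$level" > "$dir/forwarding" || return 1
        echo "$prio"  > "$dir/priority"   || return 1
    done
    return 0
}

# dn_router_level IFACE : print the forwarding level currently set on IFACE,
# so the change can be checked before dnroute is started.
dn_router_level() {
    cat "$DECNET_SYSCTL_ROOT/conf/$1/forwarding"
}

# dn_start_dnroute LEVEL : start the routing daemon, with -2 for an area
# router as the post says. Refuses to run if dnroute is not installed.
dn_start_dnroute() {
    if ! command -v dnroute >/dev/null 2>&1; then
        echo "dnroute not found in PATH" >&2
        return 1
    fi
    if [ "$1" = 2 ]; then
        dnroute -2
    else
        dnroute
    fi
}

# Typical use, as root, for a two-interface area router:
#   dn_set_router 2 10 eth0 eth1 && dn_start_dnroute 2
```

Run it as root; a refusal from dn_set_router is the check to do first, since writing to a missing sysctl tree is the usual symptom of the DECnet module not being loaded. dnetinfo, as noted above, shows whether dnroute then sees its adjacencies.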
gerry77 at mail.com wrote:
On Thu, 21 Aug 2008 11:58:01 +0200, you wrote:
What about http://decnet.ipv7.net/files/decnet-bridge_0.7-4.tar.gz ? :-P
A few things should perhaps be pointed out. The config file is not compatible with my bridge program, so people who change need to be aware that they have to modify that.
... Or you (or someone else) could integrate into your original bridge some of
our changes when- where- and however you like. You granted us permission to
use your code as a starting point for our modifications, now you are obviously
entitled to do whatever you want with our code. Don't even think of asking. :-)
Well, I would keep LAT and Infoserver traffic separate. :-)
Also, name lookups can take time, and meanwhile the bridge is stopped. If someone has a seriously badly set up DNS, this could mean hanging the bridge for half a minute per such host (or more). It also increases the
Honestly I think we have overlooked that issue and never really considered it,
maybe because we never stumbled upon it. I wonder if it would be possible to
specify a very short timeout for DNS lookups while performed by the bridge...
Unfortunately you can't specify the timeouts that the DNS lookups should use. :-(
This is the main reason why I chose not to have that functionality in my code.
Johnny
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol