I was gonna bring it up here but considering the reception I got on c.o.v. I couldn't be bothered...
Sampsa
On 22 Aug 2008, at 16:54, gerry77 at mail.com wrote:
I suppose you all have read about the VMS security bug that is being discussed
since about a week on comp.os.vms. Anyway, having read nothing about it here,
I thought it useful to warn all the system administrators who read this mailing
list and who have VMS nodes with guest access on HECnet and/or Internet
about potential security threats to which their systems are exposed.
All VMS versions (VAX since V5.x, AXP and I64 since their beginning) are
exposed to a local exploit that allows any unprivileged user to gain almost
any privilege! The problem lies in SYS$SHARE:SMGSHR.EXE which is used for CLI
processing in many system utilities installed with high privileges (i.e.
INSTALL.EXE, SYSMAN.EXE, SHWCLSTR.EXE, etc.).
HP has just released mandatory patches for some versions while others, notably
all the VAX and older Alpha ones, are still exposed. Look for kits named like
VMSxxx_SMGRTL-V0100 in ftp://ftp.itrc.hp.com/openvms_patches
A partial solution for those systems for which there isn't a patch appears to
be an ACL to deny access to some utilities by non-trusted users. The list that
follows contains the names of those images that I think most dangerous, but I
will be "happy" to add more names if you discover them:
AUTHORIZE.EXE
INSTALL.EXE
NCP.EXE
SHWCLSTR.EXE
SYSMAN.EXE
TCPIP$FTP_CLIENT.EXE (VAX)
TCPIP$TELNET.EXE (AXP)
TCPIP$UCP.EXE
Please note that I'm NOT sure about this, i.e. there may be a workaround for
this workaround which I haven't thought of.
G.
Paul Koning wrote:
"Johnny" == Johnny Billquist <bqt at softjar.se> writes:
Johnny> Hmm. As far as I know, HECnet have never made use of any
Johnny> homemade hardware. However, the first links I used, were over
Johnny> serial ports talking DDCMP, that I tunneled. I could still do
Johnny> that, if needed. It's even simpler than bridging
Johnny> ethernet. The only "problem" is that asynch serial DECnet
Johnny> doesn't go any faster than 9600 bps. At least under RSX.
Johnny> Another problem is that as far as I can tell, only RSX and
Johnny> VMS support that.
RSTS does too (for sufficiently recent versions, like V10 or so) --
though the NCP bits don't seem to be there. But there's a driver and
it can be told to turn on if you issue the DECnet control syscalls
directly.
Aha. I think I looked at RSTS/E DECnet SPD only, and didn't find any mention of it, back when I was playing with that.
Or perhaps I got the information from somewhere else. Can't remember for certain right now.
I wonder why you can't set it from NCP though? Weird if they have the functionality, but no "normal" way of enabling it.
On a Pro it even works in synchronous mode (because there the "UART"
is actually a USART).
I don't think you can set it to synch mode in DECnet, though, so that is more of a theoretical thing.
But yes, RSX supports both synch and asynch mode.
Johnny
"Johnny" == Johnny Billquist <bqt at softjar.se> writes:
Johnny> Hmm. As far as I know, HECnet have never made use of any
Johnny> homemade hardware. However, the first links I used, were over
Johnny> serial ports talking DDCMP, that I tunneled. I could still do
Johnny> that, if needed. It's even simpler than bridging
Johnny> ethernet. The only "problem" is that asynch serial DECnet
Johnny> doesn't go any faster than 9600 bps. At least under RSX.
Johnny> Another problem is that as far as I can tell, only RSX and
Johnny> VMS support that.
RSTS does too (for sufficiently recent versions, like V10 or so) --
though the NCP bits don't seem to be there. But there's a driver and
it can be told to turn on if you issue the DECnet control syscalls
directly.
On a Pro it even works in synchronous mode (because there the "UART"
is actually a USART).
paul
gerry77 at mail.com wrote:
On Fri, 22 Aug 2008 15:04:57 +0200, you wrote:
Definitely. So, why did you pick area numbers that were already used in HECnet? :-)
We started as a group of people with some DEC hardware, not ever thinking that
some day we would have a working DECnet. Many systems didn't have DECnet loaded and
others had addresses like 1.1, 1.2, and so on just to play with some local
link. Johnny's bridge didn't exist and we didn't know anything about Multinet.
I think a lot of places have used area 1 at one time or another... So an area change is sometimes needed. No way of avoiding that. :-)
When we first heard about HECnet it was running with some homemade hardware
and there was Magica online! :-) We were not able to do that and stopped.
Hmm. As far as I know, HECnet has never made use of any homemade hardware. However, the first links I used were over serial ports talking DDCMP, that I tunneled. I could still do that, if needed. It's even simpler than bridging ethernet. The only "problem" is that asynch serial DECnet doesn't go any faster than 9600 bps. At least under RSX.
Another problem is that as far as I can tell, only RSX and VMS support that.
Anyway, at that point it should have been obvious that you had a node number clash if you ever wanted to connect to HECnet. :-)
The addressing scheme was enforced but not changed and we ended up with the
actual setup. Once we thought about changing our area number from 1 to 39
(because +39 is the international dialling prefix for Italy), but we didn't
need such a change so it's still only an almost forgotten idea. :-)
It would definitely be great if you were to do the number change, and then connect to the rest of us. That should be pretty easy, and shouldn't have to take that much time.
Johnny
On Fri, 22 Aug 2008 15:04:57 +0200, you wrote:
Definitely. So, why did you pick area numbers that were already used in
HECnet? :-)
We started as a group of people with some DEC hardware, not ever thinking that
some day we would have a working DECnet. Many systems didn't have DECnet loaded and
others had addresses like 1.1, 1.2, and so on just to play with some local
link. Johnny's bridge didn't exist and we didn't know anything about Multinet.
When we first heard about HECnet it was running with some homemade hardware
and there was Magica online! :-) We were not able to do that and stopped.
Some years later we tested Multinet and TCPware tunnels, but our ADSL (and
ISDN) dynamic IP address links proved to be very troublesome. We didn't have enough
bandwidth to create a central site for a star topology network and mesh
networks with Multinet were not feasible, so we stopped again. Anyway, with
Multinet we started to (very) loosely coordinate addresses among us.
Years later (autumn 2006) we started for the third time to think about a true
DECnet and we tried again either Multinet tunnels or DECnet Plus, and finally
discovered that HECnet had grown and there was Johnny's bridge available...
The addressing scheme was enforced but not changed and we ended up with the
actual setup. Once we thought about changing our area number from 1 to 39
(because +39 is the international dialling prefix for Italy), but we didn't
need such a change so it's still only an almost forgotten idea. :-)
G.
I suppose you all have read about the VMS security bug that is being discussed
since about a week on comp.os.vms. Anyway, having read nothing about it here,
I thought it useful to warn all the system administrators who read this mailing
list and who have VMS nodes with guest access on HECnet and/or Internet
about potential security threats to which their systems are exposed.
All VMS versions (VAX since V5.x, AXP and I64 since their beginning) are
exposed to a local exploit that allows any unprivileged user to gain almost
any privilege! The problem lies in SYS$SHARE:SMGSHR.EXE which is used for CLI
processing in many system utilities installed with high privileges (i.e.
INSTALL.EXE, SYSMAN.EXE, SHWCLSTR.EXE, etc.).
HP has just released mandatory patches for some versions while others, notably
all the VAX and older Alpha ones, are still exposed. Look for kits named like
VMSxxx_SMGRTL-V0100 in ftp://ftp.itrc.hp.com/openvms_patches
A partial solution for those systems for which there isn't a patch appears to
be an ACL to deny access to some utilities by non-trusted users. The list that
follows contains the names of those images that I think most dangerous, but I
will be "happy" to add more names if you discover them:
AUTHORIZE.EXE
INSTALL.EXE
NCP.EXE
SHWCLSTR.EXE
SYSMAN.EXE
TCPIP$FTP_CLIENT.EXE (VAX)
TCPIP$TELNET.EXE (AXP)
TCPIP$UCP.EXE
Please note that I'm NOT sure about this, i.e. there may be a workaround for
this workaround which I haven't thought of.
G.
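The ACL workaround described above, written out as an added DCL example (this is not code from gerry77's message or from HP): it grants a rights identifier named TRUSTED_OPS (a name assumed here) READ+EXECUTE access to a few of the listed images and then denies everyone else with a wildcard UIC entry. ACEs are evaluated in order and the first match wins, so the grant must come before the deny. The image location SYS$SYSTEM is assumed for the core utilities; the TCPIP$ images live wherever the TCP/IP Services kit installed them and are left out.

```dcl
$! Added example, not part of the original message.
$! Purpose: keep untrusted (unprivileged) users from activating a few
$! privileged images until a SMGRTL patch is available for this system.
$ SET NOON
$!
$! Create the identifier once and grant it to the accounts that should
$! keep access (SYSTEM shown; add your operators the same way).
$ MCR AUTHORIZE ADD/IDENTIFIER TRUSTED_OPS
$ MCR AUTHORIZE GRANT/IDENTIFIER TRUSTED_OPS SYSTEM
$!
$! Images from the list above that live in SYS$SYSTEM (assumed path).
$ images = "AUTHORIZE,INSTALL,NCP,SHWCLSTR,SYSMAN"
$ i = 0
$ LOOP:
$   image = F$ELEMENT(i, ",", images)
$!  F$ELEMENT returns the delimiter itself once the list is exhausted.
$   IF image .EQS. "," THEN GOTO DONE
$!  First ACE grants the trusted identifier, second ACE denies all
$!  other UICs. Order matters: the first matching ACE decides.
$   SET SECURITY/ACL=((IDENTIFIER=TRUSTED_OPS,ACCESS=READ+EXECUTE), -
                      (IDENTIFIER=[*,*],ACCESS=NONE)) SYS$SYSTEM:'image'.EXE
$!  Verify: both ACEs should now be listed for the image.
$   SHOW SECURITY SYS$SYSTEM:'image'.EXE
$   i = i + 1
$   GOTO LOOP
$ DONE:
$ EXIT
```

Two things worth knowing before relying on this: OpenVMS still grants access to holders of SYSPRV or BYPASS even when an ACL denies them, so fully privileged accounts are unaffected (which is the intent here), and on VAX/VMS releases that predate the SET SECURITY command the same ACE list goes on SET ACL/ACL= instead. Once the vendor patch is installed the entries can be removed with SET SECURITY/ACL=(...)/DELETE on each image.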
At 7:55 AM +0100 8/22/08, Christine Caulfield wrote:
Zane H. Healy wrote:
By the way, Angela, you don't need to be running dnroute if your node
is an end-node (which it seems to be). In a situation where the rest of
it doesn't seem to be working properly it's only confusing the issue I
suspect :)
Chrissie,
Am I reading this to mean that it is possible to use a Linux box as a DECnet
Area Router? If so how hard is it to set up on Ubuntu? I haven't played
with Linux DECnet in close to a decade.
It should be fairly easy, though I haven't done it for ages!
Cool! I'll keep this in mind should I have further problems with keeping a VAX online. I've never really used the VAXstation 4000/60 that I replaced my VLC with last night. So far it's still up though. Unfortunately it appears the onboard NIC is bad on my /90.
Zane
--
| Zane H. Healy | UNIX Systems Administrator |
| healyzh at aracnet.com (primary) | OpenVMS Enthusiast |
| MONK::HEALYZH (DECnet) | Classic Computer Collector |
+----------------------------------+----------------------------+
| Empire of the Petal Throne and Traveller Role Playing, |
| PDP-10 Emulation and Zane's Computer Museum. |
| http://www.aracnet.com/~healyzh/ |
gerry77 at mail.com wrote:
On Fri, 22 Aug 2008 08:11:37 +0200, you wrote:
Well, I would keep LAT and Infoserver traffic separate. :-)
Somewhere into the future somebody will do that too :-) One of us had just got a beautiful InfoServer 1000 in InfoTower configuration,
and we were longing to test it across the net, so we just added its ethertype
to the bridge and ran it. The change from [lat] to [lan] came later, when we
decided to release the update.
BTW, that bridge configuration section already controlled not only LAT but
also MOP Remote Console and Dump/Load, so we just added a protocol to the
circus and then felt that [lan] was a better choice to describe it.
Actually, the MOP Remote Console and Dump/Load is what a LAT server normally uses to boot and be managed. :-) (Unless it's one of those models that don't boot remote.)
That's why they are bundled in there.
Not much fun with a LAT terminal server if it can't boot.
Johnny
On Fri, 22 Aug 2008 08:11:37 +0200, you wrote:
Well, I would keep LAT and Infoserver traffic separate. :-)
Somewhere into the future somebody will do that too :-)
One of us had just got a beautiful InfoServer 1000 in InfoTower configuration,
and we were longing to test it across the net, so we just added its ethertype
to the bridge and ran it. The change from [lat] to [lan] came later, when we
decided to release the update.
BTW, that bridge configuration section already controlled not only LAT but
also MOP Remote Console and Dump/Load, so we just added a protocol to the
circus and then felt that [lan] was a better choice to describe it.
The perfect solution would have been (*) to have at least three different
sections like [lat], [mop] and [infoserver], but we were too lazy to do that
much work and delaying our InfoServer tests :P
G.
Sampsa Laine wrote:
On 22 Aug 2008, at 13:06, gerry77 at mail.com wrote:
BTW, our network is a lot smaller than HECnet and we ran without any router
for almost two years. In other words, one size does not fit all and YMMV. :-)
G.
Out of curiosity I looked at your node list on your webpage and you seem to have quite a few active hosts. It's a pity you used the same area number as us, it might be fun to link the two networks together at some point.
Definitely. So, why did you pick area numbers that were already used in HECnet? :-)
Johnny