INFO-VAX	Sun, 01 Aug 2004	Volume 2004 : Issue 423

Contents:
Re: Bind a socket to a low port number without privilege
Re: Bind a socket to a low port number without privilege
Re: Bind a socket to a low port number without privilege
Re: End-Of-Support OpenVMS7.1-2
Re: Multinet on VMS 5.5 please HELP !
Q:security (DECNET)?
Re: Q:security (DECNET)?
Re: Q:security (DECNET)?
Which IP Networking Package?
Re: Which IP Networking Package?
Re: Which IP Networking Package?
[Announce] FreeVMS boots under bochs
Re: [Somewhat OT] What your non-OVMS machines run?

----------------------------------------------------------------------

Date: Sun, 01 Aug 2004 17:18:33 +0930
From: Mark Daniel <mark.daniel@vsm.com.au>
Subject: Re: Bind a socket to a low port number without privilege
Message-ID: <410ca063@duster.adelaide.on.net>

jf.pieronne@laposte.net wrote:
> I have successfully ported and run an anti-spam/anti-virus SMTP proxy
> server on VMS.
> But as the process needs to access port 25 (standard SMTP port), I need
> to grant to the process either SYSPRV, BYPASS, or OPER privilege.
>
> The program language is PERL, so I can't install the image with the
> necessary privilege.
>
> I will be more confident if I can run it without privilege.
>
> So, is it doable to grant the right to access a low port number (<1024)
> to a process which doesn't have any important privilege or a system UIC?
>
>
> Thanks for any help.
>
> Jean-François

If all else fails why not copy PERL.EXE to MY_EXE:MY_PERL.EXE, add some
ACL to control which account(s) can access it, and then INSTALL with the
required privileges.  Might need to do a similar thing with any shared
image (haven't tried this sort of thing).
All the wrapper procedure then needs to do is

  $ PERL == "$MY_EXE:MY_PERL.EXE"
  $ PERL blahblah.pl

OPER would be much safer than either BYPASS or SYSPRV for this.

I'm sure others in this forum will be able to identify any shortcomings
with this approach ;^)

------------------------------

Date: Sun, 01 Aug 2004 12:17:51 +0200
From: jf.pieronne@laposte.net
Subject: Re: Bind a socket to a low port number without privilege
Message-ID: <ceig0n$ouk$1@news-reader3.wanadoo.fr>

Mark Daniel wrote:
> jf.pieronne@laposte.net wrote:
>
>> I have successfully ported and run an anti-spam/anti-virus SMTP proxy
>> server on VMS.
>> But as the process needs to access port 25 (standard SMTP port), I need
>> to grant to the process either SYSPRV, BYPASS, or OPER privilege.
>>
>> The program language is PERL, so I can't install the image with the
>> necessary privilege.
>>
>> I will be more confident if I can run it without privilege.
>>
>> So, is it doable to grant the right to access a low port number
>> (<1024) to a process which doesn't have any important privilege or a
>> system UIC?
>>
>>
>> Thanks for any help.
>>
>> Jean-François
>
>
> If all else fails why not copy PERL.EXE to MY_EXE:MY_PERL.EXE, add some
> ACL to control which account(s) can access it, and then INSTALL with the
> required privileges.  Might need to do a similar thing with any shared
> image (haven't tried this sort of thing).  All the wrapper procedure
> then needs to do is
>
>   $ PERL == "$MY_EXE:MY_PERL.EXE"
>   $ PERL blahblah.pl
>
> OPER would be much safer than either BYPASS or SYSPRV for this.
>
> I'm sure others in this forum will be able to identify any shortcomings
> with this approach ;^)

Thanks Mark,

currently I have used OPER, set the account captive and set LGICMD to
SYS$MANAGER:LOGIN_ASSP.COM which finishes with
$ perl assp.pl "."
$ logout

So the process probably cannot escape the perl script but
I don't know if PERL code injection is doable, so installing a PERL
interpreter with privileges would probably not fully solve the problem.

JF

------------------------------

Date: Sun, 1 Aug 2004 10:56:12 +0000 (UTC)
From: Graham Burley <burley.not-this@encompasserve-or-this.org>
Subject: Re: Bind a socket to a low port number without privilege
Message-ID: <410CCC08.2B102DC2@encompasserve-or-this.org>

JF Mezei wrote:
>
> jf.pieronne@laposte.net wrote:
> > So, is it doable to grant the right to access a low port number (<1024) to a
> > process which doesn't have any important privilege or a system UIC?
>
> I initially was to suggest that by defining the service with TCPIP SET SERVICE
> that you could get away without privileges (since the application would be
> defined in the TCPIP database). That way, it could run some command procedure
> that then invoked perl and did what you wanted it to do.
>

I think you're right there, the service account doesn't need any special
privileges.
The TCPIP auxiliary server has the privs to bind the <1024
port, it passes the connected socket to the newly created service
process as SYS$NET.

Graham

------------------------------

Date: Sun, 01 Aug 2004 08:16:37 GMT
From: Nigel Barker <nigel@hp.com>
Subject: Re: End-Of-Support OpenVMS7.1-2
Message-ID: <5cnmg09646uqcfvp2jo898gq32nb34p96j@4ax.com>

On 30 Jul 2004 07:50:27 -0700, bob@instantwhip.com (Bob Ceculski) wrote:

>gerard.rokx@niixx.com (Gerard Rokx) wrote in message news:<9ea35c1a.0407292221.25d1593d@posting.google.com>...
>> One of our customers is running the following configuration:
>> - AlphaServer800
>> - OpenVMS 7.1-2
>>
>> What is the end-of-support date for these components?
>> What is the end-of-support date for OpenVMS 7.3?
>>
>>
>> Thanks,
>> Gerard
>
>we are still on 7.1-1H2 and get support ... it is on a
>best basis, but they do not have to move if they do not
>need to and still get support ...

This is a very important point that Bob makes. If you have a support contract
then you get support. If the version you are running is no longer officially
supported that doesn't mean that they put the phone down on you. Support is on a
best efforts basis but don't forget that with an older version if you encounter
a problem the more likely is that it has been seen before & a fix or workaround
is available.

--
Nigel Barker
Live from the sunny Cote d'Azur

------------------------------

Date: Sun, 01 Aug 2004 13:11:22 -0400
From: "Stanley F. Quayle" <squayle@insight.rr.com>
Subject: Re: Multinet on VMS 5.5 please HELP !
Message-ID: <410CEBFA.9477.FA39165@localhost>

> > I already have downloaded the 55 Mb archive.
> > I don't know how to transfer it to my virtual VAX/VMS ....
[...]
> If the host o.s. could access COM1 and VMS/SIMH access COM2, could
> kermit in each instance run over a null-modem serial cable between the
> two COM ports at 115200 baud?

That would be one choice.  If you're very patient.

You could burn it on a CD and mount the CD from the VAX environment.
There used to be an ISO 9660 reader for VMS back in V4.7 days.  Can't
find it on the net, tho...

You could install DECnet on a Linux system and send it that way:
   http://linux-decnet.sourceforge.net/

You could use the Poor Man device driver with a Linux system:
   http://linux-decnet.sourceforge.net/poormanseries.html

At one time, you could get a version of Pathworks for PC which would
speak DECnet.

Get a friendly person to convert it to a container file, and mount
that as another disk drive.  [Shameless Plug (tm) Alert]  Your
friendly CHARON-VAX reseller could do that...

--Stan Quayle
Quayle Consulting Inc.

----------
Stanley F. Quayle, P.E. N8SQ  +1 614-868-1363
8572 North Spring Ct., Pickerington, OH  43147  USA
stan-at-stanq-dot-com       http://www.stanq.com

------------------------------

Date: Sun, 1 Aug 2004 11:54:18 +0200
From: "hrvoje" <ulysses@kset.org>
Subject: Q:security (DECNET)?
Message-ID: <ceiek6$8l9$1@ls219.htnet.hr>

Hello,

sorry but I'm newbie :)

one friend works for company which uses DECNET with DDCMP and is trying to
persuade me that no additional data encryption is necessary because he uses
some inherent protection in these two protocols?

Is data encrypted by default in this protocol combination?

how hard would it be to sniff the network?

thnx in advance

------------------------------

Date: Sun, 01 Aug 2004 13:58:27 GMT
From: Antonio Carlini <arcarlini@iee.org>
Subject: Re: Q:security (DECNET)?
Message-ID: <410CE8DA.1040809@iee.org>

> Is data encrypted by default in this protocol combination?

No

> how hard would it be to sniff the network?

Trivial, if you can intercept the traffic.

They may have some underlying encryption on the physical
medium, though.
There was hardware available from DEC (and
probably third parties) that could do this.

Antonio

------------------------------

Date: 1 Aug 2004 09:08:46 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: Q:security (DECNET)?
Message-ID: <Ed$H$nlkHx13@eisner.encompasserve.org>

In article <ceiek6$8l9$1@ls219.htnet.hr>, "hrvoje" <ulysses@kset.org> writes:

> one friend works for company which uses DECNET with DDCMP and is trying to
> persuade me that no additional data encryption is necessary because he uses
> some inherent protection in these two protocols?
>
>
>
> Is data encrypted by default in this protocol combination?

No, but there is additional authentication security - a password sent in
the clear can be required.

> how hard would it be to sniff the network?

DDCMP is not a "network", it is a point-to-point link.  So the skills
needed to sniff the connection are largely hardware related (including
obtaining physical access to the circuit).

------------------------------

Date: 1 Aug 2004 00:40:23 -0700
From: johnhreinhardt@yahoo.com (John Reinhardt)
Subject: Which IP Networking Package?
Message-ID: <5d708ac7.0407312340.1db8849@posting.google.com>

If you could pick any of the following 3 IP networking packages for
your home VMS (Alpha) system(s), which would you choose and why?  The
choices are HP TCP/IP, Process TCPware and Process Multinet.  If you
were going to expose your system to the internet as a Web/Mail/List
server would that change your choice?

------------------------------

Date: 1 Aug 2004 06:45:03 -0700
From: bob@instantwhip.com (Bob Ceculski)
Subject: Re: Which IP Networking Package?
Message-ID: <d7791aa1.0408010545.128f9636@posting.google.com>

johnhreinhardt@yahoo.com (John Reinhardt) wrote in message news:<5d708ac7.0407312340.1db8849@posting.google.com>...
> If you could pick any of the following 3 IP networking packages for
> your home VMS (Alpha) system(s), which would you choose and why?  The
> choices are HP TCP/IP, Process TCPware and Process Multinet.  If you
> were going to expose your system to the internet as a Web/Mail/List
> server would that change your choice?

TCPware hands down ... we tested all three against each
other with purveyor and TCPware was the clear winner for
response time ... also it is the only IP stack for VMS
that is based on the VMS kernel ... it has all the features
multinet has, plus has Decnet Phase IV over IP which the
others don't ...

------------------------------

Date: 01 Aug 2004 07:50:12 -0700
From: Javier Henderson <javier@KJSL.COM>
Subject: Re: Which IP Networking Package?
Message-ID: <86d62a6hgb.fsf@skylane.kjsl.com>

bob@instantwhip.com (Bob Ceculski) writes:

> johnhreinhardt@yahoo.com (John Reinhardt) wrote in message news:<5d708ac7.0407312340.1db8849@posting.google.com>...
> > If you could pick any of the following 3 IP networking packages for
> > your home VMS (Alpha) system(s), which would you choose and why?  The
> > choices are HP TCP/IP, Process TCPware and Process Multinet.  If you
> > were going to expose your system to the internet as a Web/Mail/List
> > server would that change your choice?
>
> TCPware hands down ... we tested all three against each
> other with purveyor and TCPware was the clear winner for
> response time ... also it is the only IP stack for VMS
> that is based on the VMS kernel ... it has all the features
> multinet has, plus has Decnet Phase IV over IP which the
> others don't ...

Huh? MultiNet most certainly has DECnet over IP, plus it has its own
IP instead of DECnet, where it looks like DECnet to the applications
but it uses IP as the underlying transport. This is good over
slow/latent/lossy links.

-jav

------------------------------

Date: Sun, 1 Aug 2004 12:30:54 +0000 (UTC)
From: JKB <knatschke@chezmoi.com>
Subject: [Announce] FreeVMS boots under bochs
Message-ID: <slrncgpoju.bgk.knatschke@grossebaf.systella.fr>

	Hello,

	Now, FreeVMS (0.0.54) is able to boot under Bochs (an i386
	emulator). You can find a disk image at
	http://www.systella.fr/~bertrand/FreeVMS (10 Mbytes).

	Regards,

	JKB

------------------------------

Date: Sun, 1 Aug 2004 09:44:43 +0000 (UTC)
From: JKB <knatschke@chezmoi.com>
Subject: Re: [Somewhat OT] What your non-OVMS machines run?
Message-ID: <slrncgpesb.bgk.knatschke@grossebaf.systella.fr>

On 01-08-2004, regarding
Re: [Somewhat OT] What your non-OVMS machines run?,
Alex van Denzel wrote in comp.os.vms:
> Undisclosed wrote:
>
>> personal ones or ones you administer for non-work purposes, of course,
>> since it would be a little cheesy to ask about work machines.
>
> Uhm,
>
> HP9000's with NextStep and HP-UX
> VAXen (micro- and -station) with OpenVMS and NetBSD
> Alpha's with OpenVMS, NetBSD and Windows NT4
> SGI with IRIX
> Sun (Sparcs) with SunOS/Solaris and NetBSD
> IBM RS/6000 with AIX
> IBM PC Server with OS/2
> PeeCees with NetBSD, Windows 98SE
> Some 16- and 8-bitters with whatever their proms offer
>
> Or is this just boasting?
>
> Alex.
>
> PS, at work I 'just' have a WinXP and a Debian/GNU Linux box.

	PC's :  K6-III/400 running Linux 2.6, PII/333 trying to run FreeVMS
	(http://ww.systella.fr/~bertrand/FreeVMS/indexGB.html
	today, I have trouble with [vms$common.sysexe]loginout when kernel
	is booting...);

	PWS500 running Tru64;

	Some sparc32 running Linux Debian...

	Regards,

	JKB

------------------------------

End of INFO-VAX 2004.423
************************