I'm not sure there is a security risk if your system is setup correctly. Your "object code" needs to be secured so that root only can update.
When you run a program isn't it the sbcs (Shared Basic Code Server) that updates the run counter? And sbcs would have permissions. Can someone on the list do a test? 1. Create a test program like PRINT "Hello World!" 2. Secure the run-time code so that root only has update permissions i.e. rw-r--r-- 3. Login as a non root user 4. Run Program 5. Report the results back to the list Thank you, David A. Green DAG Consulting (480) 813-1725 www.dagconsulting.com It is a security hole, well-known and by design. > From: john reid > I notice that an ls -lt in the u1 /uv /catdir directory indicates that > the *PROGRAM.NAME is updated apparently each time an execution > happens, at least that is what it looks like to me. Anyone know if or > why that is happening? Every time a globally catalogued program is executed, a counter is incremented. Run MAKE.MAP.FILE then look at the REF attribute <3> in &MAP& to see the counter. A simple "MAP" command displays it. This means that catdir files are writeable by all and a sneaky programmer can slip a nasty version of a program into catdir. I do not understand why Universe insists on keeping that counter buried in the object file. Why not just use a simple companion "catdir-ref" file or dir for the counter? It sounds more efficient, too. ------- u2-users mailing list [email protected] To unsubscribe please visit http://listserver.u2ug.org/
