HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

OpenVMS / Buffer Overflow

 
SOLVED
Go to solution
Mahmoud_1
Frequent Advisor

OpenVMS / Buffer Overflow

Dear All,
One of my customers sent me this question:
In UNIX systems there are a known problem (Buffer Overflow) which is any one can access the system with username ROOT by typing extra letters or commands after root while issuing the username so he can login to the system without password (Buffer Overflow).
So he wants to know if this problem exist in OpenVMS (The secure operating system)
Its urgent for this customer.
Regards
4 REPLIES
Jan van den Ende
Honored Contributor

Re: OpenVMS / Buffer Overflow

Mahmoud,

the short answer: NO that does not exist.

If you still do need a longer answer, which would include the technical explanation WHY that CANNOT exist in VMS, then please tell us tou want that as well.

hth.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Mahmoud_1
Frequent Advisor

Re: OpenVMS / Buffer Overflow

Dear Sir.
Thanks for quick answer, and if possible let me know the long answer, Because my customer want details about this issue.
Best Regards
Jan van den Ende
Honored Contributor
Solution

Re: OpenVMS / Buffer Overflow

Mahmoud,

since you specifically mention the comparison with Unix, I looked up a discussion about that.

You can find the whole discussion on

http://groups.google.com/group/comp.os.vms/browse_frm/thread/e966d70b45d82085/69223e108e9909ad?q=keith+cayemberg+%26+design&rnum=1#69223e108e9909ad

but I took out the relevant part and appended that.

You will note that this particular text is written by an _IBM_ engeneer, so it should be considered to carry some more weight than if it were by "just another VMS" proponent.

(Keith: I know you will not grudge me quoting you. Thanks anyway)

hth.

Proost.

Have one on me.

jpe

Proost.


Don't rust yours pelled jacker to fine doll missed aches.
Hein van den Heuvel
Honored Contributor

Re: OpenVMS / Buffer Overflow



>>> In UNIX systems there are a known problem (Buffer Overflow) which is any one can access the system with username ROOT by typing extra letters or commands after root while issuing the username so he can login to the system without password (Buffer Overflow).

I seriously question that statement.
It looks like someone heard some security things some where at some times and pasted them all together into an English sounding sentence, but it is total nonsense IMHO.

I urge you to validate the statement before going on a wild goose chase.

I do not believe for one moment that there is a sinlge, more or less up to date, Unix implementation where you can still become root by just typing a bad username.
- Sure this may have happened to _some_ Unix at _some_ point in the past ( more than 10 year back?)
- not all Unixes are created equal(ly bad).
- Sure, buffer overflow can and have happened in Unix implementations leading to security risks... But even more so on Windows and also on VMS but much less so (and then notably in the Unixy components like web and tcp tools :-)
- Those Overflow problems tend to be MUCH more contrived than just typing in a funky username.

I'm with Jan that such problems are much less likely to happen under VMS due to the codign pratices deployed by VMS engineering, and application engineers alike:
- string descriptors
- multiple security levels
- extensive runtime library packages
- object protection (acl)
- open-nes: no "security though obscurity"
- QIO/RMS IO buffers layers

Good luck!
Hein.