Operating System - OpenVMS
 
David Jones_21
Trusted Contributor

Why is the telnet client installed with OPER privilege?

What operations would a telnet client do that require OPER privilege? Does it have to do with the reverse telnet capability?
I'm looking for marbles all day long.
John Gillings
Honored Contributor

Re: Why is the telnet client installed with OPER privilege?

David,

Simple answer "because". The definitive answer will be in the sources, but if you don't have a copy, you may be able to get some idea by enabling privilege auditing for OPER success (beware voluminous output). Another option would be to enable privilege auditing for OPER failure, then remove the privilege from the installed image and try running it.

Is this idle curiosity, or has an auditor seen it and assumed it's a hole that needs plugging?

(I agree OPER is a curious privilege to give the telnet client, but if that's the way it comes out of the box, why waste your time trying to work out why?)

A crucible of informative mistakes
Wim Van den Wyngaert
Honored Contributor

Re: Why is the telnet client installed with OPER privilege?

I installed it without priv and the normal telnet still works with an unprived user.
Maybe the command after a telnet without options requires it?

I thought that maybe it was for giving OPER messages. So I enabled them. Worked without the priv. So that's not it.

fwiw

Wim

Wim
Wim Van den Wyngaert
Honored Contributor

Re: Why is the telnet client installed with OPER privilege?

BTW: there were no file access failures (enabled that in audit).

Wim
Wim
David Jones_21
Trusted Contributor

Re: Why is the telnet client installed with OPER privilege?

The reason I ask is because the tcpip$telnet popped up when I scanned my system for images with privileges that have SMGSHR in their shareable image list. Until the SMGSHR image gets patched, I'm denying user access to such programs that are subject to its buffer overflow vulnerability (use SMG$READ_COMPOSED_LINE). The telnet client is a program that users would be expected to run, and uninstalling the image if possible would be a preferred mitigation. (OTOH, everyone should be using SSH rather than telnet anyway).
I'm looking for marbles all day long.
Wim Van den Wyngaert
Honored Contributor

Re: Why is the telnet client installed with OPER privilege?

I noticed that long ago telnet was not installed with priv. Maybe it has something to do with the Kerberos stuff that was added (of which I know nothing).

Wim
Wim
Hein van den Heuvel
Honored Contributor

Re: Why is the telnet client installed with OPER privilege?

David,

I assume you noticed in the C.O.V discussion that I created a patch for the Alpha 8.3 version of SMGSHR?!
Just use that while HP works on the real thing?

(If there are discrepancies with the version you use, then for mere money I'll create a similar patch for that. Just point me to an FTP site. :-)

Btw... 1
Andy G sent some of us an Email yesterday indicating an official patch has been made a while back and will be made available on ITRC 'real soon now'.

Btw... 2
It was kinda fun to create a binary patch for an Alpha image. Luckily I found some bogus code which I could hijack for the solution.

Cheers,
Hein van den Heuvel
HvdH Performance Consulting