Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!decvax!tektronix!hplabs!sri-unix!RCONN@Simtel20.ARPA
From: RCONN@Simtel20.ARPA
Newsgroups: net.micro.cpm
Subject: RBBS/ZCPR2
Message-ID: <12218@sri-arpa.UUCP>
Date: Wed, 8-Aug-84 13:34:00 EDT
Article-I.D.: sri-arpa.12218
Posted: Wed Aug 8 13:34:00 1984
Date-Received: Fri, 10-Aug-84 08:12:58 EDT
Lines: 25

From: Richard Conn

Yes, I concur that with programs like SWEEP, security is basically lost
if you can get to them. ZCPR3 offers a distinct advantage in this arena
in that for secure systems with the DU form disabled, then the DIR form
has to be used. Each named directory has a password associated with it.
So if the user types ROOT:SWEEP, then if ROOT has a non-blank password,
the user is FORCED to provide a correct password before the system will
log him in. If he does not provide the correct password, the ROOT:
reference is changed (internally) to the current directory. The same is
true for commands like TYPE DIR:PASSFILE.TXT, since even for references
in the argument fields, the password protection holds under ZCPR3.

"Dangerous" commands should be placed into a named directory which is
not in the command search path. If you want even more security, have
the login sequence DISABLE the reference in the named directory to this
"secure" directory, so its NAME is not even available to the user. With
DU disabled and no NAME, a directory CANNOT be referenced unless a tool
like SWEEP which bypasses the protection system is used, and hopefully
the path protection with the named directory reference will stop that.

Rick
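
As an added illustration (not part of the original post, and not ZCPR3 code), here is a small Python model of the reference resolution the post describes. The directory table, passwords, function names, and the choice to send an unknown or disabled prefix to the current directory are assumptions made for the example.

```python
import re

# Constructed sample table: name -> (disk/user area, password).
# A blank password means no prompt. All values are invented.
NAMED_DIRS = {
    "ROOT": ("A15", "SESAME"),
    "WORK": ("B0", ""),
}

# Simplified DU form: drive letter plus user number, e.g. "A15".
DU_FORM = re.compile(r"^[A-P]\d{1,2}$")


def resolve(ref, current, named_dirs, du_enabled=False, password=None):
    """Return (area, filename) for a reference such as 'ROOT:SWEEP'.

    The same routine models command references and argument
    references (TYPE DIR:PASSFILE.TXT), since the post says the
    password check applies to both.
    """
    if ":" not in ref:
        return current, ref
    prefix, name = ref.split(":", 1)
    prefix = prefix.upper()
    if prefix in named_dirs:
        area, required = named_dirs[prefix]
        if required and password != required:
            # Wrong or missing password: the reference is changed
            # to the current directory, as the post states.
            return current, name
        return area, name
    if du_enabled and DU_FORM.match(prefix):
        return prefix, name
    # Assumption: a prefix that cannot be resolved (DU disabled,
    # or the name was removed) leaves the user where they are.
    return current, name


def hide_name(named_dirs, secret):
    """Model the login step that drops the secure directory's name."""
    return {k: v for k, v in named_dirs.items() if k != secret}
```
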