As a 'security risk', has IBM explicitly been asked to fix this item and said they'd prefer just to leave a gaping hole? Or is it like many things, everyone knows it, but everyone thinks someone else has followed up on it, and it must just be 'the way it must be'... Remember, IBM does not monitor this list for bugs to fix... At least, I'm not expecting them to!
IBM seems to respond to TechConnect issues -- Log it!

------------

It is a security hole, well-known and by design.

> From: john reid
> I notice that an ls -lt in the u1 /uv /catdir directory indicates that
> the *PROGRAM.NAME is updated apparently each time an execution
> happens, at least that is what it looks like to me. Anyone know if or
> why that is happening?

Every time a globally catalogued program is executed, a counter is incremented. Run MAKE.MAP.FILE then look at the REF attribute <3> in &MAP& to see the counter. A simple "MAP" command displays it.

This means that catdir files are writeable by all and a sneaky programmer can slip a nasty version of a program into catdir.

I do not understand why Universe insists on keeping that counter buried in the object file. Why not just use a simple companion "catdir-ref" file or dir for the counter? It sounds more efficient, too.

-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
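
An added example, not part of the original thread: a permission audit for the exposure described above, listing catalog objects that any local user can overwrite and flagging a directory whose entries any user can replace. The function names are hypothetical and the catalog directory path is site-specific, so it is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a UniVerse global
# catalog directory for objects any local user could overwrite or replace.
# The directory path is site-specific and passed as an argument (assumption).

# List regular files with the "other write" bit set, one path per line.
world_writable_files() {
    find "$1" -type f -perm -0002 -print | sort
}

# Succeeds when the directory itself is world-writable without the sticky
# bit, which lets any user rename or replace entries regardless of file modes.
dir_replaceable() {
    [ -n "$(find "$1" -prune -type d -perm -0002 ! -perm -1000 -print)" ]
}

# Print findings; return 0 when clean, 1 when anything is exposed.
catdir_report() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    rc=0
    files=$(world_writable_files "$dir")
    if [ -n "$files" ]; then
        echo "world-writable catalog objects:"
        echo "$files" | while IFS= read -r f; do ls -ld "$f"; done
        rc=1
    fi
    if dir_replaceable "$dir"; then
        echo "directory allows entry replacement by any user: $dir"
        rc=1
    fi
    return "$rc"
}

# Run as: sh audit_catdir.sh <catalog-directory>
[ "$#" -eq 0 ] || catdir_report "$1"
```

Because the thread says the reference counter is written into the object file on every execution, content hashes and modification times of these files change in normal use, which is why this audit checks permissions rather than file contents.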