I think you have the answer. Someone would have to gain access to your system, and having done so, what would be the point of "sabotaging" something within UniVerse to do something malicious? They already have access to your system. If it's someone internal, then I would imagine your hiring practices should be reviewed. Having said that, this would be a relatively easy fix to the code that reads/updates the catdir entry, though in doing so you would lose access to that information via MAP.
______________________________________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of "Stevenson, Charles" <[EMAIL PROTECTED]>
Sent: Friday, December 16, 2005 10:47 AM
To: <u2-users@listserver.u2ug.org>
Subject: RE: [U2] global catdir question - security hole

> David Wolverton
> As a 'security risk', has IBM explicitly been asked to fix
> this item and said they'd prefer just to leave a gaping hole?
> Or is it like many things, everyone knows it, but everyone
> thinks someone else has followed up on it, and it must just
> be 'the way it must be'... Remember, IBM does not monitor
> this list for bugs to fix... At least, I'm not expecting them to!
>
> IBM seems to respond to TechConnect issues -- Log it!

I first _formally_ reported it in 1996, although I can't prove that at this point. I think there was a GTAR. I have also had personal conversations about it with several Vmark/Ardent/Informix/IBM people who were in a position to care or take action. I remember asking about it in a question/answer panel during the Ft. Lauderdale, 1998 national conference. So it has been a conscious decision to leave it as is for about a decade. (When was UV first implemented on NT? I do not remember how catdir's REF counter is implemented there.)

I cannot imagine I am the only one who has ever complained. It is a glaring hole that everyone sees when they do the "ls -lt uv/catdir" that John Reid mentioned at the top of this thread. Or everyone who wondered how the &MAP&'s REF counter was incremented.

I have not vigorously pursued it because those paying my bills, whose DBs I would be protecting, have not cared enough. I don't think the majority of companies worry about malicious attacks (from their own staff or contractors). Even SJ+'s PRC, the premier U2 software control tool, does not prevent malicious attempts to circumvent it.
My own UV/RCS-based SCM effort tightens things down pretty well, but I haven't figured out how to protect catdir. I can only log changes to it. I'll take it to U2UG's Enhancement committee.

cds
-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
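The only mitigation the thread arrives at, short of a product fix, is to log changes to catdir, the same thing the "ls -lt uv/catdir" check does by hand. The script below is an added example written for this page; it is not code from the list, from UniVerse or from SJ+'s PRC. It assumes uv/catdir is a plain directory with one file per global catalog entry (the layout the ls check relies on), snapshots each entry's permission bits, owner and content hash, and then reports anything that was added, removed, changed, or is writable by everyone. The catdir_demo function builds a throwaway directory with constructed sample entries (not real object code) so it runs offline.

```shell
#!/bin/sh
# catdir_audit.sh: added example for this thread (not UniVerse's or PRC's code).
# Snapshot a catdir directory and report changes against a saved baseline.
# Assumes: one file per cataloged program under uv/catdir; POSIX sh.

# Hash a file with the strongest tool present (sha256sum, then shasum, then cksum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Octal permission bits and owner of a file (GNU stat first, then BSD stat).
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# catdir_snapshot DIR: one sorted line per entry, "name mode owner hash".
catdir_snapshot() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "${f##*/}" "$(file_mode_owner "$f")" "$(hash_file "$f")"
    done | sort
}

# catdir_diff BASELINE DIR: compare a saved snapshot with the live directory.
# Prints ADDED / REMOVED / CHANGED / WORLD_WRITABLE findings, one per line.
# Returns 0 when catdir matches the baseline, 1 when anything was found.
catdir_diff() {
    base="$1"; dir="$2"
    now=$(mktemp)
    catdir_snapshot "$dir" >"$now"
    findings=0
    while read -r name mode owner hash; do
        old=$(awk -v n="$name" '$1 == n' "$base")
        if [ -z "$old" ]; then
            echo "ADDED $name"; findings=$((findings + 1))
        elif [ "$old" != "$name $mode $owner $hash" ]; then
            echo "CHANGED $name (was: $old)"; findings=$((findings + 1))
        fi
        # A world-writable entry is the hole itself: anyone on the box can
        # replace the cataloged program. Last octal digit with the write bit: 2,3,6,7.
        case $mode in
            *[2367]) echo "WORLD_WRITABLE $name mode=$mode"; findings=$((findings + 1)) ;;
        esac
    done <"$now"
    # Baseline entries that have disappeared.
    while read -r name _; do
        awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$now" ||
            { echo "REMOVED $name"; findings=$((findings + 1)); }
    done <"$base"
    rm -f "$now"
    [ "$findings" -eq 0 ]
}

# catdir_demo: constructed sample catdir (not real UniVerse object code), a
# baseline, then the kinds of tampering the thread worries about. Prints the
# findings followed by "FINDINGS <count>"; always returns 0.
catdir_demo() {
    tmp=$(mktemp -d)
    cat_dir="$tmp/catdir"; mkdir "$cat_dir"
    printf 'object code for POST.INVOICE v1\n' >"$cat_dir/POST.INVOICE"
    printf 'object code for PAYROLL.RUN v1\n'  >"$cat_dir/PAYROLL.RUN"
    printf 'object code for DAILY.REPORT v1\n' >"$cat_dir/DAILY.REPORT"
    chmod 644 "$cat_dir"/*
    catdir_snapshot "$cat_dir" >"$tmp/baseline"

    # Tampering: replace a program, add an unknown one, drop one, open one up.
    printf 'trojaned object code for POST.INVOICE\n' >"$cat_dir/POST.INVOICE"
    printf 'object code for BACKDOOR\n' >"$cat_dir/BACKDOOR"
    rm "$cat_dir/DAILY.REPORT"
    chmod 666 "$cat_dir/PAYROLL.RUN"

    report=$(catdir_diff "$tmp/baseline" "$cat_dir") || :
    printf '%s\n' "$report"
    printf 'FINDINGS %s\n' "$(printf '%s\n' "$report" | grep -c .)"
    rm -rf "$tmp"
}

catdir_demo
```

In production the baseline would be written once by a trusted user to a location outside catdir, and catdir_diff run from cron or the release procedure; a non-zero exit is the alert. Note that the monitor only detects a swapped entry after the fact, which is exactly the limitation the post describes: it logs changes, it does not prevent them.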