Multics Technical Bulletin                                MTB-686
More Secure SAC

To:       Distribution

From:     Benson I. Margulies

Date:     10/25/84

Subject:  Improving the Security of SAC and the Admin Password

1 ABSTRACT

     The send_admin_command facility does not provide a secure audit
     trail of the senders of commands, and leaves the admin password
     subject to un-audited changes.  This MTB describes changes to
     resolve both of these problems.

Comments should be sent to the author:

via Multics Mail:
   Margulies at either System-M, MIT, or CISL-SERVICE.

via Forum:
   >udd>m>mtgs>B2 on System-M

via telephone:
   (HVN) 261-9333, or
   (617) 492-9333

_________________________________________________________________

Multics  project  internal  working  documentation.   Not  to  be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.



2 >SC1>COMMUNICATIONS IS AN INSECURE DESIGN

>sc1>communications  is,  I  believe, the  oldest  permanent data
structure in  the system.  Unlike  other shared data  bases which
are   now   managed  with   the   install  mechanism   or  rings,
communications  is  read-write  to  all  persons  trusted  to use
send_admin_command.    One   of  these   users   can,  therefore,
arbitrarily change a command sent  by another, the recorded ID of
the user who  sent the command, the operator  admin password, and
the old default pdir quota values.

3 REPLACING COMMUNICATIONS

There are three items in >sc1>communications:  send_admin_command
support,  the operator  admin password,  and default  process dir
quota values.

3.1 send_admin_command

Send_admin_command is logically an as_request function.  The major
difficulty in replacing sac with an as_request service is that the
execution of sac commands must be inhibited in admin state.(1)  V4
message segments do not store process ids with messages.
as_request_server_ uses the process id from the wakeup accompanying
the message segment message.  Each time it receives a wakeup, it
reads the message specified by the 72 bit IPC message and processes
it.  This design has two serious problems.  First, the program will
never clear out messages whose wakeups have been lost.  Second,
there is no place to store a process id when deferring the
processing of a message.

_________________________________________________________________

(1) There is a confusing but important terminological distinction
    here.  "admin state" is entered by the Initializer whenever it
    reattaches its switches to avoid the message coordinator.
    sc_stat_$admin_switch is set in admin state.  "admin mode" is
    the situation when the Initializer is in admin state and is
    listening for Multics commands typed on an Initializer terminal
    or the system console.  sc_stat_$admin_listener_switch is set in
    admin mode.  Admin state may include borrowing a terminal from
    the message coordinator with borrow_tty_from_mc_.  All
    Initializer commands (primarily in execute_sc_command_) that
    read responses to queries borrow a terminal.  The server for
    send_admin_command commands enters admin state, but will not
    borrow a terminal in the design described here.



Version  5  message  segments  remove  this  problem  by securely
storing a process id with each message.

While  re-implementing  send_admin_command,  we  can  improve the
condition   handling  and   input  handling   properties  of  the
environment in which sac commands are executed.  Attempts to read
input  while  executing a  sent command  will abort  the command.
Output data will be logged.

Some features of sac will be removed.  It will not be possible to
implement sac -cancel.  This facility  can be restored at a later
time by providing a command to cancel as_requests.

A list_as_requests command will be provided.  This will show pending
sac commands, as well as any other as_requests that happen to be in
the message segment.  For this release, it will have no fancy
selectivity (-user/-admin/-id), but it will be able to use "o" (own)
access to the message segment, so a user without "r" access can
still list his own requests.

Name:  list_as_requests

Function:   Displays  any  as_requests currently  pending  in the
as_request queue message segment, >sc1>as_request.ms.

Access  required:   o access  to as_request.ms  to see  one's own
messages, r access to see anyone else's.

The new command writeup for send_admin_command follows here:



Name:  send_admin_command, sac

Function:  Sends  a command line  to the Initializer  process for
execution.

Syntax:
send_admin_command {-control_args} command_line_without_quotes

Where:

command_line_without_quotes
          Is a command line to be sent to the Initializer.  To send
          special characters you must include them, or the whole
          command line, in quotes.  If the first character of the
          command line is a "-", the -string control argument must
          be used so that it is not taken as a control argument.

control args may be chosen from the following:

-no_wait, -nwt
          The  command  returns to  the listener  as soon  as the
          command_line has been sent to the Initializer.

-wait WAIT_TYPE, -wt WAIT_TYPE
          This  control  argument specifies  whether  the command
          will wait for any  acknowledgement from the Initializer
          before  returning  to the  listener.  WAIT_TYPE  may be
          chosen from the following list:

     start
          The  command waits  for the  Initializer to acknowledge
          receipt  of the  command line  before returning  to the
          listener.

     finish
          The  command  waits  for   the  Initializer  to  finish
          execution of  the command line before  returning to the
          listener.  This is the default.

-notify_by_message, -ntmsg
          The   user  will   receive  a   brief  notification  by
          interactive message in the following cases:
          * -no_wait  is specified, and execution  of the command
          line is denied due to lack of access.
          * The command completes execution.

          If the user's mail table entry can be used to deliver an
          interactive message, it will be used.  If not, the full
          User.Project specification will be used.  The -address
          control argument does not apply to interactive messages.



-no_notify_by_message, -nntmsg
          The   user   will  receive   no   interactive  messages
          concerning the  execution of the command  except in the
          special  case  that  -no_wait   is  specified  and  the
          execution  of  the command  is  denied due  to  lack of
          access.

-notify_by_mail, -ntmail
          The user will be sent mail in the following cases:
          * -no_wait  is specified, and execution  of the command
          line is denied due to lack of access.
          * The command completes execution.

          By default, the mail will be sent to the destination
          specified in the mail table for the user's personid.  If
          no destination is found there, the full User.Project will
          be used.  The default may be overridden with the -address
          control argument.  If the command is executed, the mail
          will contain all output produced on the error_output,
          user_output, and user_i/o switches during the command
          execution.

-address MAIL_ADDRESS
          Specifies that  mail sent for notifications  be sent to
          the  mail  address   specified  by  MAIL_ADDRESS.   See
          mail_addresses.gi.info for more information.

-string
          The  rest of  the command  line will  be interpreted as
          part of  the command to  send whether or  not it begins
          with a "-".

-query, -qy
          The command line is printed on the user's terminal, and
          the user is queried "Do you want to send this admin
          command line?".  This can be used to validate the effects
          of abbrevs and active functions before the line reaches
          the Initializer.

-no_query, -nqy
          No  query  is posed  before  sending the  command line.
          This is the default.

Notes:

RW access to >sc1>admin_acs>send_admin_command.acs is required to
use this command.

SUMMARY OF COMMAND EXECUTION
1) The command line is sent to the Initializer.



2a) If  -no_wait  is  specified,   the  command  returns  to  the
     listener.  Skip to step 4.

2b) If -wait start or -wait finish is specified, the command waits
     for the Initializer to acknowledge receipt of the command line.
     If the Initializer rejects execution of the command line, an
     explanatory message is printed.

3a) If  -wait  start is  specified,  the command  returns  to the
     listener.

3b) If  -wait  finish  is  in effect,  the  command  waits  for a
     notification from the Initializer that execution of the sent
     command is complete.  A message of the form:

        send_admin_command:  Completed command OTHER_NOTES.

     is printed.  OTHER_NOTES can include the strings:

        "with errors"  if output was written on error_output, or
             the command_error condition was signalled.
        "Finish command signalled."  if an attempt was made to
             terminate the process during execution of the command.
        ERROR_CODE_MESSAGE  if the Initializer returned an error
             code describing a problem with execution of the
             command.
        "Command line aborted by error."  if a condition signal
             caused the command line execution to be aborted.

4) If -notify_by_mail or -notify_by_message is in effect, mail or
     a  message  arrives  from  the Initializer.   Both  mail and
     messages include the summary described in step 3.  Mail will
     include the complete output of the command line execution.

3.2 admin password

The admin password  will be moved into the PNT,  where all of the
other  passwords  are stored.   This  will automatically  give us
auditing of its changes and the like.

It  is  not desirable  to  use new_user  to manipulate  the admin
password and any  other special user names that  we define in the
future.  We don't want to have  aliases or mail table entries for
these, and most of the fields in the pnt_entry are not relevant.

A new  command, set_special_password, will be  added.  Its syntax
is:

  set_special_password SPECIAL_ID {-control_args}



where:

SPECIAL_ID is a name of a  special password.  The current list of
          special names is:
          operator_admin_mode   for   the  operator   admin  mode
          password.

control args may be chosen from:

-none  sets the specified ID to have no password.  For
          operator_admin_mode, setting -none will cause admin mode to
          be entered without asking for a password.

-prompt causes the command to prompt, twice, for the value of the
          password.  This is the default.

-password PASSWORD causes the password PASSWORD to be set.  This
          should be used ONLY in the accounting_start_up exec_com.
          It is NOT recommended for general use, since the password
          then appears on the command line.

3.3 default pdir quota values

Communications  was the  original location of  pdir quota values.
Today, these  values are respected, though  there are no programs
to  display  or  set  them.   Two  new  installation  parameters,
"default_pdir_seg_quota  (df_pdsq)"  and  "default_pdir_dir_quota
(df_pddq)" will be added to replace the values in communications.
ed_installation_parms   will   read   the   old   value   out  of
communications  for  the  seg  quota,  and  the  dir  quota  will
arbitrarily  default to  1000.  No changes  will be  made at this
time  to respect  the dir quota  value, since  ring zero act_proc
knows nothing of directory quota.

4 A GENERAL SUBROUTINE FOR SENDING AS REQUESTS.

Currently,  all "users"  of as request  call message_segment_ for
themselves.   This  duplicates code,  and  makes it  difficult to
reliably find  them all.  The following  subroutine will be added
to improve this situation:

Name:  send_as_request_

Function:  Contains entrypoints that  send messages to the system
Answering Service Request server.

Entry:  send_as_request_$block

Function:  sends an as_request, and blocks to await the system's
reply.

Syntax:

declare  send_as_request_$block  entry  (ptr,  bit  (72) aligned,
fixed bin (35));
call  send_as_request_$block  (as_request_ptr,  as_request_reply,
code);

where:

as_request_ptr is a pointer to a standard as_request structure.
          as_request structures begin with a header declared in
          as_request_header.incl.pl1.  Declarations for most
          as_request info structures are found in
          as_request.incl.pl1.  We do not recommend that any
          application code send as_requests directly.  Subroutine
          interfaces are available for all the supported as_request
          facilities.

as_request_reply is  the event message returned  by the system in
          reply to the request.  (output)

code is a standard system status code.

Entry:  send_as_request_$no_block

Function:  sends an  as request message to the  system as request
server, and does not block to await a reply.

Syntax:

declare send_as_request_$no_block entry (ptr, fixed bin (35));
call send_as_request_$no_block (as_request_ptr, code);

where the parameters are as described above.

5 TESTING

All appropriate  cases will be tested.   An interface that allows
sc_admin_command_, the sac command execution server, to be run in
a user's process for testing will be added.