Driving a Discontinued Model with Joy
Cautions of a SM broadsword for every user

Security advice for MPE appears flameproof


Long ago, about 30 years or so, I got a contract to create an HP 3000 software manual. There was a big component of the job that involved making something called a desktop publishing file (quite novel in 1987). There was also the task of explaining the EnGarde/3000 security software to potential users. Yow, a technical writer without MPE hands-on experience, documenting MPE V software. 

Yes, it was so long ago that MPE/XL wasn't even in widespread use. Never mind MPE/iX, the 3.0 release of MPE/XL. All that didn't matter, because HP preserved the goodness of 3000 security from MPE V through XL and iX. My work was to make sense of this security as it related to privileges.

I'll admit it took yeoman help from Vicky Shoemaker at Taurus Software to get that manual correct. Afterward I found myself with an inherent understanding, however superficial, about security privileges on the HP 3000. I was far from the first to acquire this knowledge. Given another 17 years, security privileges popped up again in a NewsWire article. The article by Bob Green of Robelle chronicled the use of SM capability, pointed out by Vladimir Volokh of VEsoft.

Security is one of those things that MPE managers didn't take for granted at first, then became a little smug about once the Internet cracked open lots of business servers. Volokh's son Eugene wrote a blisteringly brilliant paper called Burn Before Reading that outlines the many ways a 3000 can be secured. For the company which is managing MPE/iX applications — even on a virtualized Charon server — this stuff is still important.

I give a hat-tip to our friends at Adager for hosting this wisdom on their website. Here's a recap of a portion of that paper's good security practices for MPE/iX look like.

Volokh’s technical advisory begins with a warning. “The user is the weakest link in the logon security system -- discourage a user from revealing passwords. Use techniques such as personal profile security or even reprimanding people who reveal passwords. Such mistakes seem innocent, but they can lose you millions."

His bullet points from the heyday of MPE still make good sense to follow, if you're managing a system in our homesteading and archiving era.
  • Passwords embedded in job streams are easy to see and virtually impossible to change -- avoid them.

  • Some forms of access are inherently suspect (and thus require extra passwords) or are inherently security violations. Thus, access to certain user IDs at certain times of day, on certain days of the week, should be specially restricted.

  • Many security violations can be averted by monitoring the warnings of unsuccessful violation attempts that often precede a successful attempt. If possible, change the usual MPE console messages so they will be more visible.

  • Leaving a terminal logged on and unattended is just as much a security violation as revealing the logon password. Use some kind of timeout facility to ensure that terminals don't remain inactive for long; set up all your dial-in terminals with subtype 1.

  • A useful approach to securing your system is to set up a logon menu which allows the user to choose one of several options rather than to let the user access MPE and all its power directly.

  • Blocking out MPE commands via UDCs with the same name will usually fail unless the command is SETCATALOG or SHOWCATALOG, or if you also forbid access to many HP subsystems and HP-supplied programs. This severely limits the usefulness of this method.

  • Remember that RELEASE-ing a file leaves it wide open for any kind of access; RELEASE files cautiously, and re-secure them as soon as possible.

  • Try to make it as easy as possible for people to allow their files to be accessed by others without having to RELEASE them. Thus, build all accounts with (r,w,x,a,l:any) so that allowing access to a group will be easier.

  • If a group is composed mostly of files that should be accessible by all users in the system or by all account users, build it that way. This will also reduce RELEASEs.

  • The ALTSEC command is useful for restricting access to files in a group to which access is normally less restricted.
  • Lockwords aren't all they're cracked up to be. Other approaches should be preferred.

  • You should only give OP capability to users who you trust as much as you would a system manager; to users who have no access to magnetic tapes or serial disks; or to users who have a logon UDC that drops them into a menu which forbids them from doing STOREs or RESTOREs.

  • You should give PM capability only to users who you trust as much as you would a system manager.

  • If any user has SAVE access to a group with PM capability, or write and execute access to any program file that resides in a group with PM capability, he can write and run privileged code.

  • Never RELEASE a program file that resides in a group which has PM capability.

  • Privileged programs must never call DEBUG unless their user is privileged, and must never dynamically load and call procedures from a user's group or account SL unless the user is privileged.

  • IMAGE/SQL security is not particularly useful except for protecting databases against unauthorized QUERY access. In fact, some degree of protection against unauthorized QUERY access can be given by using the DBUTIL "set subsystem" command to disallow any QUERY access or QUERY modification of a database.