Date:         Mon, 18 Dec 1995 16:15:00 MST
Reply-To:     The NOMAD2 Discussion List
Sender:       The NOMAD2 Discussion List
From:         Walters Chris
Subject:      Securing a db against knowledgable opponent

OK NOMADers, here's a problem

I am the new system administrator for a shared db under VM. I need to
protect the db from attacks by the previous sysadmin, who knows NOMAD pretty
well. Users of the system (who have the DBAPASSword) ask him to write
programs that change the db contents. My menu-driven system also has options
that change the db contents (using CHANGE, INSERT, REPLACE, DELETE
commands).

I can't use a REMOVE in the db profile to remove the C/I/R/D commands
because my menus use them too.

I tried renaming the db, PRESCANing all procedures that do a DA XXXX OWNERID
YYYYY and hiding the source code, but DA XXXX OWNERID YYYYY is still visible
in the N2PROC. So he can get the database name.

I tried moving all procedures containing DA XXXX OWNERID YYYYY  from the
public 192 disk to the 191 disk of the owner account to hide them, but the
procedures can't be found by VM when called. Seems like you can't execute
code stored on the same disk as the shared db, probably because you don't
access that disk directly. So I can't hide them either.

No telling what accounts these rougue procedures live on so can't put a
screen on &userid in place in the db profile.

So, any suggestions? Please email replys directly to me - he may very well
be on this list!

Chris Walters
CIDM, Motorola GSTG
p23610@email.mot.com
back to index