A spirited discussion ensued on HP3000-L about the advisability of disabling PARM=-1 for logons with some MPE heavyweights chiming in on the side of "Don't do it."

First, a little background. Since the very early days of MPE/XL, users have been able to sign on as "HELLO ..... ;PARM=ciparm" where "ciparm" is one of the allowed values for running the command interpreter as a program (0, 1, 2, 3, 4, 5 for any user and -1, -2 for users with SM capability; any other value is treated as 0). When passed to the root command interpreter via HELLO, 2 and 4 are equivalent to 0 while 3 and 5 are equivalent to 1. For example, with PARM=1 the session will terminate after processing the INFO= string or, if there is no INFO= string, after executing the first user-supplied command. Note that INFO="...";PARM=1 is therefore a replacement for the old command logon in Classic MPE.

If, however, a user with SM capability signs on with PARM= -1, or -2, then the CI banner and the welcome message is suppressed and UDCs are NOT cataloged. Thus, logon UDCs are not executed since they are not even known. If you rely on a security technique that uses logon UDCs as many people did and perhaps still do, then your security system is breached, especially if you stopped putting passwords on "MANAGER.SYS". So, there was considerable weight behind a request that HP provide some way to disable PARM= -1 or -2 for logons. MPE/iX 5.0 introduced such a way (I guess there was no perceived rush). Note: most commercial security packages use AIF Procedure Exits now and do not rely on logon UDCs.

The rational for allowing PARM=-1 in the first place? From an HP publication: "This is helpful in allowing a system manager or HP Technical Consultant to log into a system that is not allowing any user to log on." If you disable PARM=-1, you could have a serious problem on your hands some day. One consultant commented, "I've had to dial in and rescue users a number of times over the years ... generally with success. The two times this year that I actually failed to help the user was when they had done enforcelogonudcs=on."

However, it was pointed out that MANAGER.SYS is THE target for hackers, and if your system is accessible from the internet and your only security is provided by logon UDCs, you may be vulnerable to people trying to HELLO MANAGER.SYS;PARM=-1 until they guess your passwords.

So, what should you do? And suppose your only current avenue for enforcing security (beyond simple MPE passwords) is with logon UDCs? It was determined that you cannot remove MANAGER.SYS from your system. Nor can you remove SM from MANAGER.SYS. One HP’er came up with an interesting solution: Create a SM user that mirrors the capabilities of MANAGER.SYS but is known only to authorized personnel and then remove IA capability from MANAGER.SYS so that HELLO MANAGER.SYS... is not allowed because of insufficient capability.

Oh yes, if you still want to disable PARM=-1 (and PARM=-2) logons, i.e. always enforce logon UDCs, then do the following:

:HELLO MANAGER.SYS

:SYSGEN

MI

SY ENFORCELOGONUDCS=ON

HO

EXIT

K

EXIT

Reboot with START NORECOVERY GROUP=config, where "config" is the configuration group you kept the changes to (usually "CONFIG").