[HECnet] Tops-20 ANONYMOUS FAL Preliminary Testing Results/DAP Query

On Dec 20, 2019, at 1:12 PM, Thomas DeBellis <tommytimesharing at gmail.com> wrote: I have been working with a kind volunteer who is using OpenVMS Alpha. It's been quite productive. While I haven't run into any security exposures, yet, the experience has enabled me to find a few things to tweak up. For example, the VMS logging and reporting was clearly superior to what was being put in the FAL log (which wasn't even timestamped and didn't have the requested file name). We ran into some interesting behavior. When ANONYMOUS access is restricted to the stand-in user and its subdirectories, wildcard listing requests that are outside of that lexical scope do not report any errors but rather return zero files (none). That was puzzling because the part of the code that did the access check was clearly doing the reject with appropriate return values.

Further analysis showed that in the main loop for stepping wildcards, a reject causes the file in question to be skipped; nothing is actually done with the return values. I believe this may be intended behavior for two reasons. The first is that if the wildcard includes files to which the ANONYMOUS user does legitimately have access, it's friendlier to report those as opposed to stopping everything. The other reason I believe has to do with DAP itself; I don't think you can't return more than one return value per ACCESS request, even with a wildcarded file specification. So perhaps this isn't a bug so much as an unintended consequence? Does anybody know what the behavior should be? At any rate, I don't believe the current behavior is 'informative'. What I'm thinking of doing is saving the last error code and returning that if the count of files returned in list is zero. Otherwise, the user had something to look at. Do I have any volunteers who operate something besides VMS? I'd be interested in RSX(+), IAS, RSTS and OS-8. They never did DECnet on RT-11, did they?