[HECnet] Tops-20 ANONYMOUS FAL Preliminary Testing Results/DAP Query

[Thomas DeBellis]

I have been working with a kind volunteer who is using OpenVMS Alpha.  
It's been quite productive.

While I haven't run into any security exposures, yet, the experience has 
enabled me to find a few things to tweak up.  For example, the VMS 
logging and reporting was clearly superior to what was being put in the 
FAL log (which wasn't even timestamped and didn't have the requested 
file name).

We ran into some interesting behavior.  When ANONYMOUS access is 
restricted to the stand-in user and its subdirectories, wildcard listing 
requests that are outside of that lexical scope do not report any errors 
but rather return zero files (none).  That was puzzling because the part 
of the code that did the access check was clearly doing the reject with 
appropriate return values.

Further analysis showed that in the main loop for stepping wildcards, a 
reject causes the file in question to be skipped; nothing is actually 
done with the return values.  I believe this may be intended behavior 
for two reasons.  The first is that if the wildcard includes files to 
which the ANONYMOUS user does legitimately have access, it's friendlier 
to report those as opposed to stopping everything.

The other reason I believe has to do with DAP itself; I don't think you 
can't return more than one return value per ACCESS request, even with a 
wildcarded file specification.  So perhaps this isn't a bug so much as 
an unintended consequence?  Does anybody know what the behavior should be?

At any rate, I don't believe the current behavior is 'informative'.  
What I'm thinking of doing is saving the last error code and returning 
that if the count of files returned in list is zero.  Otherwise, the 
user had something to look at.

Do I have any volunteers who operate something besides VMS?  I'd be 
interested in RSX(+), IAS, RSTS and OS-8.  They never did DECnet on 
RT-11, did they?