[HECnet] Anonymous FAL (Tops-20)

Johnny Billquist bqt at softjar.se
Thu Jul 4 11:48:01 PDT 2019 

The one annoying detail of the account system in TOPS-20 is that user 
disk quotas are on a per directory basis. So you have to manually move 
your disk quota around for your subdirectories.

I doubt you could lift any of the RSX or VMS DECnet code over to 
TOPS-20. The RSX code is mostly MACRO-11, and the VMS DECnet code is 
rather closely integrated into VMS in general, I seem to have observed.

Also, no, VMS hobbyist license do not get you any sources.

   Johnny

On 2019-07-04 04:01, Thomas DeBellis wrote:
> Tops-20 is vastly different from Unix (and I believe also VMS) as to how 
> it manages user ids and accounts.  Parts of the authentication paradigm 
> are very tightly woven into the the file system.  Briefly,
> 
>   * A user id is a login-able directory (I.E., one that doesn't have a
>     password and is not set FILES-ONLY).  In addition to basic OS
>     restrictions which prevent you from viewing file system meta-data
>     unless you have appropriate authorization, an access control job
>     (ACJ) is layered on top of this which can even restrict privileged
>     users.
>   * Accounts are either validated out of a binary accounting file in
>     monitor space (which is compiled from ASCII source) or via the ACJ. 
>     Accounts can have multiple users or systems processes (such as
>     spoolers) creating billing records. Users can switch between
>     accounts on a per-job, per-fork and intra-program basis (a program
>     can decide to bill certain portions of its activity to different
>     accounts).
>   * The obvious benefit is that there is no password file to attack or
>     steal and you can't even tell that there is an accounting file;
>     probing passwords is monitored and a certain amount of intervention
>     is done.  It is /extremely/ fast. No /etc/passwd to grovel.
> 
> However, a deleterious side-effect is that once an id is created, it can 
> be used for _anything_, including online interactive login.
> 
> On a PANDA monitor, is possible to specify a user id as FTP-ONLY, but 
> neither the supplied 5 series ACJ nor the EXEC do anything with it.  
> Historically, the Tops-20 FTP server implemented ANONYMOUS usage by 
> parsing for the login user atom ANONYMOUS and then swallowing anything 
> for the password (what was typically supplied was an email addresses). 
> This was then hardwired into a local id.
> 
> Artifacts of this still exist in certain browers.  Guess who supplies 
> IEUSER@ as the email address password for ANONYOUS usage?
> 
> I recall that this is the approach that we had to use with Tops-20 FAL.  
> The Extended  Mode FTP server that I wrote is configurable via a file to 
> specify the underlying id and password.  More productization would 
> probably including having the ACJ enforce FTP-ONLY on LOGIN% or CRJOB% 
> and having the EXEC parse for and display FTP-ONLY.  Probably about two 
> weeks' part time work as I recall.  Might have to consider Batch policy.
> 
> One approach here could be to lift the ANONYMOUS code out of EFTPSR and 
> drop it into FAL and then do the changes to the ACJ and EXEC. I'm just 
> surprised none of the HECnet Tops-10 or Tops-20 nerds have done it 
> (there is some commonality in some of the sources).
> 
> Since Tops-20 has a BLISS compiler which implements BLISS COMMON (my 
> first training at DEC as an employee was to write code that would cross 
> compile under VMS, RSX, Tops-10 and Tops-20).  I think it might be 
> useful to review some of the VMS DECnet source, if any of that is 
> available.  It might be possible to lift some functionality, which could 
> be fun.
> 
> Does the VMS hobbiest license get you source code?
>> ------------------------------------------------------------------------
>> On 7/3/2019 7:21 PM, Johnny Billquist wrote:
>>
>> VMS, as someone else mentioned, have a default account for FAL.
>>
>> RSX does not have that.  However, you can use proxy access in RSX to 
>> achieve something similar.  Enable incoming and outgoing proxy, and 
>> define a default account that incoming requests should be using that way.
>>
>> If TOPS-20 can do this I don't know.  But it's a suggestion for 
>> something else/more to check.
>>
>>   Johnny
>>> ------------------------------------------------------------------------
>>> On 2019-07-03 14:15, Thomas DeBellis wrote:
>>>
>>> I have some software that I'd like to post, but don't recall how to 
>>> configure FAL to allow for an anonymous connection; to download from 
>>> a restricted directory.
>>>
>>> I know how to do it for the FTP server (seeing as I wrote it), but 
>>> ... different code base.
>>>
>>> I can only vaguely remember what we did for CCnet at Columbia 
>>> University in the 1980's, but I think it was kind of a hack.


-- 
Johnny Billquist                  || "I'm on a bus
                                   ||  on a psychedelic trip
email: bqt at softjar.se             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol

More information about the Hecnet-list mailing list