[Info-vax] OT: Review your password-checking $acm[w] calls
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Oct 24 06:06:31 EDT 2013
Apologies in advance for this completely off-topic OpenVMS technical posting.
The following is an OpenVMS Programming Public Service Announcement for
both of the folks that are still reading this comp.os.vms newsgroup,
still programming VMS, and using sys$acm[w] to check the user passwords:
please check your $acm[w] system service call source code...
If you neglected to include the logon type (ACME$_LOGON_TYPE) itemcode
as network (ACME$K_NETWORK) — which requires the IMPERSONATE privilege;
formerly known as DETACH — then your calls will work just fine in most
conditions. However, your calls for password verification might
not-so-silently fail under conditions that your tests might not show,
if you're not prepared to prompt upon receipt of the arcanely-named
ACME$_OPINCOMPL <%ACME-W-OPINCOMPL, operation incomplete; interaction
required> status. This is because the default mode for the $acm[w] system
service is its gonzo "dialog" prompting mode, which is triggered when
you encounter an expiring password.
If you have or find an $acm or $acmw call in any password-checking
source code, then you will want to confirm either ACME$_LOGON_TYPE set
to ACME$K_NETWORK (with IMPERSONATE) or the presence of source code to
handle the ACME$_OPINCOMPL status. If not, you might (do?) have a
latent bug.
Related: <http://h71000.www7.hp.com/doc/731final/5841/5841pro_088.html>
<http://labs.hoffmanlabs.com/node/1260#comment-2993>
Yeah. It's a stupid coding bug. A bug that won't show in most
testing. Don't make it.
--
Pure Personal Opinion | HoffmanLabs LLC
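
The review requested above can be partly automated. The following is an added example, not code from the post or from the vendor documentation: a heuristic Python scan that flags source text calling sys$acm[w] with neither ACME$_LOGON_TYPE plus ACME$K_NETWORK nor an ACME$_OPINCOMPL check present. The helper name, the file-level matching and the sample fragments are assumptions made for illustration.

```python
import re
import sys

# Heuristic, file-level audit. Symbols mentioned only in comments will fool it,
# so treat "ok" as "look here first", not as proof. audit_source is a
# hypothetical helper name; the ACME$ symbols are the ones quoted in the post.
IDENT = r"[A-Za-z0-9_$]"
ACM_CALL = re.compile(rf"(?<!{IDENT})(?:sys)?\$acmw?(?!{IDENT})", re.I)
LOGON_TYPE = re.compile(r"ACME\$_LOGON_TYPE", re.I)
K_NETWORK = re.compile(r"ACME\$K_NETWORK", re.I)
OPINCOMPL = re.compile(r"ACME\$_OPINCOMPL", re.I)

def audit_source(text):
    """Classify one source file's text by how it uses $acm[w]."""
    calls = [n for n, line in enumerate(text.splitlines(), 1)
             if ACM_CALL.search(line)]
    network = bool(LOGON_TYPE.search(text) and K_NETWORK.search(text))
    dialog = bool(OPINCOMPL.search(text))
    if not calls:
        verdict = "no-acm-call"
    elif network or dialog:
        verdict = "ok"
    else:
        verdict = "review"   # latent bug candidate per the post
    return {"calls": calls, "network_logon": network,
            "handles_opincompl": dialog, "verdict": verdict}

# Constructed sample fragments (not real application code; arguments elided).
SAMPLE_DEFAULT_DIALOG = """\
items[0].code = ACME$_PRINCIPAL_NAME_IN;
status = sys$acmw(/* ... */);
if (!(status & 1)) return status;
"""
SAMPLE_NETWORK = """\
logon_type = ACME$K_NETWORK;        /* needs IMPERSONATE */
items[0].code = ACME$_LOGON_TYPE;
status = SYS$ACMW(/* ... */);
"""
SAMPLE_HANDLES_DIALOG = """\
status = sys$acm(/* ... */);
if (status == ACME$_OPINCOMPL) prompt_user();
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:          # e.g. python audit_acm.py *.c
        with open(path, errors="replace") as fh:
            print(path, audit_source(fh.read()))
```

A "review" verdict marks a file for manual inspection; matching is case-insensitive so that call sites in case-insensitive VMS languages are also caught.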