On Tue, 22 Jan 1991 10:01:31 SET "Christian J. Reichetzeder" <REICHETZ@AWIIMC11> said: >* ABC FILELIST has a generic entry of the form > / A/> * * PRV OWN .... You must not specify a generic entry for '* *' anywhere, as it will match any file (obviously). This means that if someone else, downwards in the search order, has an entry for 'ABC* MEMO', your '* *' will catch the file before if the filelist is not specified explicitly. >As far as I could find out the problem is within LSVSFILE. For explicit >or implicit FILELISTs LSVSFILE starts from the root(=LISTSERV) FILELIST. >In case the sought file is not found other FILELISTs found are searched. >Only when the file couldn't be found in any of the FILELISTs the search >continues for NOTEBOOKs or LOGs according to the LIST specification. If >any FILELIST happens to contain a generic entry matching the requested >FILELIST the search stops and authorization is given as specified in the >generic entry. I do not see in what way this is a problem. First, if I were to change the code to behave as you suggest, a generic entry for '* LOG*' in XYZ FILELIST would be ignored when looking for XYZ LOG9001, when the intent of the list owner was, clearly, to set different GET/PUT access codes for these files. There is no difference between '* LOG*' and '* *' in this respect, except that the latter catches more files. Second, you are talking about the special case of log files and implicit filelists. If you consider the more general case of regular files, you will quickly realize that the specification of '* *' in *any* filelist means problems as soon as you try to store files without specifying the filelist name, ie 'PUT MEET9102 AGENDA' rather than 'PUT MEET9102 AGENDA MINUTES'. There is no solution to this - you did not say which filelist the file was from, there is no way for the server to "guess" that you meant MEET9012 AGENDA from 'MEET* AGENDA' in the MINUTES filelist, not MEET9012 AGENDA from '* *' in the XYZ filelist. This is why you should not specify '* *' on any filelist that can be reached from the root, and if you do, you must specify the filelist name on any file access request to avoid problems. What you have to understand is that LISTSERV fileids have 3 components, and when you specify only the first 2 it is trying to guess at the third. Most of the time there is no ambiguity, but of course nothing prevents you from having a 'README MEMO' in 2 filelists; in that case, the user can no longer omit the last component. >This is not only an inconvenience but also a security exposure (...) The >owner of ABC (FILE)LIST could specify a generic entry of * * GET=OWN and >thus be able to retreive the logs of XYZ LIST regardless of their FACs. No, because these are not the same files. If a match occurs for XYZ NOTEBOOK on the ABC FILELIST, LISTSERV will search ABC FILEID for the real CMS fileid. It will not find an entry for this file there, so it will generate a new fileid, nnnnnnnn ABC on the designated default disk. You can GET/PUT this file, but this is a different one from 'XYZ NOTEBOOK XYZ'. Eric