https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847504#M78528 Someone noticed that SYS$MESSAGE:DNS$MSG.EXE doesn't have W:RE protection. (World has NO access). All the other EXE files in SYS$MESSAGE have W:RE access. Does anyone know why? Is this on purpose? Mon, 21 Aug 2006 12:49:17 GMT Thomas A. Williams 2006-08-21T12:49:17Z https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847504#M78528 Someone noticed that SYS$MESSAGE:DNS$MSG.EXE doesn't have W:RE protection. (World has NO access). All the other EXE files in SYS$MESSAGE have W:RE access. Does anyone know why? Is this on purpose? Mon, 21 Aug 2006 12:49:17 GMT https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847504#M78528 Thomas A. Williams 2006-08-21T12:49:17Z https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847505#M78529 <!--!*#-->I have two:<BR /><BR />DNS$MSG.EXE;1 (RWED,RWED,RE,)<BR />DNS$MSG_VMS.EXE;1 (RWED,RWED,RE,)<BR /><BR />but there's a similar-looking:<BR /><BR />DNS$MSG_V.EXE;1 (RWED,RWED,RE,RE)<BR /><BR />Looks to me like an error.<BR /><BR />A bunch of mine have G:REWD, too, but most<BR />are G:RE. Mon, 21 Aug 2006 16:29:47 GMT https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847505#M78529 Steven Schweda 2006-08-21T16:29:47Z https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847506#M78530 Thomas,<BR /><BR /> It might be an oversight. On my V6.2 systems, the protection is W:RE, but on later versions it's W(none).<BR /><BR /> I guess it depends on what images are intended to use the message file. If they're all installed, privileged images, or they're intended to be used only by privileged users, then the security may be deliberate, or may not be relevant. <BR /><BR /> A quick look at a V8.2 system disk, it appears DNS$MSG is referenced from NET$EVENT_DISPATCHER, NCLSHR, NET$EVD_RELAY_FORMATTER and DNS$MSG_V. I can't imagine joe-unprivileged-user messing with any of them.<BR /><BR /> On one hand, it probably doesn't matter if you open W:RE access to the message file, but on the other, what's broke that you think you're fixing?<BR /><BR /> If your users aren't complaining about failure to translate DNS messages, it might be better to just leave it be. If you have file access failure auditing enabled, you'll now quickly enough if anyone who should have access is being denied.<BR /> Mon, 21 Aug 2006 23:09:38 GMT https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847506#M78530 John Gillings 2006-08-21T23:09:38Z https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847507#M78531 I don't know about anyone else, but I have a<BR />procedure which tries to get the message text<BR />for a status code, and when it gets "NOMSG",<BR />it tries to "set message" on each of the<BR />files in sys$message until it gets a good<BR />message (or runs out of files).<BR /><BR />Anyone, privileged or not, might wish to<BR />translate such an error code, but it won't<BR />work well if he can't read the file.<BR /><BR />The probability of anyone actually caring may<BR />be fairly small, but I estimate the<BR />probability of W:RE on any of these files<BR />being wrong enough to cause trouble to be<BR />_vanishingly_ small.<BR /><BR />I'd vote for setting all of them the same,<BR />and then waiting for a disaster. I'd expect<BR />to be waiting a very long time. Mon, 21 Aug 2006 23:21:07 GMT https://community.hpe.com/t5/operating-system-openvms/dns-msg-exe-protection/m-p/3847507#M78531 Steven Schweda 2006-08-21T23:21:07Z