On Thu, 14 Dec 2023 at 05:40, Donald Russell <russell....@gmail.com> wrote:
> > Thanks Rob, > Since >SFS uses a private work unit by default, doesn’t that mean it gets a > new work unit before connecting to the sfs server? Diag d4 is done before > the pipe command, so I’m expecting the new connection to appear to initiate > from the altuser id. > And that means you specify the file such that the nose driver knows to use >sfs and not go through the mini disk simulation on accessed SFS directories... > > Am I misunderstanding what PIPE AHELP >SFS is telling me? What > does”PRIVATE” mean in this context? > It means >sfs allocates a work unit specifically for that file, so nothing else in the virtual machine observes the effect until the stage ends. I know CMS caches persistent IUCV connections to the SFS server. I don't recall playing with D4 like this. I don't know whether CMS keeps track of the identity while the IUCV connection was established, and knows to expire that when things change. You normally do the D4 very early in the life of the virtual machine, so you can reason about the possible leakage of data between the two identities. I know from experience that once you try to aggregate rights from different identities, things get very complicated. You could for example link to a disk as user A and then identify as B and link another disk. When you then run an application associated with A, you do that with the privilege of user B. Rob