On Friday, 05/19/2006 at 09:33 AST, John Hall <[EMAIL PROTECTED]> 
wrote:

> If your worker and/or server is "trusted", you can use the CSL API to
> create workunits that specify the altuser and then use that workunit
> on CSL calls for work for that altuser. 

You mentioned 'trust'.  The following is a public service announcement:

<security>
It's worth noting that the altuser support on DMSGETWU does not depend on 
diagnose 0xD4, but uses the ALTID parameter on APPCVM CONNECT.  I mention 
this because diagnose 0xD4 is class B (by default) and can be problematic 
in a multi-threaded environment, requiring serialization of CONNECTs. 
(Imagine a virtual machine with two CPUs with Diag D4 race conditions.) It 
also grants more capability than is strictly needed, esp. if you just give 
class B instead of moving it to its own privclass.  DMSGETWU (with userid) 
only requires OPTION COMSRV in a class G user.

The only other effect of OPTION COMSRV is that the user can choose to 
accept APPC connections in a way that stops CP from verifying any 
security-related information.  This is how TSAF does what it does, but it 
requires extra programming to exploit it.
</security>

Alan Altmark
z/VM Development
IBM Endicott
