Re: vm alternat userid support

2006-05-19 Thread Alan Altmark
On Friday, 05/19/2006 at 09:33 AST, John Hall <[EMAIL PROTECTED]> 
wrote:

> If your worker and/or server is "trusted", you can use the CSL API to
> create workunits that specify the altuser and then use that workunit
> on CSL calls for work for that altuser. 

You mentioned 'trust'.  The following is a public service announcement:


It's worth noting that the altuser support on DMSGETWU does not depend on 
diagnose 0xD4, but uses the ALTID parameter on APPCVM CONNECT.  I mention 
this because diagnose 0xD4 is class B (by default) and can be problematic 
in a multi-threaded environment, requiring serialization of CONNECTs. 
(Imagine a virtual machine with two CPUs with Diag D4 race conditions.) It 
also grants more capability than is strictly needed, esp. if you just give 
class B instead of moving it to its own privclass.  DMSGETWU (with userid) 
only requires OPTION COMSRV in a class G user.

The only other effect of OPTION COMSRV is that the user can choose to 
accept APPC connections in a way that stops CP from verifying any 
security-related information.  This is how TSAF does what it does, but it 
requires extra programming to exploit it.


Alan Altmark
z/VM Development
IBM Endicott


Re: vm alternat userid support

2006-05-19 Thread John Hall

On 5/19/06, Westlund, Mats (Mainframe servers) <[EMAIL PROTECTED]> wrote:

> SFS does not check the alternate user, so the suggested method to
> create a lock for a file to see what altuser is running does not
> work if the worker itself uses any SFS files.
>
> When the worker first accesses a filepool, the APPC connection is
> assigned the userid/altuserid that the worker has at that moment,
> and that userid is kept in the SFS filepool as long as the APPC
> connection exists, so even if the worker is assigned a new altuser
> the connection to SFS still uses the old (first) userid.
>
> To get the "right" userid the worker has to reset the APPC connection
> to the filepool before accessing files for the new user.
>
> This is a problem when developing worker applications using SFS:
> the worker itself can't use files in SFS, and the order of setting
> up APPC connections to SFS is very important.


This is correct.  Often a brute force method is employed when setting
up a worker for a transaction set via DMSPURWU.  In fact, if the
worker is not "trusted", you are forced to do this during worker
setup, to ensure that there are no lingering authorizations available
from a previous transaction.

If your worker and/or server is "trusted", you can use the CSL API to
create workunits that specify the altuser and then use that workunit
on CSL calls for work for that altuser.  If your application is single
threaded, you can also change the "default workunit" which will affect
all subsequent interactions with SFS.

A single-threaded application (that may or may not be multi-client,
but serves clients in a serial fashion) can simply obtain a workunit
(DMSGETWU), make it the default (DMSPUSWU), perform whatever work it
requires, return to the previous work unit (DMSPOPWU), and discard the
workunit (DMSRETWU).

A multi-threaded application that wishes to use the altuser facility
with SFS must limit itself to the CSL set, specifying a workunit as
applicable.  This allows a worker/server to perform work on behalf of
one or more users (via altuser) at the same time.  Additionally, one
might serialize access to certain CMS functions, so that you can use
the "default workunit" (DMSPUSWU/DMSPOPWU) so as to issue traditional
CMS commands.  For example, you might create a critical section
(serial access by all threads) to the ERASE command that issues the
series DMSPUSWU, ERASE, DMSPOPWU so that the ERASE runs with the
authority and auditing of the altuser associated with the given
workunit (poor example, b/c you could just use DMSERASE, but the
example holds true).

John

--
John Hall   (+1) 727-397-6373  Safe Software, Inc.
JohnHall (at) SafeSoftware.Com  http://www.SafeSoftware.Com
JohnBeachFL (at) gmail.com
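
A REXX sketch of the single-threaded pattern described in the post above (get a work unit for the altuser, push it as the default work unit, do the work, pop it, return it). This is an added example, not code from the thread, from IBM or from Safe Software. The routine names come from the thread; the exact CSL parameter lists (the optional userid argument on DMSGETWU, DMSPOPWU taking only retcode and reascode) and the OPTION COMSRV requirement are assumptions that should be checked against the CMS Callable Services Reference for your z/VM level before use.

```rexx
/* ALTWORK EXEC -- added example, not from the thread: run one piece of */
/* work under an alternate userid the single-threaded way John Hall     */
/* describes: DMSGETWU -> DMSPUSWU -> work -> DMSPOPWU -> DMSRETWU.     */
/* Assumptions: the worker has OPTION COMSRV (needed for DMSGETWU with  */
/* a userid), and the CSL parameter lists below match the CMS Callable  */
/* Services Reference for your z/VM level.                              */
parse upper arg altuser fn ft fm .
if altuser = '' | fn = '' | ft = '' then do
   say 'Usage: ALTWORK altuser fn ft [fm]'
   exit 24
end
if fm = '' then fm = 'A'
altuser = left(altuser, 8)      /* CSL userid parameters are CHAR 8 (assumed) */
got_wu = 0                       /* set once we hold a work unit to clean up */

/* 1. Obtain a work unit whose SFS (APPC) connections are made on behalf */
/*    of ALTUSER. Assumed signature: DMSGETWU retcode reascode wuid userid */
call csl 'DMSGETWU rc rs wuid altuser'
if rc <> 0 then call fail 'DMSGETWU'
got_wu = 1

/* 2. Make it the default work unit, so ordinary CMS commands (ERASE,   */
/*    COPYFILE, ...) issued from here on run with ALTUSER's authority   */
/*    and are audited against ALTUSER.                                  */
call csl 'DMSPUSWU rc rs wuid'
if rc <> 0 then call fail 'DMSPUSWU'

/* 3. The actual work. A plain CMS command is used on purpose to show   */
/*    that the default work unit carries the altuser; DMSERASE with an  */
/*    explicit wuid would do the same without the push/pop.             */
'ERASE' fn ft fm
erase_rc = rc
say 'ERASE' fn ft fm 'as' strip(altuser) 'returned rc='erase_rc

/* 4. Restore the previous default work unit, then give this one back.  */
/*    Assumed signature: DMSPOPWU retcode reascode                      */
call csl 'DMSPOPWU rc rs'
if rc <> 0 then call fail 'DMSPOPWU'
call csl 'DMSRETWU rc rs wuid'
if rc <> 0 then call fail 'DMSRETWU'
exit erase_rc

fail:
   parse arg routine
   say routine 'failed: retcode' rc 'reascode' rs
   /* DMSPURWU rolls back the work unit and severs its APPC connections, */
   /* so nothing done on behalf of ALTUSER lingers into the next request. */
   if got_wu then call csl 'DMSPURWU prc prs wuid'
   exit 100
```

Run it as `ALTWORK MATS PROFILE EXEC A` from the worker virtual machine. A multi-threaded worker cannot use the push/pop part of this pattern freely; as the post says, it must pass the work unit ID explicitly on each CSL call and serialize any stretch where the default work unit is changed.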


Re: vm alternat userid support

2006-05-19 Thread Alan Altmark
On Friday, 05/19/2006 at 08:35 ZE2, "Westlund, Mats (Mainframe servers)" 
<[EMAIL PROTECTED]> wrote:
> SFS does not check the alternate user, so the suggested method to 
> create a lock for a file to see what altuser is running does not 
> work if the worker itself uses any SFS files. 

SFS doesn't have a choice.  It sees the userid CP puts there.

But you're right that diag D4 only affects APPC connections made after 
that point, having no effect on existing connections.  So an application 
that tries to exploit this would have to issue the DMSPURWU CSL routine to 
sever the APPC connection before using Diag D4.

Alan Altmark
z/VM Development
IBM Endicott


Re: vm alternat userid support

2006-05-19 Thread Westlund, Mats (Mainframe servers)

> Another would be to create a lock on an SFS access directory, and then
> query the lock

SFS does not check the alternate user, so the suggested method to 
create a lock for a file to see what altuser is running does not 
work if the worker itself uses any SFS files.

When the worker first accesses a filepool, the APPC connection is 
assigned the userid/altuserid that the worker has at that moment, 
and that userid is kept in the SFS filepool as long as the APPC 
connection exists, so even if the worker is assigned a new altuser 
the connection to SFS still uses the old (first) userid.

To get the "right" userid the worker has to reset the APPC connection 
to the filepool before accessing files for the new user. 

This is a problem when developing worker applications using SFS: 
the worker itself can't use files in SFS, and the order of setting 
up APPC connections to SFS is very important.

Regards 
Mats Westlund



Re: vm alternat userid support

2006-05-18 Thread A. Harry Williams
On Thu, 18 May 2006 09:48:10 -0400 Alan Altmark said:
>On Thursday, 05/18/2006 at 09:41 ZE2, "Westlund, Mats (Mainframe servers)"
><[EMAIL PROTECTED]> wrote:
>> Is there any command or instruction that a worker machine can use to
>> obtain
>> the userid that it has been assigned by the set alternate user ( diagd4)
>>
>> The question is "who do I work for"?
>
>No, though a nice little home-grown diagnose could retrieve it from
>VMDALTID in the VMDBK.  That and the AUTOLOGged-by user would be good
>additions to diag 0x260.  I'll see what I can do.  (Kris' LCLQRY is a good
>start in the meantime.)
>
>[There is a kludge: you can create a spool file and look at the
>ORIGIN...it will have the alternate id.  Eeeew.]
>

Another would be to create a lock on an SFS access directory, and then
query the lock

create lock profile exec a share session
query lock profile exec a

will return

Directory = <fp>:<fs>.
Filename Filetype Fm Type Userid    Lock  Duration
PROFILE  EXEC     A1 BASE <altuser> SHARE SESSION

where <fp> is the filepool, <fs> is the filesystem and <altuser> is the
D4 user

There are other SFS tricks, like accessing a dircontrol directory and
looking at the accessors, etc.


>Alan Altmark
>z/VM Development
>IBM Endicott

/ahw


Re: vm alternat userid support

2006-05-18 Thread Alan Altmark
On Thursday, 05/18/2006 at 09:41 ZE2, "Westlund, Mats (Mainframe servers)" 
<[EMAIL PROTECTED]> wrote:
> Is there any command or instruction that a worker machine can use to
> obtain
> the userid that it has been assigned by the set alternate user ( diagd4)
> 
> The question is "who do I work for"?

No, though a nice little home-grown diagnose could retrieve it from 
VMDALTID in the VMDBK.  That and the AUTOLOGged-by user would be good 
additions to diag 0x260.  I'll see what I can do.  (Kris' LCLQRY is a good 
start in the meantime.) 

[There is a kludge: you can create a spool file and look at the 
ORIGIN...it will have the alternate id.  Eeeew.]

Alan Altmark
z/VM Development
IBM Endicott


Re: vm alternat userid support

2006-05-18 Thread Kris Buelens
Get the LCLQRY package from VM's download lib and you'll get a CP Q 
ALTUSER command.  Part of my RxServer package is a DIAGD4 MODULE to set 
the alternate userid.

Kris,
IBM Belgium, VM customer support




"Westlund, Mats (Mainframe servers)" <[EMAIL PROTECTED]>, sent by The IBM
z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>, wrote on 2006-05-18 09:41:

> Subject: vm alternat userid support
>
> Is there any command or instruction that a worker machine can use to
> obtain the userid that it has been assigned by the set alternate user
> (diagd4)
>
> The question is "who do I work for"?
>
> Regards
> Mats Westlund


vm alternat userid support

2006-05-18 Thread Westlund, Mats (Mainframe servers)
Is there any command or instruction that a worker machine can use to
obtain 
the userid that it has been assigned by the set alternate user ( diagd4)

The question is "who do I work for"?

Regards
Mats Westlund