Re: Ops privs (was Re: MAINTENANCE)

2007-08-25 Thread Phil Smith III
Nick Laflamme [EMAIL PROTECTED] wrote:
Fortunately, IBM makes it easy for us to define new command classes so
we can do it our way. If I were feeling demanding, I might whine about
IBM (and other vendors) listing command classes they want instead of
commands (and DIAGs) they want, but I'm not, so :-)  

Some of us had it beaten into our heads early (by having been IN shops with 
commands moved around among classes) to document Requires Class A for CP 
FORCE, XAUTOLOG, and SHUTDOWN and like'a'dat, but yeah, I've seen other 
vendors who don't do so well...

...phsiii


Re: Ops privs (was Re: MAINTENANCE)

2007-08-24 Thread pfa
TCPIP does FORCE and AUTOLOG/XAUTOLOG users

Schuh, Richard [EMAIL PROTECTED]
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
08/23/2007 06:39 PM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

True enough; however, I fear trusting anyone enough to include class A
in their directory privileges. We have very few Class C users. While on
the subject of privilege classes, why does TCPIP have class A?

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Thursday, August 23, 2007 3:07 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

On Thursday, 08/23/2007 at 01:06 EDT, Schuh, Richard [EMAIL PROTECTED] wrote:
 You do if you are adding a priv that is not in your directory entry.
 Most of us live in fear of the class A privileges, so we do not include
 it in our entries. Without either C or A, you cannot add A (or C, for
 that matter).

If you have class C, then you have all classes at your disposal, 
regardless of what's in the directory.  If, however, you define your 
userid with the maximum privs and then *take away* privs you do not 
normally require (see prior post), then you do not need class C.

When you decide you need class A, just SET PRIV * +A.
When done, SET PRIV * -A.

The concept of least privilege should be applied.

Alan Altmark
z/VM Development
IBM Endicott



Re: Ops privs (was Re: MAINTENANCE)

2007-08-24 Thread Schuh, Richard
In that case, FORCE and XAUTOLOG should be in a class that does not
include SHUTDOWN. After all, why should we trust TCPIP any more than we
do other users? Who knows what information it is shipping to Chuckie
unbeknownst to us? :-)

 

Regards, 
Richard Schuh 

 



From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 24, 2007 5:19 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

 


TCPIP does FORCE and AUTOLOG/XAUTOLOG users

Schuh, Richard [EMAIL PROTECTED]
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
08/23/2007 06:39 PM
Please respond to: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

True enough; however, I fear trusting anyone enough to include class A
in their directory privileges. We have very few Class C users. While on
the subject of privilege classes, why does TCPIP have class A?

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Thursday, August 23, 2007 3:07 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

On Thursday, 08/23/2007 at 01:06 EDT, Schuh, Richard [EMAIL PROTECTED] wrote:
 You do if you are adding a priv that is not in your directory entry.
 Most of us live in fear of the class A privileges, so we do not include
 it in our entries. Without either C or A, you cannot add A (or C, for
 that matter).

If you have class C, then you have all classes at your disposal, 
regardless of what's in the directory.  If, however, you define your 
userid with the maximum privs and then *take away* privs you do not 
normally require (see prior post), then you do not need class C.

When you decide you need class A, just SET PRIV * +A.
When done, SET PRIV * -A.

The concept of least privilege should be applied.

Alan Altmark
z/VM Development
IBM Endicott



Re: Ops privs (was Re: MAINTENANCE)

2007-08-24 Thread Schuh, Richard
We have a class V that allows class B queries.

Regards, 
Richard Schuh 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Nick Laflamme
Sent: Friday, August 24, 2007 10:25 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

Fortunately, IBM makes it easy for us to define new command classes so 
we can do it our way. If I were feeling demanding, I might whine about 
IBM (and other vendors) listing command classes they want instead of 
commands (and DIAGs) they want, but I'm not, so :-)

Does anyone else define a class that has all of the QUERYs and other 
output only classes? I run with class GU on my personal userid -- I 
can look to make sure all is well, but to actually fix anything (or 
break it worse), I need to get on something like MAINT.

Nick

Schuh, Richard wrote:

 In that case, FORCE and XAUTOLOG should be in a class that does not 
 include SHUTDOWN. After all, why should we trust TCPIP any more than 
 we do other users? Who knows what information it is shipping to 
 Chuckie unbeknownst to us?



Re: Ops privs (was Re: MAINTENANCE)

2007-08-24 Thread Kris Buelens
We have class Q for non-class G QUERY and INDICATE.

2007/8/24, Schuh, Richard [EMAIL PROTECTED]:

 We have a class V that allows class B queries.

 Regards,
 Richard Schuh

 -Original Message-
 From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
 Behalf Of Nick Laflamme
 Sent: Friday, August 24, 2007 10:25 AM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Ops privs (was Re: MAINTENANCE)

 Fortunately, IBM makes it easy for us to define new command classes so
 we can do it our way. If I were feeling demanding, I might whine about
 IBM (and other vendors) listing command classes they want instead of
 commands (and DIAGs) they want, but I'm not, so :-)

 Does anyone else define a class that has all of the QUERYs and other
 output only classes? I run with class GU on my personal userid -- I
 can look to make sure all is well, but to actually fix anything (or
 break it worse), I need to get on something like MAINT.

 Nick

 Schuh, Richard wrote:
 
  In that case, FORCE and XAUTOLOG should be in a class that does not
  include SHUTDOWN. After all, why should we trust TCPIP any more than
  we do other users? Who knows what information it is shipping to
  Chuckie unbeknownst to us?
 




-- 
Kris Buelens,
IBM Belgium, VM customer support


Ops privs (was Re: MAINTENANCE)

2007-08-23 Thread George Haddad

David Boyes wrote:

On our test system, we move SHUTDOWN to class S (or whatever).  Then



Sounds like a very good idea to implement generically for the next
release of VM. Having SHUTDOWN bunched in with all the other class A
commands has always been a loaded automatic without a safety. 


In fact, does OPERATOR really need anything but C and G for normal
operations? B would be convenient, but thinking about this as a more
general lockdown and cleanup, it might be worth tightening things up a
bit now that we're not really doing apps on CMS any more. 

  
Actually we never gave our ops class-C  ... only sysprogs got that. 
AFAIK, we never ran into a situation where they needed it. We gave them 
class E, as we had some tools that might need to display real memory, 
but never C  (look, but don't touch). They also got class-B, though, 
since they did some manual device management (usually tape drives -- 
occasionally DASD). And we also had a class override defined for 
Shutdown. Only ops got that, not sysprogs.


Re: Ops privs (was Re: MAINTENANCE)

2007-08-23 Thread David Boyes
 
 Actually we never gave our ops class-C  ... only sysprogs got that.

The only reason for C would be to enable SET PRIV, which would let us
take away all the other privs in the default setup. 


Re: Ops privs (was Re: MAINTENANCE)

2007-08-23 Thread Alan Altmark
On Thursday, 08/23/2007 at 12:31 EDT, David Boyes [EMAIL PROTECTED] 
wrote:
  
  Actually we never gave our ops class-C  ... only sysprogs got that.
 
 The only reason for C would be to enable SET PRIV, which would let us
 take away all the other privs in the default setup.

You don't need class C to manage your own privileges.

Also, the new COMMAND statement in the directory makes it easy to do 
things that were previously a PITA.  E.g. you no longer need to give a 
user class A just so they can SET SHARE when they logon.

In the case of SET PRIV:

USER ALAN BDEFG
:
COMMAND SET PRIVCLASS * =G
IPL  123

Alan Altmark
z/VM Development
IBM Endicott
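
An added example (not written by anyone in this thread, and not IBM code) that audits directory entries against the approach in the post above: hold the maximum classes in the directory, drop them at logon with a COMMAND statement, and add class A only when needed. The USER line layout follows the abbreviated form in the post; the userids other than ALAN and the sample entries are constructed, and the model applies SET PRIVCLASS operands literally without reproducing CP's authorization checks.

```python
import re

# Constructed directory excerpt, not taken from a real system. USER lines use
# the abbreviated form from the post above: userid, then privilege classes.
SAMPLE_DIRECTORY = """\
USER ALAN BDEFG
COMMAND SET PRIVCLASS * =G
IPL 123
USER OPER1 ABCEG
IPL 190
USER SVC1 ABG
COMMAND SET PRIV * -A
USER NICK GU
"""

SENSITIVE = set("AC")  # classes the thread is wary of holding all the time
SETPRIV = re.compile(r"COMMAND\s+SET\s+PRIV(?:CLASS)?\s+\*\s+([=+-])([A-Z0-9]+)$", re.I)

def apply_setpriv(current, op, classes):
    """Apply one SET PRIVCLASS operand (=, + or -) to a set of classes."""
    classes = set(classes.upper())
    if op == "=":
        return classes
    return current | classes if op == "+" else current - classes

def audit(directory_text):
    """Map userid -> (directory classes, classes after logon, finding)."""
    state, user = {}, None
    for raw in directory_text.splitlines():
        line = raw.strip()
        words = line.split()
        if len(words) >= 3 and words[0].upper() == "USER":
            user = words[1]
            state[user] = [set(words[2].upper()), set(words[2].upper())]
            continue
        m = SETPRIV.match(line)
        if user and m:
            state[user][1] = apply_setpriv(state[user][1], m.group(1), m.group(2))
    report = {}
    for user, (dir_cls, logon_cls) in state.items():
        held = "".join(sorted(logon_cls & SENSITIVE))
        finding = f"holds {held} from logon" if held else "ok"
        report[user] = ("".join(sorted(dir_cls)), "".join(sorted(logon_cls)), finding)
    return report

if __name__ == "__main__":
    for user, row in audit(SAMPLE_DIRECTORY).items():
        print(user, *row)
```
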


Re: Ops privs (was Re: MAINTENANCE)

2007-08-23 Thread Alan Altmark
On Thursday, 08/23/2007 at 01:06 EDT, Schuh, Richard [EMAIL PROTECTED] 
wrote:
 You do if you are adding a priv that is not in your directory entry.
 Most of us live in fear of the class A privileges, so we do not include
 it in our entries. Without either C or A, you cannot add A (or C, for
 that matter).

If you have class C, then you have all classes at your disposal, 
regardless of what's in the directory.  If, however, you define your 
userid with the maximum privs and then *take away* privs you do not 
normally require (see prior post), then you do not need class C.

When you decide you need class A, just SET PRIV * +A.
When done, SET PRIV * -A.

The concept of least privilege should be applied.

Alan Altmark
z/VM Development
IBM Endicott


Re: Ops privs (was Re: MAINTENANCE)

2007-08-23 Thread Schuh, Richard
True enough; however, I fear trusting anyone enough to include class A
in their directory privileges. We have very few Class C users. While on
the subject of privilege classes, why does TCPIP have class A?

Regards, 
Richard Schuh 


-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Thursday, August 23, 2007 3:07 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

On Thursday, 08/23/2007 at 01:06 EDT, Schuh, Richard [EMAIL PROTECTED] wrote:
 You do if you are adding a priv that is not in your directory entry.
 Most of us live in fear of the class A privileges, so we do not include
 it in our entries. Without either C or A, you cannot add A (or C, for
 that matter).

If you have class C, then you have all classes at your disposal, 
regardless of what's in the directory.  If, however, you define your 
userid with the maximum privs and then *take away* privs you do not 
normally require (see prior post), then you do not need class C.

When you decide you need class A, just SET PRIV * +A.
When done, SET PRIV * -A.

The concept of least privilege should be applied.

Alan Altmark
z/VM Development
IBM Endicott


Re: Ops privs (was Re: MAINTENANCE)

2007-08-23 Thread George Haddad

I thought it was for Locking/Unlocking pages, but I'm not sure.

Schuh, Richard wrote:

True enough; however, I fear trusting anyone enough to include class A
in their directory privileges. We have very few Class C users. While on
the subject of privilege classes, why does TCPIP have class A?

Regards, 
Richard Schuh 



-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Thursday, August 23, 2007 3:07 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Ops privs (was Re: MAINTENANCE)

If you have class C, then you have all classes at your disposal, 
regardless of what's in the directory.  If, however, you define your 
userid with the maximum privs and then *take away* privs you do not 
normally require (see prior post), then you do not need class C.


When you decide you need class A, just SET PRIV * +A.
When done, SET PRIV * -A.


The concept of least privilege should be applied.

Alan Altmark
z/VM Development
IBM Endicott