Re: vm alternat userid support
> Another would be to create a lock on an SFS access directory, and then query the lock

SFS does not check the alternate user, so the suggested method of creating a lock for a file to see what altuser is running does not work if the worker itself uses any SFS files. When the worker first accesses a filepool, the APPC connection is assigned the userid/altuserid that the worker has at that moment, and that userid is kept in the SFS filepool as long as the APPC connection exists, so even if the worker is assigned a new altuser the connection to SFS still uses the old (first) userid. To get the right userid, the worker has to reset the APPC connection to the filepool before accessing files for the new user. This is a problem when developing worker applications using SFS: the worker itself can't use files in SFS, and the order of setting up APPC connections to SFS is very important.

Regards
Mats Westlund
Re: vm alternat userid support
On Friday, 05/19/2006 at 08:35 ZE2, Westlund, Mats (Mainframe servers) [EMAIL PROTECTED] wrote:
> SFS does not check the alternate user, so the suggested method of creating a lock for a file to see what altuser is running does not work if the worker itself uses any SFS files.

SFS doesn't have a choice. It sees the userid CP puts there. But you're right that diag D4 only affects APPC connections made after that point, having no effect on existing connections. So an application that tries to exploit this would have to issue the DMSPURWU CSL routine to sever the APPC connection before using Diag D4.

Alan Altmark
z/VM Development
IBM Endicott
Re: vm alternat userid support
On Friday, 05/19/2006 at 09:33 AST, John Hall [EMAIL PROTECTED] wrote:
> If your worker and/or server is trusted, you can use the CSL API to create workunits that specify the altuser and then use that workunit on CSL calls for work for that altuser.

You mentioned 'trust'. The following is a public service announcement:

<security>
It's worth noting that the altuser support on DMSGETWU does not depend on diagnose 0xD4, but uses the ALTID parameter on APPCVM CONNECT. I mention this because diagnose 0xD4 is class B (by default) and can be problematic in a multi-threaded environment, requiring serialization of CONNECTs. (Imagine a virtual machine with two CPUs with Diag D4 race conditions.) It also grants more capability than is strictly needed, esp. if you just give class B instead of moving it to its own privclass.

DMSGETWU (with userid) only requires OPTION COMSRV in a class G user. The only other effect of OPTION COMSRV is that the user can choose to accept APPC connections in a way that stops CP from verifying any security-related information. This is how TSAF does what it does, but it requires extra programming to exploit it.
</security>

Alan Altmark
z/VM Development
IBM Endicott
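Added example (not part of any post in this thread, and not z/VM code): a small Python model of the two behaviours described above, an SFS connection that keeps the identity it was given at connect time, and a VM-wide Diag D4 value being overwritten between two CPUs before CONNECT. The class and function names are hypothetical; only the behaviour attributed to Diag D4, DMSPURWU and the ALTID parameter comes from the thread.

```python
# Toy model, constructed for illustration; none of these names are a real API.
class VirtualMachine:
    def __init__(self, userid):
        self.userid = userid
        self.altid = None              # VM-wide value, the way Diag D4 sets it

    def diag_d4(self, altuser):
        self.altid = altuser           # affects only connections made afterwards

class FilePool:
    def __init__(self):
        self.conns = {}                # worker userid -> identity bound at connect

    def connect(self, vm, altid=None):
        # altid given: per-connection identity (ALTID on APPCVM CONNECT).
        # altid omitted: CP supplies whatever the VM-wide value is right now.
        self.conns[vm.userid] = altid or vm.altid or vm.userid

    def sever(self, vm):
        self.conns.pop(vm.userid, None)    # the role DMSPURWU plays in the thread

    def access(self, vm):
        if vm.userid not in self.conns:    # first access connects implicitly
            self.connect(vm)
        return self.conns[vm.userid]       # identity the file pool acts on

def stale_connection(sever_first):
    vm, pool = VirtualMachine("WORKER"), FilePool()
    vm.diag_d4("ALICE")
    pool.access(vm)                    # connection is now bound to ALICE
    if sever_first:
        pool.sever(vm)
    vm.diag_d4("BOB")                  # worker starts serving BOB
    return pool.access(vm)

def two_cpu_race(use_altid):
    """Fixed interleaving: CPU 1 serves ALICE, CPU 2 serves BOB."""
    vm = VirtualMachine("WORKER")
    pool_a, pool_b = FilePool(), FilePool()
    if use_altid:
        pool_a.connect(vm, altid="ALICE")
        pool_b.connect(vm, altid="BOB")
    else:
        vm.diag_d4("ALICE")            # CPU 1
        vm.diag_d4("BOB")              # CPU 2 runs before CPU 1 connects
        pool_a.connect(vm)
        pool_b.connect(vm)
    return pool_a.access(vm), pool_b.access(vm)
```

In the model, skipping the sever leaves BOB's file access running as ALICE, and the unserialized Diag D4 sequence binds both connections to BOB; passing the identity on the connect itself avoids both.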
vm alternat userid support
Is there any command or instruction that a worker machine can use to obtain the userid that it has been assigned by the set alternate user (diagd4)?

The question is who do I work for?

Regards
Mats Westlund
Re: vm alternat userid support
Get the LCLQRY package from VM's download lib and you'll get a CP Q ALTUSER command. Part of my RxServer package is a DIAGD4 MODULE to set the alternate userid.

Kris,
IBM Belgium, VM customer support

Westlund, Mats (Mainframe servers) [EMAIL PROTECTED]
Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
2006-05-18 09:41
Please respond to The IBM z/VM Operating System
To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: vm alternat userid support

Is there any command or instruction that a worker machine can use to obtain the userid that it has been assigned by the set alternate user (diagd4)?

The question is who do I work for?

Regards
Mats Westlund
Re: vm alternat userid support
On Thursday, 05/18/2006 at 09:41 ZE2, Westlund, Mats (Mainframe servers) [EMAIL PROTECTED] wrote:
> Is there any command or instruction that a worker machine can use to obtain the userid that it has been assigned by the set alternate user (diagd4)? The question is who do I work for?

No, though a nice little home-grown diagnose could retrieve it from VMDALTID in the VMDBK. That and the AUTOLOGged-by user would be good additions to diag 0x260. I'll see what I can do. (Kris' LCLQRY is a good start in the meantime.)

[There is a kludge: you can create a spool file and look at the ORIGIN...it will have the alternate id. Eeeew.]

Alan Altmark
z/VM Development
IBM Endicott
Re: vm alternat userid support
On Thu, 18 May 2006 09:48:10 -0400 Alan Altmark said:
> On Thursday, 05/18/2006 at 09:41 ZE2, Westlund, Mats (Mainframe servers) [EMAIL PROTECTED] wrote:
> > Is there any command or instruction that a worker machine can use to obtain the userid that it has been assigned by the set alternate user (diagd4)? The question is who do I work for?
>
> No, though a nice little home-grown diagnose could retrieve it from VMDALTID in the VMDBK. That and the AUTOLOGged-by user would be good additions to diag 0x260. I'll see what I can do. (Kris' LCLQRY is a good start in the meantime.)
>
> [There is a kludge: you can create a spool file and look at the ORIGIN...it will have the alternate id. Eeeew.]

Another would be to create a lock on an SFS access directory, and then query the lock

    create lock profile exec a share session
    query lock profile exec a

will return

    Directory = fp:fs.
    Filename Filetype Fm Type Userid   Lock  Duration
    PROFILE  EXEC     A1 BASE altuser  SHARE SESSION

where fp is the filepool, fs is the filesystem and altuser is the D4 user.

There are other SFS tricks, like accessing a dircontrol directory and looking at the accessors, etc.

> Alan Altmark
> z/VM Development
> IBM Endicott

/ahw