INFO-VAX    Wed, 24 Oct 2007    Volume 2007 : Issue 581

Contents:
    Re: ANN: .NET Mono for VMS
    Re: DE500-XA on XP1000
    Re: Dialup then pass port to application
    Re: Dialup then pass port to application
    Re: Dialup then pass port to application
    Re: Dialup then pass port to application
    Re: Dialup then pass port to application
    Re: Dialup then pass port to application
    Infoserver images on Freeware #8
    Re: Infoserver images on Freeware #8
    Re: R&D on OpenVMS?
    Re: Reboot Cisco from DCL script
    Restarting Mozilla to where I was before
    Re: Restarting Mozilla to where I was before
    Re: Restarting Mozilla to where I was before
    Re: Restarting Mozilla to where I was before
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: SUBMIT command
    Re: unix "batch processing"
    Re: unix "batch processing"
    ZLXp-E3 and DS10 and VMS 8.3
    Re: ZLXp-E3 and DS10 and VMS 8.3
    Re: [OT] sudo
    [OT] sudo (was:Re: SUBMIT command)
    Re: [OT] sudo (was:Re: SUBMIT command)

----------------------------------------------------------------------

Date: 23 Oct 2007 23:34:46 GMT
From: healyzh@aracnet.com
Subject: Re: ANN: .NET Mono for VMS
Message-ID:

Arne Vajhøj wrote:
> Richard Maher wrote:
> > How many people would be interested in running .NET Mono on OpenVMS, Alpha
> > or Integrity? Of those, how many would want to:
> >
> > 1. use OpenVMS as a host for their .NET Clients
> > 2. use OpenVMS as a host for their .NET Servers
> > 3. both of the above

> I somehow suspect that you are not all serious.

I fear you are right, though I would absolutely love to be proven wrong.
I for one really want to see a working .NET implementation on
OpenVMS/Alpha. I suspect that anyone serious about this should take a
look at Portable.NET http://www.gnu.org/software/dotgnu/ even though I
would prefer to see Mono.

> Mono is thread oriented not forking oriented.
> It does run on Linux/IA64, so there must be some IA64 JIT code
> (Alpha could be hard though).

One advantage to Portable.NET is that it supports a wider range of
platforms, has been ported to both Alpha and ia64. The downside being,
I'm pretty sure they were running Linux.

Zane

------------------------------

Date: Wed, 24 Oct 2007 00:06:49 GMT
From: "Duncan Macdonald"
Subject: Re: DE500-XA on XP1000
Message-ID:

Some of the DE500 models have problems with Auto-negotiation, I would
suggest setting both the DE500 AND the router/switch to the same value
(100 FD for preference) and DISABLE Auto-negotiation on both. (I fell
foul of this some years ago with a DE500 that set itself to FD but the
switch thought was in HD - the results were "interesting".)

"Tom Linden" wrote in message news:op.t0nrk41mhv4qyg@murphus.linden...
> On Tue, 23 Oct 2007 09:14:41 -0700, Rob Brooks
> wrote:
>
>> "Tom Linden" writes:
>>> Suggestions?
>>
>> On the V8.3 system, try the following
>>
>> 1) at the console, set ewb0_mode to fastFD
>> 2) do not have any permanent settings in LANCP for EWB0
>> 3) are there any "EWB" devices besides the template device (EWB0)?
>> 4) what's the output from $ SHOW DEVICE/FULL EWB0 (new for V8.3)
>>
>> I'll ping the ethernet driver guru from VMS Engineering . . .
>>
>> -- Rob
>
> I thought I could look at the SRM variable with ^P and then resume with
> CONT. But it crashed:-( and caused all the shadow in the SAN to start
> merge :-( :-( I should have reset that cluster time variable, whatever it
> is called.
>
> Anyway upon booting
>
> %SYSINIT-I- waiting to form or join an OpenVMS Cluster
> %VMScluster-I-LOADSECDB, loading the cluster security database
> %EWA0, Auto-negotiation mode set by console
> %EWA0, Auto-negotiation (internal) starting
> %EWA0, Full Duplex 100baseTX connection selected
> %EWA0, Link state: UP
> %EWB0, FastFD mode set by console
> %EWA0, Auto-negotiation detected link down
> %EWA0, Auto-negotiation (internal) starting
> %EWA0, Link state: DOWN
> %EWA0, Full Duplex 100baseTX connection selected
> %EWA0, Link state: UP
>
> I wonder if it isn't a driver issue?
>
>
>
> --
> PL/I for OpenVMS
> www.kednos.com

------------------------------

Date: Tue, 23 Oct 2007 14:52:47 -0400
From: JF Mezei
Subject: Re: Dialup then pass port to application
Message-ID:

issinoho wrote:
> The other site is contactable via dialup so my thoughts are to hook up
> a modem to TTA0, manually dial the other site using a set host/dte
> session then drop out leaving the software application to allocate the
> 'live' TTA0 line.

You need to first ALLOCATE TTAx:
Then you SET HOST/DTE and do the manual dialup login and whatever,
then you exit from SET HOST/DTE, back at the $ and then start your
application.

If you do not ALLOCATE TTAx: beforehand, when you exit from SET
HOST/DTE, if your modem is wired/configured properly/securely, the line
will drop.

------------------------------

Date: Tue, 23 Oct 2007 19:35:51 -0000
From: issinoho
Subject: Re: Dialup then pass port to application
Message-ID: <1193168151.404359.132200@q3g2000prf.googlegroups.com>

On Oct 23, 7:52 pm, JF Mezei wrote:
> issinoho wrote:
> > The other site is contactable via dialup so my thoughts are to hook up
> > a modem to TTA0, manually dial the other site using a set host/dte
> > session then drop out leaving the software application to allocate the
> > 'live' TTA0 line.
>
> You need to first ALLOCATE TTAx:
> Then you SET HOST/DTE and do the manual dialup login and whatever,
> then you exit from SET HOST/DTE, back at the $ and then start your
> application.
>
> If you do not ALLOCATE TTAx: beforehand, when you exit from SET
> HOST/DTE, if your modem is wired/configured properly/securely, the line
> will drop.

If I ALLOCATE the port will that not then deny access to the
application which will also try to allocate the port? Or does the
closing of the SET HOST/DTE take care of that?

------------------------------

Date: Tue, 23 Oct 2007 16:11:04 -0400
From: JF Mezei
Subject: Re: Dialup then pass port to application
Message-ID:

issinoho wrote:
> If I ALLOCATE the port will that not then deny access to the
> application which will also try to allocate the port? Or does the
> closing of the SET HOST/DTE take care of that?

If your process allocates the port, then an application running in that
process will have access to the port.

Depends on how the application reacts. Normally, you can do just a
SYS$ASSIGN with no need to SYS$ALLOC. If you do a SYS$ALLOC on an
already allocated port, it would be a success but may not be a status code
of 1. (eg: port already allocated, but in a success way).

------------------------------

Date: Tue, 23 Oct 2007 21:12:40 -0000
From: issinoho
Subject: Re: Dialup then pass port to application
Message-ID: <1193173960.414453.181700@v29g2000prd.googlegroups.com>

On Oct 23, 9:11 pm, JF Mezei wrote:
> issinoho wrote:
> > If I ALLOCATE the port will that not then deny access to the
> > application which will also try to allocate the port? Or does the
> > closing of the SET HOST/DTE take care of that?
>
> If your process allocates the port, then an application running in that
> process will have access to the port.
>
> Depends on how the application reacts. Normally, you can do just a
> SYS$ASSIGN with no need to SYS$ALLOC. If you do a SYS$ALLOC on an
> already allocated port, it would be a success but may not be a status code
> of 1. (eg: port already allocated, but in a success way).

The application in question runs as a detached process and first
SYS$ALLOC then immediately SYS$ASSIGN the port. I can temporarily modify
this behaviour if it will help.

What do you recommend?

------------------------------

Date: Tue, 23 Oct 2007 23:05:25 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: Dialup then pass port to application
Message-ID:

In article <1193173960.414453.181700@v29g2000prd.googlegroups.com>, issinoho writes:
>
>
>On Oct 23, 9:11 pm, JF Mezei wrote:
>> issinoho wrote:
>> > If I ALLOCATE the port will that not then deny access to the
>> > application which will also try to allocate the port? Or does the
>> > closing of the SET HOST/DTE take care of that?
>>
>> If your process allocates the port, then an application running in that
>> process will have access to the port.
>>
>> Depends on how the application reacts. Normally, you can do just a
>> SYS$ASSIGN with no need to SYS$ALLOC. If you do a SYS$ALLOC on an
>> already allocated port, it would be a success but may not be a status code
>> of 1. (eg: port already allocated, but in a success way).
>
>The application in question runs as a detached process and first SYS
>$ALLOC then immediately SYS$ASSIGN the port. I can temporarily modify
>this behaviour if it will help.
>
>What do you recommend?

Does your RUN/DETACHED execute SYS$SYSTEM:LOGINOUT.EXE so that the
process will have a DCL context? Put the Kermit script and a RUN your-app
in a command file which this process can execute.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"
http://tmesis.com/drat.html

------------------------------

Date: Tue, 23 Oct 2007 20:58:58 -0400
From: JF Mezei
Subject: Re: Dialup then pass port to application
Message-ID:

issinoho wrote:
> The application in question runs as a detached process and first SYS
> $ALLOC then immediately SYS$ASSIGN the port. I can temporarily modify
> this behaviour if it will help.

That is a show stopper. If you allocate the port from your own process,
then a detached process will not have access to that port (unless you
give it phyio privilege, but even then, the $ALLOC will fail).

What you will need to do is to automate your connection, perhaps with a
kermit script. So you would have a procedure that runs as a detached
process which first allocates the port, then uses kermit to dial out and
do whatever is needed, and then the actual application.

------------------------------

Date: Tue, 23 Oct 2007 23:49:09 +0300
From: =?ISO-8859-1?Q?Uusim=E4ki?=
Subject: Infoserver images on Freeware #8
Message-ID: <471e5db8$0$3499$9b536df3@news.fv.fi>

Does anyone have an idea how the Infoserver software images on the
OpenVMS Freeware #8 distribution are created and how they can be
restored to e.g. a CD-R or directly to an Infoserver?

They don't seem to be backup save sets nor are they recordable images
(iso).

I tried to modify the file attributes used by usual backup save sets,
but still no luck.

When dumping the first blocks of the files, there can be seen sensible
information. I assume that the zipping or copying might have mixed up
the file structure.

Regards,

Kari

------------------------------

Date: Tue, 23 Oct 2007 16:19:26 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: Infoserver images on Freeware #8
Message-ID: <07102316192694_202002A8@antinode.org>

From: =?ISO-8859-1?Q?Uusim=E4ki?=

> Does anyone have an idea how the Infoserver software images on the
> OpenVMS Freeware #8 distribution are created and how they can be
> restored to e.g. a CD-R or directly to an Infoserver?

   I assume that you're talking about:

      http://h71000.www7.hp.com/freeware/freeware80/infoserver/infoserver.zip

or (the presumably identical):

      http://h71000.www7.hp.com/freeware/freeware80/infoserver/fw80_infoserver.zip

> They don't seem to be backup save sets nor are they recordable images
> (iso).

   Practically anything (which fits) can be put onto a CD, not only ISO
9660 file system images. I know nothing, but I assume that when the
instructions say:

      To use these disk images, these images must be replicated onto
      floppy disk media (the MS-DOS kit), or onto CD-R media, and then
      loaded into an appropriate MS-DOS client, or onto an InfoServer
      device.

that that's exactly what you need to do.

> I tried to modify the file attributes used by usual backup save sets,
> but still no luck.

   The file attributes of which file? How? Why? They're not BACKUP save
sets, are they?

> When dumping the first blocks of the files, there can be seen sensible
> information. I assume that the zipping or copying might have mixed up
> the file structure.

   Unlikely. Have you tried making a CD from the appropriate image file?

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Tue, 23 Oct 2007 14:49:13 -0400
From: JF Mezei
Subject: Re: R&D on OpenVMS?
Message-ID: <56ee7$471e4230$cef8887a$27596@TEKSAVVY.COM>

Rob Brown wrote:
> Scientific Research & Experimental Development
>

This is all moot. VMS doesn't need money for development. It needs
permission from HP to use some of the money it generates towards R&D and
re-hire the people HP let go.

The problem is that HP is in essence micromanaging VMS in the sense that
it can order staff reductions and prevent advertising/marketing even
though it pretends that the business units are supposed to be standing
on their own.

------------------------------

Date: Tue, 23 Oct 2007 14:39:52 -0400
From: JF Mezei
Subject: Re: Reboot Cisco from DCL script
Message-ID: <84d8f$471e4000$cef8887a$8563@TEKSAVVY.COM>

Another option to remotely control a device would be SNMP. Many devices
support SNMP commands for a reboot. You can use the
TCPIP$SNMP_REQUEST.EXE utility which was well documented in the 5.0 docs
but later removed from the documentation.

This would offer a "cleaner" interface at run time, one command with all
parameters on the same line and no scripts that can fail due to
unexpected prompt etc), but would take more time to setup (find the
proper incantation with the right long dotted numeric sequence to
trigger the reboot as well as configure the Cisco unit to accept such
requests from your host/community.

------------------------------

Date: Tue, 23 Oct 2007 14:58:48 -0400
From: JF Mezei
Subject: Restarting Mozilla to where I was before
Message-ID: <447c6$471e446f$cef8887a$28456@TEKSAVVY.COM>

Due to Mozilla leaking memory like a rotten row boat full of cracks, I
find myself having to exit Mozilla at some point because it slows down
to a crawl (the pGFLquo goes down to 0, Mozilla still runs, but is
extremely slow, even for stuff that shouldn't require more memory).

The problem is that if you have browser windows with many "important"
tabs, it takes a long time to record all the URLs, then exit mozilla and
re-enter those URLs.

Does anyone have tricks on how to save Mozilla environment and then
rebuild it once Mozilla is restarted ?

For short URLs, a quick cut/paste into a decterm is usually enough to be
able to rebuild it later. But for very long URLs, it isn't so simple.

------------------------------

Date: Tue, 23 Oct 2007 20:57:32 GMT
From: =?ISO-8859-1?Q?Jan-Erik_S=F6derholm?=
Subject: Re: Restarting Mozilla to where I was before
Message-ID: <0ftTi.12064$ZA.7823@newsb.telia.net>

JF Mezei wrote:
> Due to Mozilla leaking memory like a rotten row
> boat full of cracks,...

That's funny, I have my Mozilla/Firefox up all day long,
never needs any restart until I shut down my Win-XP box
in the evening...

------------------------------

Date: Tue, 23 Oct 2007 16:10:07 -0500
From: Ron Johnson
Subject: Re: Restarting Mozilla to where I was before
Message-ID:

On 10/23/07 13:58, JF Mezei wrote:
> Due to Mozilla leaking memory like a rotten row boat full of cracks, I
> find myself having to exit Mozilla at some point because it slows down
> to a crawl (the pGFLquo goes down to 0, Mozilla still runs, but is
> extremely slow, even for stuff that shouldn't require more memory).
>
> The problem is that if you have browser windows with many "important"
> tabs, it takes a long time to record all the URLs, then exit mozilla and
> re-enter those URLs.
>
> Does anyone have tricks on how to save Mozilla environment and then
> rebuild it once Mozilla is restarted ?
>
> For short URLs, a quick cut/paste into a decterm is usually enough to be
> able to rebuild it later. But for very long URLs, it isn't so simple.

I'm not certain about Mozilla anymore, but in FF you rudely kill it
from a separate process. Then when you restart it, FF asks if you want
to restore existing pages.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

------------------------------

Date: Wed, 24 Oct 2007 00:27:17 GMT
From: winston@SSRL.SLAC.STANFORD.EDU (Alan Winston - SSRL Central Computing)
Subject: Re: Restarting Mozilla to where I was before
Message-ID: <00A6F922.6C359743@SSRL.SLAC.STANFORD.EDU>

In article <0ftTi.12064$ZA.7823@newsb.telia.net>, =?ISO-8859-1?Q?Jan-Erik_S=F6derholm?= writes:
>JF Mezei wrote:
>
>> Due to Mozilla leaking memory like a rotten row
> > boat full of cracks,...
>
>That's funny, I have my Mozilla/Firefox up all day long,
>never needs any restart until I shut down my Win-XP box
>in the evening...

Actually, I'm running the most recent Firefox on a fully-patched Win-XP
box (which would be a fine answer to JF's question, since it lets you
bookmark tab groups or snapshots your open windows and tabs every so
often and rebuilds them if restarted) and after a while I get hideous
system slowdowns that are 'cured' by shutting down Firefox and bringing
it back. (When the slowdowns occur, I see 100% CPU for seconds at a
time; I presume this is actually something like pagefile fragmentation
which is resolved when Firefox lets go of everything.)

-- Alan

------------------------------

Date: 23 Oct 2007 14:35:38 -0400
From: Rich Alderson
Subject: Re: SUBMIT command
Message-ID:

bill@cs.uofs.edu (Bill Gunshannon) writes:

> In article ,
> Kilgallen@SpamCop.net (Larry Kilgallen) writes:

>> There are lots of things VMS considers to be security relevant
>> where Unix does not care.

> So you think requiring elevated privileges is less of a security
> threat?

Of course, absent password sharing, "elevated privileges" is the way such
things are done in a modern Unix as well.

--
Rich Alderson                    "You get what anybody gets. You get a lifetime."
news@alderson.users.panix.com    --Death, of the Endless

------------------------------

Date: 23 Oct 2007 18:51:47 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: SUBMIT command
Message-ID: <5o6u63Flgv9mU2@mid.individual.net>

In article , Rich Alderson writes:
> bill@cs.uofs.edu (Bill Gunshannon) writes:
>
>> In article ,
>> Kilgallen@SpamCop.net (Larry Kilgallen) writes:
>
>>> There are lots of things VMS considers to be security relevant
>>> where Unix does not care.
>
>> So you think requiring elevated privileges is less of a security
>> threat?
>
> Of course, absent password sharing, "elevated privileges" is the way such
> things are done in a modern Unix as well.

Ridiculous. As Unix only has two real levels of privilege one would
have to be an idiot to give a regular user elevated privileges.
Given a good, real explanation of the problem a true Unix solution not
requiring elevated privileges could undoubtedly be found.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

Date: Tue, 23 Oct 2007 12:47:06 -0700
From: Doug Phillips
Subject: Re: SUBMIT command
Message-ID: <1193168826.737884.26220@v29g2000prd.googlegroups.com>

On Oct 23, 12:31 pm, b...@cs.uofs.edu (Bill Gunshannon) wrote:
> In article ,
> Kilgal...@SpamCop.net (Larry Kilgallen) writes:
> > In article <5o6l41Fktd8...@mid.individual.net>, b...@cs.uofs.edu (Bill Gunshannon) writes:
> >> In article <4$VTv9Rz+...@eisner.encompasserve.org>,
> >> bri...@encompasserve.org writes:
> >>> In article <1193153254.512670.15...@t8g2000prg.googlegroups.com>, a13...@yahoo.com writes:
> >>>> What kind privileges I need to check?
>
> >>> $ HELP SUBMIT /USER
> >>> SUBMIT
>
> >>> /USER
>
> >>> /USER=username
>
> >>> Requires CMKRNL (change mode to kernel) privilege and read (R)
> >>> and write (W) access to the user authorization file (UAF).
>
> >> Ohmigod!!!! There is actually something that Unix can do that
> >> VMS can't do (at least not without elevated privileges on the
> >> VMS side!!)
>
> > There are lots of things VMS considers to be security relevant
> > where Unix does not care.
>
> So you think requiring elevated privileges is less of a security
> threat?

Absolutely! To run a job as another user on VMS, you must be
authorized to do so. Apparently on *nix, you just need to know a
password. On any pass-word protected system, anyone who knows a user's
password can log in as that user. Is that "built-in" security?

> Or is the VMS answer simply, "We won't let you do that."
> (Actually, that is the usual answer to any user request from the
> VMS shop here, so maybe it is the norm!!)
>

The OP question of "how" needs an answer to the question of "why." If
user "notscott" needs to submit a job as "scott" then I'd say there's
something wrong with the site's security model. VMS offers many ways
to achieve any such legitimate result without using impersonation. I
have never found a sound reason for one user to impersonate another in
a production environment except at the administration level.

A person must be authorized to do something or "we won't let them do
that" and that's the way it should be. How can anyone interested in
keeping a secure system find fault with that?

Maybe the OP found a scott-owned batch job that scott claims he didn't
submit? We don't know because the question of what problem the OP is
trying to solve hasn't been answered.

------------------------------

Date: Tue, 23 Oct 2007 16:21:46 -0400
From: JF Mezei
Subject: Re: SUBMIT command
Message-ID: <4de54$471e57db$cef8887a$17324@TEKSAVVY.COM>

Doug Phillips wrote:
> Absolutely! To run a job as another user on VMS, you must be
> authorized to do so.

Are there not any remnants of the punched card days where you could
specify username/password to create a batch job running under that user
? (is it the $DECK stuff ?)

Of course, you can use DECNET to create a task under any
username/password combo. eg: NODE"user pass"::"0=TEST"

------------------------------

Date: Tue, 23 Oct 2007 16:02:00 -0500
From: Ron Johnson
Subject: Re: SUBMIT command
Message-ID:

On 10/23/07 11:17, Bill Gunshannon wrote:
> In article <4$VTv9Rz+Npg@eisner.encompasserve.org>,
> briggs@encompasserve.org writes:
>> In article , a13365@yahoo.com writes:
>>> What kind privileges I need to check?
>> $ HELP SUBMIT /USER
>> SUBMIT
>>
>> /USER
>>
>> /USER=username
>>
>> Requires CMKRNL (change mode to kernel) privilege and read (R)
>> and write (W) access to the user authorization file (UAF).
>
> Ohmigod!!!! There is actually something that Unix can do that
> VMS can't do (at least not without elevated privileges on the
> VMS side!!)

It would be kinda awkward for a batch job to prompt for a password.

Anyway, submitting a job under some other meatbag's username is
frowned upon at our site.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

------------------------------

Date: Tue, 23 Oct 2007 16:06:36 -0500
From: Ron Johnson
Subject: Re: SUBMIT command
Message-ID:

On 10/23/07 13:35, Rich Alderson wrote:
> bill@cs.uofs.edu (Bill Gunshannon) writes:
>
>> In article ,
>> Kilgallen@SpamCop.net (Larry Kilgallen) writes:
>
>>> There are lots of things VMS considers to be security relevant
>>> where Unix does not care.
>
>> So you think requiring elevated privileges is less of a security
>> threat?
>
> Of course, absent password sharing, "elevated privileges" is the way such
> things are done in a modern Unix as well.

sudo and /etc/sudoers.

The sysadmin gives specific users specific permission to run
specific programs.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

------------------------------

Date: Tue, 23 Oct 2007 15:31:20 -0700
From: Doug Phillips
Subject: Re: SUBMIT command
Message-ID: <1193178680.861755.236090@t8g2000prg.googlegroups.com>

On Oct 23, 3:21 pm, JF Mezei wrote:
> Doug Phillips wrote:
> > Absolutely! To run a job as another user on VMS, you must be
> > authorized to do so.
>
> Are there not any remnants of the punched card days where you could
> specify username/password to create a batch job running under that user
> ? (is it the $DECK stuff ?)
>
> Of course, you can use DECNET to create a task under any
> username/password combo. eg: NODE"user pass"::"0=TEST"

Don't know. All of my punched card days (with one brief exception)
were spent with IBM mainframes.

A punched card type of batch process would probably not be run by a
"normal" user, though, but by an operator with priv's sufficient to
operate the system or be submitted by a system-like account. If the
batch mechanism you mention (not the DECnet stuff -- that's different)
still exists, I've never seen nor used it.

A "normal" user should never have a reason to do *anything* under
another user's name or to know another user's password in order to do
their own work. Period.

One of the really great things about VMS is that you can do pretty
much anything you want, security wise. You can open up or restrict it
however and as much as you want or need to.

In other words, with VMS you have all of the choices. You can run with
zero to near-maximum security and anywhere between by using the tools
that come with it. You aren't forced to compensate or make
compromises. You just need to understand the tools.

Since I don't work with any "modern" *nix/*nux in anything other than
a play-toy environment, I don't know all of its security tricks,
strengths or weaknesses, so I won't enter into that war. Heck, even
after all these years I'm still learning things about VMS!

------------------------------

Date: Tue, 23 Oct 2007 23:02:47 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: SUBMIT command
Message-ID:

In article , Ron Johnson writes:
>
>
>On 10/23/07 13:35, Rich Alderson wrote:
>> bill@cs.uofs.edu (Bill Gunshannon) writes:
>>
>>> In article ,
>>> Kilgallen@SpamCop.net (Larry Kilgallen) writes:
>>
>>>> There are lots of things VMS considers to be security relevant
>>>> where Unix does not care.
>>
>>> So you think requiring elevated privileges is less of a security
>>> threat?
>>
>> Of course, absent password sharing, "elevated privileges" is the way such
>> things are done in a modern Unix as well.
>
>sudo and /etc/sudoers.
>
>The sysadmin gives specific users specific permission to run
>specific programs.

I only wish that I could enter 'sudo' and type my password and then
stay in a context where I could do multiple commands with the 'sudo'
authorized privies.

i.e.

% sudo
Password: ******
sudo% command
sudo% command
sudo% command
sudo% exit

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

http://tmesis.com/drat.html

------------------------------

Date: 23 Oct 2007 23:09:42 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: SUBMIT command
Message-ID: <5o7d9lFkmdm3U1@mid.individual.net>

In article , VAXman- @SendSpamHere.ORG writes:
> In article , Ron Johnson writes:
>>
>>
>>On 10/23/07 13:35, Rich Alderson wrote:
>>> bill@cs.uofs.edu (Bill Gunshannon) writes:
>>>
>>>> In article ,
>>>> Kilgallen@SpamCop.net (Larry Kilgallen) writes:
>>>
>>>>> There are lots of things VMS considers to be security relevant
>>>>> where Unix does not care.
>>>
>>>> So you think requiring elevated privileges is less of a security
>>>> threat?
>>>
>>> Of course, absent password sharing, "elevated privileges" is the way such
>>> things are done in a modern Unix as well.
>>
>>sudo and /etc/sudoers.
>>
>>The sysadmin gives specific users specific permission to run
>>specific programs.
>
>
> I only wish that I could enter 'sudo' and type my password and then
> stay in a context where I could do multiple commands with the 'sudo'
> authorized privies.
>
> i.e.
>
> % sudo
> Password: ******
> sudo% command
> sudo% command
> sudo% command
> sudo% exit

Well, sudo is for specific commands and not general use. But it
wouldn't take much to provide a menu that had more than one command
available at any given time. If you are looking for general command
execution use plain "su".

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

Date: Tue, 23 Oct 2007 23:14:53 GMT
From: Rob Brown
Subject: Re: SUBMIT command
Message-ID:

On Tue, 23 Oct 2007 VAXman-@SendSpamHere.ORG wrote:

> I only wish that I could enter 'sudo' and type my password and then
> stay in a context where I could do multiple commands with the 'sudo'
> authorized privies.
>
> i.e.
>
> % sudo
> Password: ******
> sudo% command
> sudo% command
> sudo% command
> sudo% exit

On my system, "sudo -s" does that. I think, however, that none of the
subsequent commands are logged like they would have been if you had
done "sudo command".

--
Rob Brown                        b r o w n a t g m c l d o t c o m
G. Michaels Consulting Ltd.      (780)438-9343 (voice)
Edmonton                         (780)437-3367 (FAX)
                                 http://gmcl.com/

------------------------------

Date: 23 Oct 2007 23:15:57 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: SUBMIT command
Message-ID: <5o7dldFkmdm3U2@mid.individual.net>

In article <1193168826.737884.26220@v29g2000prd.googlegroups.com>, Doug Phillips writes:
> On Oct 23, 12:31 pm, b...@cs.uofs.edu (Bill Gunshannon) wrote:
>> In article ,
>> Kilgal...@SpamCop.net (Larry Kilgallen) writes:
>> > In article <5o6l41Fktd8...@mid.individual.net>, b...@cs.uofs.edu (Bill Gunshannon) writes:
>> >> In article <4$VTv9Rz+...@eisner.encompasserve.org>,
>> >> bri...@encompasserve.org writes:
>> >>> In article <1193153254.512670.15...@t8g2000prg.googlegroups.com>, a13...@yahoo.com writes:
>> >>>> What kind privileges I need to check?
>>
>> >>> $ HELP SUBMIT /USER
>> >>> SUBMIT
>>
>> >>> /USER
>>
>> >>> /USER=username
>>
>> >>> Requires CMKRNL (change mode to kernel) privilege and read (R)
>> >>> and write (W) access to the user authorization file (UAF).
>>
>> >> Ohmigod!!!! There is actually something that Unix can do that
>> >> VMS can't do (at least not without elevated privileges on the
>> >> VMS side!!)
>>
>> > There are lots of things VMS considers to be security relevant
>> > where Unix does not care.
>>
>> So you think requiring elevated privileges is less of a security
>> threat?
>
> Absolutely! To run a job as another user on VMS, you must be
> authorized to do so. Apparently on *nix, you just need to know a
> password. On any pass-word protected system, anyone who knows a user's
> password can log in as that user. Is that "built-in" security?
>
>> Or is the VMS answer simply, "We won't let you do that."
>> (Actually, that is the usual answer to any user request from the
>> VMS shop here, so maybe it is the norm!!)
>>
>
> The OP question of "how" needs an answer to the question of "why."

That's why I said more info was needed in order to devise a suitable
and secure method to accomplish it.

> If
> user "notscott" needs to submit a job as "scott" then I'd say there's
> something wrong with the site's security model. VMS offers many ways
> to achieve any such legitimate result without using impersonation. I
> have never found a sound reason for one user to impersonate another in
> a production environment except at the administration level.
>
> A person must be authorized to do something or "we won't let them do
> that" and that's the way it should be. How can anyone interested in
> keeping a secure system find fault with that?
>
> Maybe the OP found a scott-owned batch job that scott claims he didn't
> submit? We don't know because the question of what problem the OP is
> trying to solve hasn't been answered.
>

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include
------------------------------
Date: Tue, 23 Oct 2007 23:33:06 GMT
From: Rob Brown
Subject: Re: SUBMIT command
Message-ID:

On Tue, 23 Oct 2007, JF Mezei wrote:

> Are there not any remnants of the punched card days where you could
> specify username/password to create a batch job running under that
> user ? (is it the $DECK stuff ?)

According to the System Manager's Guide and the DCL Dictionary, you
need a $JOB card to specify the username and a $PASSWORD card to
specify the password.

--
Rob Brown                        b r o w n a t g m c l d o t c o m
G. Michaels Consulting Ltd.      (780)438-9343 (voice)
Edmonton                         (780)437-3367 (FAX)
                                 http://gmcl.com/
------------------------------
Date: Tue, 23 Oct 2007 20:50:12 -0500
From: Ron Johnson
Subject: Re: SUBMIT command
Message-ID:

On 10/23/07 17:31, Doug Phillips wrote:
[snip]
>
> Don't know. All of my punched card days (with one brief exception)
> were spent with IBM mainframes.
>
> A punched card type of batch process would probably not be run by a
> "normal" user, though, but by an operator with priv's sufficient to
> operate the system or be submitted by a system-like account. If the

But all batch jobs are "punched card type of batch process", since a
.COM file is a pseudo-deck.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
------------------------------
Date: Tue, 23 Oct 2007 22:25:03 -0400
From: JF Mezei
Subject: Re: SUBMIT command
Message-ID: <83f4a$471ead00$cef8887a$6198@TEKSAVVY.COM>

Ron Johnson wrote:
> But all batch jobs are "punched card type of batch process", since a
> .COM file is a pseudo-deck.
>

On MVS (or whatever it is called this week), this is the case. But on
VMS, this is not quite the case.

On VMS, a batch entry is a glorified pointer to a file. So when a batch
job starts, it reads from that file.

I have to assume that for VMS "punched card" stuff, there would have
been some detached process controlling the hardware reader and it was
that detached process that would have copied the cards to some temporary
files that would have then been submitted. (is that correct ?)
------------------------------
Date: Tue, 23 Oct 2007 21:53:38 -0500
From: Ron Johnson
Subject: Re: SUBMIT command
Message-ID:

On 10/23/07 21:25, JF Mezei wrote:
> Ron Johnson wrote:
>> But all batch jobs are "punched card type of batch process", since a
>> .COM file is a pseudo-deck.
>>
>
> On MVS (or whatever it is called this week), this is the case. But on
> VMS, this is not quite the case.
>
> On VMS, a batch entry is a glorified pointer to a file. So when a batch
> job starts, it reads from that file.
>
> I have to assume that for VMS "punched card" stuff, there would have
> been some detached process controlling the hardware reader and it was
> that detached process that would have copied the cards to some temporary
> files that would have then been submitted. (is that correct ?)

OTOH, the $ that leads all "command" lines serves the same function
as JCL's //, and data rows act just like they do in a card deck.

$ SET VER
$ RUN SYS$LOGIN:SOMEPROG.EXE
DATA 1
MORE DATA
LOTS OF DATA
EVEN MORE DATA
$! END OF STREAM
$ EXIT

If it looks like a deck, acts like a deck and quacks like a deck,
it's a card deck.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
------------------------------
Date: 23 Oct 2007 14:32:43 -0400
From: Rich Alderson
Subject: Re: unix "batch processing"
Message-ID:

bill@cs.uofs.edu (Bill Gunshannon) writes:
> In article ,
> Kilgallen@SpamCop.net (Larry Kilgallen) writes:
>> If you want to fully share access, then create usernames with a shared
>> UIC. They have the same rights to data but separate audit identities.
> If I am correct, that would be the same as a Unix Group.
> But that
> wasn't what the requestor was asking about. He wanted to run something
> as another user.

Not quite the same as a Unix group, which functions much like an RSX-11 or
Tops-10 "project" (as in project-programmer number); I believe that VMS (used
to) call UIC's by that name, too.

The Unix equivalent to Mr. Kilgallen's suggestion is assigning the same numeric
userid (uid) to two different usernames in the password file.

--
Rich Alderson                      "You get what anybody gets. You get a lifetime."
news@alderson.users.panix.com                        --Death, of the Endless
------------------------------
Date: 23 Oct 2007 18:48:46 GMT
From: bill@cs.uofs.edu (Bill Gunshannon)
Subject: Re: unix "batch processing"
Message-ID: <5o6u0eFlgv9mU1@mid.individual.net>

In article , Rich Alderson writes:
> bill@cs.uofs.edu (Bill Gunshannon) writes:
>
>> In article ,
>> Kilgallen@SpamCop.net (Larry Kilgallen) writes:
>
>>> If you want to fully share access, then create usernames with a shared
>>> UIC. They have the same rights to data but separate audit identities.
>
>> If I am correct, that would be the same as a Unix Group. But that
>> wasn't what the requestor was asking about. He wanted to run something
>> as another user.
>
> Not quite the same as a Unix group, which functions much like an RSX-11 or
> Tops-10 "project" (as in project-programmer number); I believe that VMS (used
> to) call UIC's by that name, too.
>
> The Unix equivalent to Mr. Kilgallen's suggestion is assigning the same numeric
> userid (uid) to two different usernames in the password file.

I certainly hope not as that would be an accounting nightmare and little
different than sharing passwords. The only user that would ever show up
is the first one (sequentially) in the password file. The only time the
second (or subsequent) username (as opposed to uid) would be used is by
the login process.

VMS has UIDs and UICs (right?). The only equivalent in Unix would be
uid and gid.
Groups were never fully implemented (I believe Dennis Ritchie has
some papers on the web somewhere explaining why) and as such do not
offer the full capabilities you get with VMS UIC's.

To be honest, like most of the questions of the type, "How do I do VMS
function X under Unix?" It would probably be better if the asker just
described what it was they were trying to accomplish without couching
it in terms of VMS and let someone who knows Unix give them a real
answer. Of course, they should probably be asking it in a Unix
newsgroup as well as the track record on Unix advice here has never
been all that good.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
bill@cs.scranton.edu     |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include
------------------------------
Date: Wed, 24 Oct 2007 00:18:08 GMT
From: winston@SSRL.SLAC.STANFORD.EDU (Alan Winston - SSRL Central Computing)
Subject: ZLXp-E3 and DS10 and VMS 8.3
Message-ID: <00A6F921.25058BCC@SSRL.SLAC.STANFORD.EDU>

Gang --

I have a DS10 (not the one I just won, which is a DS10L; this is for work).
It's just out of the box and has never run here. We bought it without
a graphics adapter. I was given a card marked PBXGA-CA,
which I was able to put in the short PCI slot.

Googling suggests this card is a ZLXp-E3

This doesn't seem to be listed in the OpenVMS SPD 8.3, which lists:

Graphics Options

PBXGK   ELSA/GLoria Synergy+ graphics option that provides 2D
        acceleration for supported PCI-based Alpha Workstations
        and Servers.

PBXGD   PowerStorm 300/500 graphics option that provides 3D
        acceleration or 3D acceleration with stereo viewing
        capabilities for supported PCI-based Alpha Workstations
        and Servers.

PBXGF   3DLabs OXYGEN VX1 graphics option that provides 2D
        acceleration for supported PCI-based Alpha Workstations
        and Servers.

PBXGG   ATI RADEON 7500 2D and 3D, PCI and AGP graphics option.

None of which are PBXGA-CAs, to be sure.

I find that the ZLXp-E3 is called out by name in the DECwindows for VMS 1.2-5
release notes, in a way that implies that you can use the ZLXp-E3, thus:

V1.2--3
    The latest version of the Window Manager (MWM) is modified to
    support overlays and utilize additional planes of memory, which
    are available on several 3D graphics accelerators: ZLX-M1, ZLX-M2,
    ZLX-L1, ZLX-E2, ZLX-E3, ZLXp-E2, and ZLXp-E3. The Window Manager
    places borders and banners for all the windows into these extra
    planes of memory and thereby reduces the number of expose events
    for your applications that use overlays.

----------------------------------------------------------------------------

My questions:

Should my DS10 know how to drive this card well enough to use it for the
console when booting? (Currently, a video cable running from the card to
a Raritan switch shows no signal on the card when I boot the system, but I
could have screwed that up any number of ways.)

What do the dip switches on the card mean and how should they be set?

Will this card function to drive a DECwindows-type console under VMS 8.3?

Should I bag this and get a Radeon?

Thanks,

-- Alan
------------------------------
Date: Tue, 23 Oct 2007 19:33:48 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: ZLXp-E3 and DS10 and VMS 8.3
Message-ID: <07102319334836_202002A8@antinode.org>

From: winston@SSRL.SLAC.STANFORD.EDU (Alan Winston - SSRL Central Computing)

> I have a DS10 (not the one I just won, which is a DS10L; this is for work).
> It's just out of the box and has never run here. We bought it without
> a graphics adapter. I was given a card marked PBXGA-CA,
> which I was able to put in the short PCI slot.
>
> Googling suggests this card is a ZLXp-E3

Sounds right to me.

> This doesn't seem to be listed in the OpenVMS SPD 8.3, which lists:
> [...]

It's too old to be tested any more. I used them in my AlpSta 200
4/233 systems when they were "new".

> Should my DS10 know how to drive this card well enough to use it for the
> console when booting? (Currently, a video cable running from the card to
> a Raritan switch shows no signal on the card when I boot the system, but I
> could have screwed that up any number of ways.)

I wouldn't bet on it. I generally replaced my PBXGA cards with ELSA
GLoria Synergy-8 cards, rather than promoting them into my XP1000
systems, so if I ever did try one there, I've forgotten the outcome. I
have a dim recollection of problems using a PBXGA in my (now disused)
PWS 500a[u], however, which leads me to doubt the likelihood of success
in an XP1000.

Does SRM "show config" name the thing?

> What do the dip switches on the card mean

Keep searching with Google, and you should find:

http://antinode.org/dec/pbxga_settings.html

> and how should they be set?

Depends on your display's capabilities.

> Will this card function to drive a DECwindows-type console under VMS 8.3?

Probably on old hardware, unknown on a modern system (PWS or newer).

> Should I bag this and get a Radeon?

Most likely. The XP1000 seems to like those.

------------------------------------------------------------------------

Steven M. Schweda               sms@antinode-org
382 South Warwick Street        (+1) 651-699-9818
Saint Paul MN 55105-2547
------------------------------
Date: Tue, 23 Oct 2007 20:47:55 -0500
From: Ron Johnson
Subject: Re: [OT] sudo
Message-ID:

On 10/23/07 18:32, bradhamilton wrote:
> VAXman- @SendSpamHere.ORG wrote:
>> In article , Ron Johnson
>> writes:
> [...]
>> I only wish that I could enter 'sudo' and type my password and then
>> stay in a context where I could do multiple commands with the 'sudo'
>> authorized privies.
>> i.e.
>>
>> % sudo
>> Password: ******
>> sudo% command
>> sudo% command
>> sudo% command
>> sudo% exit
>
> On the Linux distro I use on my laptop (Ubuntu), I think that sudo is
> "timeout-controlled"; i.e., I can enter several "sudo" commands in quick
> succession without re-entering the password each time, but if I wait for
> a(n) (unknown) period of time, I have to enter a password on the
> subsequent "sudo" command.

$ man 5 sudoers

    Number of minutes that can elapse before sudo will ask for
    a passwd again. The default is 15. Set this to 0 to always
    prompt for a password. If set to a value less than 0 the
    user's timestamp will never expire. This can be used to
    allow users to create or delete their own timestamps via
    sudo -v and sudo -k respectively.

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!
------------------------------
Date: Tue, 23 Oct 2007 19:32:07 -0400
From: bradhamilton
Subject: [OT] sudo (was:Re: SUBMIT command)
Message-ID: <471E8477.1070802@comcast.net>

VAXman- @SendSpamHere.ORG wrote:
> In article , Ron Johnson writes:
[...]
> I only wish that I could enter 'sudo' and type my password and then
> stay in a context where I could do multiple commands with the 'sudo'
> authorized privies.
>
> i.e.
>
> % sudo
> Password: ******
> sudo% command
> sudo% command
> sudo% command
> sudo% exit

On the Linux distro I use on my laptop (Ubuntu), I think that sudo is
"timeout-controlled"; i.e., I can enter several "sudo" commands in quick
succession without re-entering the password each time, but if I wait for
a(n) (unknown) period of time, I have to enter a password on the
subsequent "sudo" command.
------------------------------
Date: Wed, 24 Oct 2007 05:35:43 +0200
From: "P. Sture"
Subject: Re: [OT] sudo (was:Re: SUBMIT command)
Message-ID:

In article <471E8477.1070802@comcast.net>, bradhamilton wrote:
> VAXman- @SendSpamHere.ORG wrote:
> > In article , Ron Johnson
> > writes:
> [...]
> > I only wish that I could enter 'sudo' and type my password and then
> > stay in a context where I could do multiple commands with the 'sudo'
> > authorized privies.
> >
> > i.e.
> >
> > % sudo
> > Password: ******
> > sudo% command
> > sudo% command
> > sudo% command
> > sudo% exit
>
> On the Linux distro I use on my laptop (Ubuntu), I think that sudo is
> "timeout-controlled"; i.e., I can enter several "sudo" commands in quick
> succession without re-entering the password each time, but if I wait for
> a(n) (unknown) period of time, I have to enter a password on the
> subsequent "sudo" command.

Ditto on OS X. From 'man sudo':

"Once a user has been authenticated, a timestamp is updated and the
user may then use sudo without a password for a short period of time
(5 minutes unless overridden in sudoers)."

There is also 'sudo -k' which cancels the above timestamp, so that you
can do:

sudo command1
Password: ******
sudo command2
sudo command3
sudo -k # kill the sudo timestamp
sudo command4
Password: ******

--
Paul Sture

Sue's OpenVMS bookmarks:
http://eisner.encompasserve.org/~sture/ovms-bookmarks.html
------------------------------
End of INFO-VAX 2007.581
************************
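Rob Brown's remark in the SUBMIT thread, that commands run inside a "sudo -s" shell are not logged the way "sudo command" is, can be checked from the log side: sudo records only the command it launches, so a root shell shows up as one entry. The following is an added example, not code from any poster in this digest; the log lines, host and user names are constructed, and the shell list is an assumption to adjust per site.

```python
import re

# Assumed list of shells; launching one through sudo opens a session whose
# later commands never reach the sudo log.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}

# sudo's syslog entry: "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
ENTRY = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.+)$"
)

# Constructed sample log, embedded so the example runs offline.
SAMPLE_LOG = """\
Oct 23 23:10:01 hostA sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Oct 23 23:14:53 hostA sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct 23 23:20:12 hostA sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c /usr/local/bin/rotate
Oct 23 23:31:40 hostA sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
Oct 23 23:40:00 hostA sshd[411]: Accepted password for carol from 192.0.2.7 port 50022 ssh2
"""

def parse_entry(line):
    """Return the fields of a sudo command entry, or None for any other line."""
    m = ENTRY.search(line)
    return m.groupdict() if m else None

def opens_shell(command):
    """True when the logged command is an interactive shell rather than one task."""
    argv = command.split()
    prog = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    if prog == "su":
        # "su", "su -", "su - user" give a shell; "su -c ..." names its command.
        return not any(a in ("-c", "--command") or a.startswith("--command=")
                       for a in args)
    if prog in SHELLS:
        # A script path or a "-c" string is itself the logged command.
        return all(a.startswith("-") and a != "-c" for a in args)
    return False

def unaudited_sessions(lines):
    """List (user, run-as user, command) for entries that open a shell."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry and opens_shell(entry["command"]):
            hits.append((entry["user"], entry["runas"], entry["command"]))
    return hits

if __name__ == "__main__":
    for user, runas, command in unaudited_sessions(SAMPLE_LOG.splitlines()):
        print(f"{user} opened a shell as {runas}: {command}")
```

Each flagged entry marks the start of a session whose individual commands have to be recovered from another source, such as process accounting or shell history.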