topic Re: Logical Name Table Protection in Operating System - OpenVMS

Logical Name Table Protection

Robert Atkinson — Mon, 06 Nov 2006 08:29:49 GMT

Any idea how I change the protection on this Group Name Table to (G:RW) permanently?

Do I need to put something into SYSECURITY.COM?

(LNM$GROUP_000310) [kernel] [shareable,group]
[Protection=(RWCD,R,R,)] [Owner=[ITDEVMT,*]]

Rob.

Re: Logical Name Table Protection

Volker Halle — Mon, 06 Nov 2006 08:40:41 GMT

Rob,

putting the commands in SYSECURITY.COM won't help, as this group table would probably not yet exists at startup time.

The group logical name table get created, once the first user in that group logs in.

You might want to submit a batch-job under a user of this group during startup and then set the protection of the group table from a privileged user, once the batch job has finished and the group table has been created.

Volker.

Re: Logical Name Table Protection

Robert Atkinson — Mon, 06 Nov 2006 08:48:43 GMT

Wow, that's pretty nasty.

You're definitely sure that's the only method? I'd check it out, but our test node's in use at the moment.

Rob.

Re: Logical Name Table Protection

Ian Miller. — Mon, 06 Nov 2006 08:53:23 GMT

Minimally the following will result in the group table being created.
$ run/det/inp=nl:/out=nl:/uic=[310,0] sys$system:loginout.exe

You can then the protection using the SET SECURITY command.

Re: Logical Name Table Protection

Robert Atkinson — Mon, 06 Nov 2006 08:55:00 GMT

OK, thanks Ian.

I'll add that to SYSECURITY and see what happens.

Rob.

Re: Logical Name Table Protection

Robert Gezelter — Mon, 06 Nov 2006 08:58:22 GMT

Rob,

There is nothing special about the group logical name table, merely that it be named correctly and entered in the correct place.

This is normally done when the first login from that group occurs, but a simple CREATE can accomplish the same thing during the startup process.

You may also reconsider granting the WRITE permission, and instead consider the use of an ACL with an explicit identifier, or the use of GRPPRV or GRPNAM. Either approach may will produce a higher safety level in many cases.

- Bob Gezelter, http://www.rlgsc.com

Re: Logical Name Table Protection

Ian Miller. — Mon, 06 Nov 2006 10:01:14 GMT

Using CREATE/NAME_TABLE will not create a table which has the same attributes as tables created by a process logging in
i.e. [kernel, no_alias]

(You can get a exec mode table with CREATE) I don't know if this makes any real difference.

Use of an identifier based protection scheme instead of UIC group does does give finer control but what is suitable for your use depends on your requirements.

Re: Logical Name Table Protection

Jan van den Ende — Wed, 08 Nov 2006 10:10:37 GMT

Rob,

>>>
I'll add that to SYSECURITY and see what happens.
<<<

Note that SYLOGICALS is executed even earlier, so, depending on your needs..

I agree with Bob, that ACLs are much more fine-grained, and perhaps better suited.
However, like Ian, I disagree with him on CREATE_TABLE. Creating the first process in a UIC group creates the kernel mode table, with no_alias, which even prevent, or overrules the effects of, a table in any non-kernel mode.

btw, what is so "pretty nasty" about creating a table before being able to manipulate its protection? To me it sounds more nasty if you could just reference a table, (eg, with SET PROT) and hen that reference would create it.
Process creation is the established VMS method for creating group logical name tables.

just my EUR 0.02

Proost.

Have one on me.

jpe

Re: Logical Name Table Protection

Robert Atkinson — Mon, 03 Sep 2007 10:21:54 GMT

Decided to submit a command from SYSTARTUP