Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

"Hidden" Logicals.

 
SOLVED
Go to solution
The Brit
Honored Contributor

"Hidden" Logicals.

Is there any way that the translation of logical names can be hidden from non-privileged users, i.e. from users who don't have at least SYSPRV (say)?

Dave.
7 REPLIES 7
Hoff
Honored Contributor
Solution

Re: "Hidden" Logicals.

Those defined in the process-level table tend to be harder to view.

You might be able to create a (very protected) and private and shared logical name table, and stuff the logical names there. (I've not tried this, but it may well provide what you want.)

Logical names, filenames, email addresses and other security-relevant object names are usually expected to be user visible. Sometimes even visible off-node -- you can often view system logical names from a remote host via DECnet, for instance.

Maintaining my hammerlock on the obvious, I'm guessing you're storing something sensitive here such as a password, and there might be an alternative solution. Certificates or proxies, for instance, might be useful for certain cases.


Robert Gezelter
Honored Contributor

Re: "Hidden" Logicals.

Dave,

Can you give a more precise definition of what is desired. Certainly, it is possible to protect different logical name tables, and name tables other than LNM$PROCESS, LNM$JOB, LNM$GROUP, AND LNM$SYSTEM can be included in the translation sequence (see the "Programming Concepts" manual, or my OpenVMS Technical Journal article "Inheritance Based Environments in Stand-alone OpenVMS Systems and OpenVMS Clusters", available from http://www.rlgsc.com/publications/vmstechjournal/inheritance.html ).

Do you want the translation to work, but the name not be accessible?

- Bob Gezelter, http://www.rlgsc.com
Willem Grooters
Honored Contributor

Re: "Hidden" Logicals.

Making the translation invisible by non-authorized users will probably also mean that they cannot be used either. It might be a desired side-effect, or it may not.

For instance: referring to a directory referred to by logical "APPL_DATA" will allow a program to access datafile "APPL_DATA:INVENTORY.DAT". Restrictin access to the logical's value (= translation) will disallow this access, unless the programn runs in an environment that does have access to the logical.
Willem Grooters
OpenVMS Developer & System Manager
John Gillings
Honored Contributor

Re: "Hidden" Logicals.

Dave,

/TRANSLATION=TERMINAL will prevent a logical name from being translated automatically, but it won't hide the translation from a SHOW LOGICAL or $TRNLNM request. It also requires that the equivalence name be expressed only in physical device names.

As others have pointed out, it's easy to hide logical names, just put them in a protected table. But then from the perspective of users from whom they're hidden, they don't exist at all!

If you want someone to be able to use a logical name, they must, by definition, be able to see the translation.

A crucible of informative mistakes
Peter Barkas
Regular Advisor

Re: "Hidden" Logicals.

It is not entirely clear what you are trying to achieve.

If a logical name and/or table is protected from a user with 'user' privileges the user can't see it but if the user executes a program which is installed with the privilege required to access the name/table then perhaps you can achieve what you want?
The Brit
Honored Contributor

Re: "Hidden" Logicals.

Thanks for the responses guys. Actually, what I had in mind was the idea that a logical could be defined with a qualifier like "/Hidden" which would only allow translation by a process which had, say, SECURITY privilege (which could be given to any process which required the translation).

I was hoping that there might be some obscure method that I had missed, but apparently not.

I appreciate the suggestions re. using a secured logical name table, and I will investigate that. My problem is that whatever solution I come up with must be implemented without affecting an existing legacy application.

Of course, Hoff pointed out the reason for investigating this, "sensitive info"

anyway thanks again.

Dave


The Brit
Honored Contributor

Re: "Hidden" Logicals.

Thanks