Operating System - OpenVMS

Re: Logical Name Table Protection

 
Robert Atkinson
Respected Contributor

Logical Name Table Protection

Any idea how I change the protection on this Group Name Table to (G:RW) permanently?

Do I need to put something into SYSECURITY.COM?

(LNM$GROUP_000310) [kernel] [shareable,group]
[Protection=(RWCD,R,R,)] [Owner=[ITDEVMT,*]]

Rob.

Volker Halle
Honored Contributor
Solution

Re: Logical Name Table Protection

Rob,

putting the commands in SYSECURITY.COM won't help, as this group table would probably not yet exist at startup time.

The group logical name table gets created once the first user in that group logs in.

You might want to submit a batch-job under a user of this group during startup and then set the protection of the group table from a privileged user, once the batch job has finished and the group table has been created.

Volker.
Robert Atkinson
Respected Contributor

Re: Logical Name Table Protection

Wow, that's pretty nasty.

You're definitely sure that's the only method? I'd check it out, but our test node's in use at the moment.

Rob.
Ian Miller.
Honored Contributor

Re: Logical Name Table Protection

Minimally the following will result in the group table being created.
$ run/det/inp=nl:/out=nl:/uic=[310,0] sys$system:loginout.exe

You can then set the protection using the SET SECURITY command.
____________________
Purely Personal Opinion
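
The sequence suggested in the replies above (start a process in the group so the table exists, then change its protection from a privileged context), written out as an added example that is not part of any post in this thread. The symbol and label names, the retry count, and the F$TRNLNM existence check are assumptions made for illustration; the UIC group and table name are the ones from the question.

```dcl
$! Added example, not from the thread. Assumed to run from a privileged
$! startup procedure. Symbol names, labels and retry count are illustrative.
$ table = "LNM$GROUP_000310"
$!
$! Start a short-lived process in UIC group 310 so that process creation
$! builds the group logical name table.
$ run/detached/input=nl:/output=nl:/uic=[310,0] sys$system:loginout.exe
$!
$! The detached process is created asynchronously, so poll until the table
$! name shows up in the system directory table before touching it.
$ tries = 0
$wait_loop:
$ if f$trnlnm(table,"LNM$SYSTEM_DIRECTORY",,,,"TABLE") .eqs. "TRUE" then goto set_prot
$ tries = tries + 1
$ if tries .ge. 10 then goto no_table
$ wait 00:00:01
$ goto wait_loop
$!
$set_prot:
$! Change only the GROUP field; the other protection fields are not named
$! here and are left as created.
$ set security/class=logical_name_table/protection=(group:rw) 'table'
$! Display the result so the startup log records the final protection.
$ show security/class=logical_name_table 'table'
$ exit
$!
$no_table:
$ write sys$output "Group table ''table' was not created; protection not changed"
$ exit
```

Failing visibly when the table never appears keeps the startup log honest: otherwise SET SECURITY would report an error against a missing object and the table would later be created with the default (RWCD,R,R,) protection shown in the question.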
Robert Atkinson
Respected Contributor

Re: Logical Name Table Protection

OK, thanks Ian.

I'll add that to SYSECURITY and see what happens.

Rob.
Robert Gezelter
Honored Contributor

Re: Logical Name Table Protection

Rob,

There is nothing special about the group logical name table, merely that it be named correctly and entered in the correct place.

This is normally done when the first login from that group occurs, but a simple CREATE can accomplish the same thing during the startup process.

You may also reconsider granting the WRITE permission, and instead consider the use of an ACL with an explicit identifier, or the use of GRPPRV or GRPNAM. Either approach may well produce a higher safety level in many cases.

- Bob Gezelter, http://www.rlgsc.com
Ian Miller.
Honored Contributor

Re: Logical Name Table Protection

Using CREATE/NAME_TABLE will not create a table which has the same attributes as tables created by a process logging in,
i.e. [kernel, no_alias]

(You can get an exec mode table with CREATE.) I don't know if this makes any real difference.

Use of an identifier-based protection scheme instead of UIC group does give finer control, but what is suitable for your use depends on your requirements.
____________________
Purely Personal Opinion
Jan van den Ende
Honored Contributor

Re: Logical Name Table Protection

Rob,

>>>
I'll add that to SYSECURITY and see what happens.
<<<

Note that SYLOGICALS is executed even earlier, so, depending on your needs..

I agree with Bob, that ACLs are much more fine-grained, and perhaps better suited.
However, like Ian, I disagree with him on CREATE_TABLE. Creating the first process in a UIC group creates the kernel mode table, with no_alias, which even prevents, or overrules the effects of, a table in any non-kernel mode.

btw, what is so "pretty nasty" about creating a table before being able to manipulate its protection? To me it sounds more nasty if you could just reference a table (e.g., with SET PROT) and then that reference would create it.
Process creation is the established VMS method for creating group logical name tables.

just my EUR 0.02

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Robert Atkinson
Respected Contributor

Re: Logical Name Table Protection

Decided to submit a command from SYSTARTUP