The Brit
Honored Contributor

"Hidden" Logicals.

Is there any way that the translation of logical names can be hidden from non-privileged users, i.e. from users who don't have at least SYSPRV (say)?

Dave.
Hoff
Honored Contributor
Solution

Re: "Hidden" Logicals.

Those defined in the process-level table tend to be harder to view.

You might be able to create a (very protected) and private and shared logical name table, and stuff the logical names there. (I've not tried this, but it may well provide what you want.)

Logical names, filenames, email addresses and other security-relevant object names are usually expected to be user visible. Sometimes even visible off-node -- you can often view system logical names from a remote host via DECnet, for instance.

Maintaining my hammerlock on the obvious, I'm guessing you're storing something sensitive here such as a password, and there might be an alternative solution. Certificates or proxies, for instance, might be useful for certain cases.


Robert Gezelter
Honored Contributor

Re: "Hidden" Logicals.

Dave,

Can you give a more precise definition of what is desired? Certainly, it is possible to protect different logical name tables, and name tables other than LNM$PROCESS, LNM$JOB, LNM$GROUP, and LNM$SYSTEM can be included in the translation sequence (see the "Programming Concepts" manual, or my OpenVMS Technical Journal article "Inheritance Based Environments in Stand-alone OpenVMS Systems and OpenVMS Clusters", available from http://www.rlgsc.com/publications/vmstechjournal/inheritance.html ).

Do you want the translation to work, but the name not be accessible?

- Bob Gezelter, http://www.rlgsc.com
Willem Grooters
Honored Contributor

Re: "Hidden" Logicals.

Making the translation invisible to non-authorized users will probably also mean that they cannot use it either. It might be a desired side-effect, or it may not.

For instance: referring to a directory referred to by logical "APPL_DATA" will allow a program to access datafile "APPL_DATA:INVENTORY.DAT". Restricting access to the logical's value (= translation) will disallow this access, unless the program runs in an environment that does have access to the logical.
Willem Grooters
OpenVMS Developer & System Manager
John Gillings
Honored Contributor

Re: "Hidden" Logicals.

Dave,

/TRANSLATION=TERMINAL will prevent a logical name from being translated automatically, but it won't hide the translation from a SHOW LOGICAL or $TRNLNM request. It also requires that the equivalence name be expressed only in physical device names.

As others have pointed out, it's easy to hide logical names, just put them in a protected table. But then from the perspective of users from whom they're hidden, they don't exist at all!

If you want someone to be able to use a logical name, they must, by definition, be able to see the translation.

A crucible of informative mistakes
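
The protected-table approach raised in the replies above, as an added DCL sketch that is not from any poster in this thread. The table name APP_SECRETS, the rights identifier APP_READERS, the logical APP_DATA and its equivalence string are all hypothetical, and the session is assumed to hold enough privilege to create a shareable table in LNM$SYSTEM_DIRECTORY.

```dcl
$! Added example; APP_SECRETS, APP_READERS and APP_DATA are hypothetical names.
$!
$! 1. Create a shareable table that grants no access to GROUP or WORLD.
$ CREATE/NAME_TABLE/PARENT_TABLE=LNM$SYSTEM_DIRECTORY -
        /PROTECTION=(S:RWCD,O:RWCD,G,W) APP_SECRETS
$!
$! 2. Let holders of one rights identifier translate (READ) names in it.
$ SET SECURITY/CLASS=LOGICAL_NAME_TABLE -
        /ACL=(IDENTIFIER=APP_READERS,ACCESS=READ) APP_SECRETS
$!
$! 3. Put the sensitive name in the protected table, not in LNM$SYSTEM.
$ DEFINE/TABLE=APP_SECRETS APP_DATA "DKA100:[APPL.DATA]"   ! constructed value
$!
$! 4. In the processes that need the name, add the table to the
$!    translation sequence with a process-private LNM$FILE_DEV.
$ DEFINE/TABLE=LNM$PROCESS_DIRECTORY LNM$FILE_DEV -
        APP_SECRETS,LNM$PROCESS,LNM$JOB,LNM$GROUP,LNM$SYSTEM
$!
$! 5. Review the resulting protection and ACL.
$ SHOW SECURITY/CLASS=LOGICAL_NAME_TABLE APP_SECRETS
$!
$! 6. Check from an account that does NOT hold APP_READERS: the name
$!    should not translate there, so anything relying on APP_DATA fails too.
$ SHOW LOGICAL/TABLE=APP_SECRETS APP_DATA
```

Step 6 is the trade-off the replies describe: a process that can use the name can also read its translation, so this limits who sees the value rather than hiding it from its users.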
Peter Barkas
Regular Advisor

Re: "Hidden" Logicals.

It is not entirely clear what you are trying to achieve.

If a logical name and/or table is protected from a user with 'user' privileges the user can't see it but if the user executes a program which is installed with the privilege required to access the name/table then perhaps you can achieve what you want?
The Brit
Honored Contributor

Re: "Hidden" Logicals.

Thanks for the responses guys. Actually, what I had in mind was the idea that a logical could be defined with a qualifier like "/Hidden" which would only allow translation by a process which had, say, SECURITY privilege (which could be given to any process which required the translation).

I was hoping that there might be some obscure method that I had missed, but apparently not.

I appreciate the suggestions re. using a secured logical name table, and I will investigate that. My problem is that whatever solution I come up with must be implemented without affecting an existing legacy application.

Of course, Hoff pointed out the reason for investigating this, "sensitive info".

Anyway, thanks again.

Dave


The Brit
Honored Contributor

Re: "Hidden" Logicals.

Thanks