Title: | *OLD* ALL-IN-1 (tm) Support Conference |
Notice: | Closed - See Note 4331.l to move to IOSG::ALL-IN-1 |
Moderator: | IOSG::PYE |
Created: | Thu Jan 30 1992 |
Last Modified: | Tue Jan 23 1996 |
Last Successful Update: | Fri Jun 06 1997 |
Number of topics: | 4343 |
Total number of notes: | 18308 |
Hi,

Is there any way to restrict the ALL-IN-1 command to always and only invoke ALL-IN-1 /NOINIT?

We are in the middle of re-organising our main cluster so that certain products only run on certain nodes. ALL-IN-1 will run fully on 2 out of the 5 nodes, but we do need to be able to use 'allin1/noinit' on the remaining 3 (where various applications like to write reports directly into ALL-IN-1 shared areas).

My first thought was to define a global symbol so that allin1 would always translate to allin1/noinit. Then I realised that this could be too easily circumvented by redefining the symbol, or using '/init' in the command line.

My second thought was to have a crack at redefining the ALLIN1 command verb in the DCL tables. I did some experimenting on our test system, and found that even when I commented out ALL the qualifiers in a (copied) A1.CLD file, and popped it into the tables, I could still happily invoke ALL-IN-1 interactively! The only difference was that it wouldn't accept any qualifiers added to the command verb, e.g. I could do $ allin1, but I couldn't do $ allin1/form=wp etc.

My object is to securely restrict users on the 3 nodes to running ALL-IN-1/noinit/user=/reenter ONLY. Can it be done?

Thanks a lot,
Gil
T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
394.1 | A slightly different approach | AIMTEC::PORTER_T | Terry Porter, ALL-IN-1 Support, Atlanta CSC | Wed Apr 01 1992 23:18 | 11 |
Presumably you can set up everything the way you want except for /INIT. How about an OAINI.SCP in OA$LIB that contains `.FX exit`? That will log anyone out of ALL-IN-1 immediately unless they use the /NOINIT qualifier. If you have removed all the other qualifiers then the users should not be able to avoid running the OAINI.SCP. Terry | |||||
394.2 | Insecure | IOSG::TALLETT | Just one more fix, then we can ship... | Thu Apr 02 1992 09:01 | 10 |
Hmmm. What's to stop me saying RUN OA$IMAGE, or defining my own DCL verb in my process? Doesn't sound very secure to me. I think the only secure way would be to somehow use protections, ACLs and installing things with privs, but I can't just think how to do what you want! Regards, Paul |