Re: Unix file system ownership

2023-06-14 Thread Phil Smith III
Gil wrote: >I worked at a place where TSO IDs were T||employee-number >and VM IDs were V||employee-number. >So they could tell. That sounds like the Newfie joke about the farmer who proudly told his neighbor that he cut the tail off of his cows so he could tell the black one from the brown one!

Re: Unix file system ownership

2023-06-14 Thread Paul Gilmartin
On Wed, 14 Jun 2023 19:30:06 -0500, John McKown wrote: >Look up Access Lists and the UNIX setfacl command. > >But having shared filesystems where the UIDs and GIDs differ is just asking >for headaches. > If users are authorized to access various resources it shouldn't matter which system they use

Re: Unix file system ownership

2023-06-14 Thread John McKown
Look up Access Lists and the UNIX setfacl command. But having shared filesystems where the UIDs and GIDs differ is just asking for headaches. Imagine, in your case, if you had different RACFs and Group access on the two systems. I worked at a place which did that, supposedly so that they could

Re: SMTP and OAuth

2023-06-14 Thread Attila Fogarasi
IBM has several application specific products that include OAuth 2.0 SMTP clients, but none for general use that I am aware of. Liberty has OAuth 2.0 capability but not an SMTP client. Since this VSE shop is clearly not running z/OS software, presumably their question is whether it is possible

Re: Unix file system ownership

2023-06-14 Thread Tom Brennan
"I can't believe it Jim, that girl is listening and you talk about back doors." "Mr. Potato head, Mr. Potato head, back doors are not secrets!" On 6/14/2023 3:19 PM, Pommier, Rex wrote: Frank, The whole 'back door' idea comes from the fact that you have shared DASD between prod and test,

Re: SMTP and OAuth

2023-06-14 Thread Andrew Rowley
On 14/06/2023 11:57 pm, Tony Thigpen wrote: Asking for a VSE shop so he can answer an auditing 'request': Are there any SMTP clients on z/OS that support OAuth? I haven't used or tested it for OAuth, but Java usually provides an easy way to implement functions used on other platforms on

Re: Unix file system ownership

2023-06-14 Thread Pommier, Rex
Frank, The whole 'back door' idea comes from the fact that you have shared DASD between prod and test, separate RACF databases between them. The UID really doesn't play much of a part here since it's your UID on both sides. The concern (rightfully so) is that test boxes and test RACF

Re: Unix file system ownership

2023-06-14 Thread Frank Swarbrick
Yes. I have no idea. I certainly wouldn't know how to do something "backdoor" with this. Yes. Me. From: IBM Mainframe Discussion List on behalf of Paul Gilmartin <042bfe9c879d-dmarc-requ...@listserv.ua.edu> Sent: Wednesday, June 14, 2023 3:17 PM To:

Re: Unix file system ownership

2023-06-14 Thread Paul Gilmartin
On Wed, 14 Jun 2023 20:12:45 +, Frank Swarbrick wrote: >Well this was easy. My security admin gave my production user the same UID >value as in test/dev and everything fell into place. > Are the TSO IDs the same? Does this give your test/dev user a back door to your production system?

Re: Unix file system ownership

2023-06-14 Thread Frank Swarbrick
Well this was easy. My security admin gave my production user the same UID value as in test/dev and everything fell into place. As for having the same file system mounted in two different LPARs, well, it seems to work fine. We are in a sysplex, I believe. In any case nothing "important" is

Re: Unix file system ownership

2023-06-14 Thread Radoslaw Skorupka
On 14.06.2023 at 20:44, Paul Gilmartin wrote: On Wed, 14 Jun 2023 20:30:52 +0200, Radoslaw Skorupka wrote: ... Few remarks: 1. Think about chown -R user:group /your/dir - that quickly changes ownership of all your files and directories. Of course there is no place here for "my colleague

Re: Unix file system ownership

2023-06-14 Thread Lennie Dymoke-Bradshaw
Usually one issue with making that software read-only is that it is the development system RACF database that defines it as read-only. Hence the production system has to trust the security of the development system. Many security professionals would baulk at this. Or maybe you were thinking of

Re: Unix file system ownership

2023-06-14 Thread Pommier, Rex
Hi Frank, The short answer is 'yes, you can have the same UID across LPARs/RACF environments'. Longer answer is that it may not be as easy as you'd like depending on how your RACF environments are set up. There are several RACF FACILITY class profiles (like BPX.NEXT.USER and BPX.UNIQUE.USER)

Re: Unix file system ownership

2023-06-14 Thread Paul Gilmartin
On Wed, 14 Jun 2023 19:42:32 +0100, Lennie Dymoke-Bradshaw wrote: >... >I can understand completely why the environments of Development and >Production should have different RACF databases. What I fail to understand >is why they are then sharing the DASD. > Would sneakernet be better? There

Re: Unix file system ownership

2023-06-14 Thread Paul Gilmartin
On Wed, 14 Jun 2023 20:30:52 +0200, Radoslaw Skorupka wrote: >... >Few remarks: >1. Think about chown -R user:group /your/dir - that quickly changes >ownership of all your files and directories. Of course there is no place >here for "my colleague files". It is mass change. > See:

Re: Unix file system ownership

2023-06-14 Thread Lennie Dymoke-Bradshaw
Frank, I can understand completely why the environments of Development and Production should have different RACF databases. What I fail to understand is why they are then sharing the DASD. Lennie -Original Message- From: IBM Mainframe Discussion List On Behalf Of Frank Swarbrick Sent:

Re: Unix file system ownership

2023-06-14 Thread Radoslaw Skorupka
On 14.06.2023 at 20:17, Frank Swarbrick wrote: I'm guessing this is hopeless, but figured I'd ask anyway. For "some reason" we have separate RACF databases for each of our environments (dev/test vs production). Because of this (I think it's the reason!) my Unix UID is different in

Unix file system ownership

2023-06-14 Thread Frank Swarbrick
I'm guessing this is hopeless, but figured I'd ask anyway. For "some reason" we have separate RACF databases for each of our environments (dev/test vs production). Because of this (I think it's the reason!) my Unix UID is different in production than in dev/test. This means that even though

Coupling Facility Structure Resizing

2023-06-14 Thread Mark Jacobs
Outside of the CFSizer tool is there anything available that would assist in resizing activities? Mark Jacobs Sent from [ProtonMail](https://protonmail.com), Swiss-based encrypted email. GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com

Re: zOSMF

2023-06-14 Thread Shaffer, Terri
Not sure I agree with you Kurt, My z/OS installs are less than 2 years old, my res volume/s and Dlibs, even operational datasets don't move around. And even if I did, it is a very small number of them, which is why the RECATLG2 job with indirect or volsers, I could correct anything flagged

Re: The new requirement for Certificates to communicate with IBM -- A Journey

2023-06-14 Thread Dana Mitchell
On Wed, 14 Jun 2023 09:17:04 -0500, Tom Longfellow wrote: > >My current detective work is trying to discover the IPV4 used today by IBM. >So I can take my Hat in hand and go explain all of this to the Firewall staff >so they can slice a microbe of time to search their logs and/or change

Re: RACF passphrase support

2023-06-14 Thread Seymour J Metz
Don't forget session managers. From: IBM Mainframe Discussion List on behalf of Chicklon, Thomas <01fbdb5fcb44-dmarc-requ...@listserv.ua.edu> Sent: Wednesday, June 14, 2023 11:40 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: RACF passphrase support

Re: RACF passphrase support

2023-06-14 Thread Chicklon, Thomas
Good point, the original question was how to force users to use phrases instead of passwords, which is quite easy. Potentially much more difficult is making sure all applications that accept an ID and PW support a 100 character password field and know what to do with that data depending on

Re: Personal certificate Connect direct secure plus

2023-06-14 Thread Colin Paice
The normal generalised TLS flow is 1. Client sends stuff to the server initiating the handshake. 2. Server sends stuff to the client, and can include the server's certificate. 3. Client can be configured to check the server's certificate. Eg check the signer's CA is in the

Re: RACF passphrase support

2023-06-14 Thread Colin Paice
My logon screen only has space for an 8 char password. See Activating password phrase support on how to change it. On Wed, 14 Jun 2023 at 15:30, Chicklon, Thomas <

Re: RACF passphrase support

2023-06-14 Thread Radoslaw Skorupka
On 14.06.2023 at 15:24, rpinion865 wrote: If I want to move away from passwords and use passphrases, how do I force users to use passphrases, i.e. RACF exit(s)? Quite simple. You have to set initial passphrase for every user you want to migrate. And give them the passphrases (I assume

Re: RACF passphrase support

2023-06-14 Thread Lennie Dymoke-Bradshaw
I recommend posting to the RACF-L list. You'll get a lot of help there. Lennie Dymoke-Bradshaw https://rsclweb.com ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion List On Behalf Of rpinion865 Sent: 14 June 2023 14:25 To:

Re: RACF passphrase support

2023-06-14 Thread Chicklon, Thomas
Probably the easiest would be to remove a user’s password and set a phrase for them. ALU userid NOPASSWORD PHRASE('This user must use a phrase now') EXPIRED Tom Chicklon From: IBM Mainframe Discussion List On Behalf Of rpinion865 Sent: Wednesday, June 14, 2023 9:25 AM To:

Re: unix commands in batch and su

2023-06-14 Thread Sri h Kolusu
≫ Sri, ITYM BPXPSATSL Alan, Not really. BPXBATSL is an alias of BPXBATCH. BPXBATSL provides users with an alternate entry point into BPXBATCH. It also forces a program to run by using a local spawn instead of fork/exec as BPXBATCH does. Check this link

Re: The new requirement for Certificates to communicate with IBM -- A Journey

2023-06-14 Thread Tom Longfellow
Thank you. Thank You. THANK YOU. It is great to find out I am not alone in this. Maybe we can arrange an uprising. I will bring some Pitchforks and Torches when we storm the Castle. Here is where I stand today with this. There are IBM announcements out there about a server change and

SMTP and OAuth

2023-06-14 Thread Tony Thigpen
Asking for a VSE shop so he can answer an auditing 'request': Are there any SMTP clients on z/OS that support OAuth? Tony Thigpen

Re: Personal certificate Connect direct secure plus

2023-06-14 Thread Rasmussen, A. (Andre)
If it is a personal certificate both parties will share their respective public and signer/authorisation/CA keys with each other for the transfer to work. The only certificate you don't share of course is your private key. Hope this helps. Andre -Original Message- From: IBM Mainframe

Re: unix commands in batch and su

2023-06-14 Thread Rick Troth
As others have said, you need to feed the list-o-commands into the interpreting shell. Another tool that should be recommended is 'sudo'. But I'll defer commentary on that just now for sake of brevity. Don't fear "scripting". The input to 'sh' or to 'su' can be from a USS file, but it can

RACF passphrase support

2023-06-14 Thread rpinion865
If I want to move away from passwords and use passphrases, how do I force users to use passphrases, i.e. RACF exit(s)? Sent with [Proton Mail](https://proton.me/) secure email.

Re: The new requirement for Certificates to communicate with IBM -- A Journey

2023-06-14 Thread Burrell, Todd
We've been having this same issue since early June, and we went through and made sure all of the new certs are in place. And our download jobs work occasionally, and then fail with either write or read failed at other times. Has anyone gotten this working and what was the resolution? It's

Re: Mainframe help now available!

2023-06-14 Thread Bob Bridges
I agree. There's too much malicious pleasure in maligning or even just imagining bad bosses. By comparison to the stories I hear, it seems to me I've had more than my share of good ones. Teachers too, by the way, back in high school and college. --- Bob Bridges, robhbrid...@gmail.com, cell 336

z/PDOS university challenge

2023-06-14 Thread Paul Edwards
I now have a pure public domain 3390 disk containing z/PDOS and assorted utilities. There isn't a lot of public domain (as opposed to copyrighted freeware like most z/Linux stuff) stuff available for the mainframe, so currently there are only crude editing capabilities available. But you can IPL

Re: unix commands in batch and su

2023-06-14 Thread Allan Staller
Classification: Confidential Sri, ITYM BPXPSATSL -Original Message- From: IBM Mainframe Discussion List On Behalf Of Sri h Kolusu Sent: Tuesday, June 13, 2023 2:26 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: unix commands in batch and su [CAUTION: This Email is from outside the

Re: Char to Hex

2023-06-14 Thread Seymour J Metz
The table for TROT isn't that bad, although I prefer the UNPK/TR technique as it hits the cache less. The table for TRTO is truly massive in terms of cache hits. In both cases I would generate the table in a macro rather than by hand. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3

Re: unix commands in batch and su

2023-06-14 Thread Radoslaw Skorupka
On 13.06.2023 at 23:42, Kirk Wolf wrote: FYI, with Co:Z Batch instead of BPXBATCH, you just provide STDIN input to the shell like you would from a terminal. //SU EXEC PGM=COZBATCH //STDIN DD * su -s omvskern # commands for the su shell ... whoami exit # quit the su shell whoami # back

Re: Char to Hex

2023-06-14 Thread Lennie Dymoke-Bradshaw
In assembler there are 2 instructions for handling Char to Hex and Hex to Char. TRTO - Translate Two to One TROT - Translate One to Two It is the TROT instruction I usually use for producing printable HEX, but I think you need the TRTO instruction. Once you have set up the tables it is the

Re: Certificate differences between Z/VM and Z/OS?

2023-06-14 Thread Itschak Mugzach
Thanks Allan and Colin, I can list the certificate in gskkyman with no problem (when gskkyman works...). I'll try to IPL this guest as a standalone (it doesn't run network well as a second level vm) and report results. Best, ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|**

Re: Char to Hex

2023-06-14 Thread Colin Paice
I blogged this recently Easy question – hard answer, how to I convert a hex string to hex byte string in C . The C sscanf