Re: Replacing the IRXTERM routine
I am referring to under TSO, where I have a function call establish the host environment. I do not call IRXINIT directly (or at all). On Sun, 8 Nov 2020 11:36:59 +1100 Attila Fogarasi wrote: :>Under TSO/E you must call IRXINIT with a module name table that specifies :>your replacement module for IRXTERM. Your replacement module can choose to :>call IRXTERM (acting as a front-end filter), or not call IRXTERM at all. :>For non-TSO/E environments there are some other ways. There is a rather :>long list of the replaceable modules that are allowed by Rexx, luckily it :>includes IRXTERM. :>On Sun, Nov 8, 2020 at 9:07 AM Binyamin Dissen :>wrote: :>> I wrote a host environment and would like to receive control when the EXEC :>> ends to clean up. :>> I tried replacing the address IRXTERM in IRXEXTE but it does not receive :>> control. :>> This is under TSO. -- Binyamin Dissen http://www.dissensoftware.com Director, Dissen Software, Bar & Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Can a non-admin restrict others from viewing one of their own MVS data sets?
There should be a group that lists IDs of who work together on same / similar projects and allows access to production and test datasets. May (or may not) want to list ID.** to view others tso files. On Fri, Nov 6, 2020 at 6:25 PM Frank Swarbrick wrote: > > Thanks! I was successfully able to use the Security System (RACF) panels to > add a dataset profile for a dataset with my HLQ, with UACC(NONE). I had > another developer who would normally have access try to view it and he was > blocked. Didn't really expect for this to work, but glad it did. > > > From: IBM Mainframe Discussion List on behalf of > Lizette Koehler > Sent: Friday, November 6, 2020 2:58 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: Can a non-admin restrict others from viewing one of their own > MVS data sets? > > If you own the dataset and RACF Admins permit it, > > You should be able to alter your Datasets in MVS using the RACF Commands or > Panels. > > Will not work if you are not the owner of the file. > > For Example I own all datasets that begin with my TSO ID. I do not own SYS1 > datasets. > > SO it just depends > > Lizette > > > -Original Message- > From: IBM Mainframe Discussion List On Behalf Of > Frank Swarbrick > Sent: Friday, November 6, 2020 2:43 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Can a non-admin restrict others from viewing one of their own MVS > data sets? > > In the Unix world one can use chmod (change mode) on their own files to make > it so non-superusers cannot view a particular file. Is there anything > similar for MVS data sets? > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Can a non-admin restrict others from viewing one of their own MVS data sets?
I hope not. Mark Jacobs Sent from ProtonMail, Swiss-based encrypted email. GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com ‐‐‐ Original Message ‐‐‐ On Saturday, November 7th, 2020 at 10:53 PM, Seymour J Metz wrote: > Password? (Checks calendar - 2020). Is anybody still using dataset passwords? > > > --- > > Shmuel (Seymour J.) Metz > > http://mason.gmu.edu/~smetz3 > > From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of > Paul Gilmartin [000433f07816-dmarc-requ...@listserv.ua.edu] > > Sent: Friday, November 6, 2020 5:31 PM > > To: IBM-MAIN@LISTSERV.UA.EDU > > Subject: Re: Can a non-admin restrict others from viewing one of their own > MVS data sets? > > On Fri, 6 Nov 2020 14:58:13 -0700, Lizette Koehler wrote: > > > If you own the dataset and RACF Admins permit it, > > What does "own" mean to MVS? I believe from the beginning it > > meant, "The sysop consents to enter your data set password > > when prompted." > > > You should be able to alter your Datasets in MVS using the RACF Commands or > > Panels. > > > > Will not work if you are not the owner of the file. > > > > For Example I own all datasets that begin with my TSO ID. I do not own SYS1 > > datasets. > > > > SO it just depends > > > -Original Message- > > > > From: Frank Swarbrick > > > > Sent: Friday, November 6, 2020 2:43 PM > > > > In the Unix world one can use chmod (change mode) on their own files to make > > > > it so non-superusers cannot view a particular file. Is there anything > > > > similar for MVS data sets? > > -- gil > > - > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Can a non-admin restrict others from viewing one of their own MVS data sets?
Password? (Checks calendar - 2020). Is anybody still using dataset passwords? -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Paul Gilmartin [000433f07816-dmarc-requ...@listserv.ua.edu] Sent: Friday, November 6, 2020 5:31 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Can a non-admin restrict others from viewing one of their own MVS data sets? On Fri, 6 Nov 2020 14:58:13 -0700, Lizette Koehler wrote: >If you own the dataset and RACF Admins permit it, > What does "own" mean to MVS? I believe from the beginning it meant, "The sysop consents to enter your data set password when prompted." >You should be able to alter your Datasets in MVS using the RACF Commands or >Panels. > >Will not work if you are not the owner of the file. > >For Example I own all datasets that begin with my TSO ID. I do not own SYS1 >datasets. > >SO it just depends >-Original Message- >From: Frank Swarbrick >Sent: Friday, November 6, 2020 2:43 PM > >In the Unix world one can use chmod (change mode) on their own files to make >it so non-superusers cannot view a particular file. Is there anything >similar for MVS data sets? -- gil -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Can a non-admin restrict others from viewing one of their own MVS data sets?
Aha! I just reread the question. Sorry, ignore the below; I didn't read carefully the first time. --- Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 /* Beware of any Christian leader who does not walk with a limp. -Bob Mumford */ -Original Message- From: Bob Bridges Sent: Saturday, November 7, 2020 21:12 Disclaimer: I used to know RACF a lot better than I do now. The following may be wrong. As I recall the RACF documentation, it DOES NOT CONSULT the access rules for a dataset if my ID is the same as the HLQ. This should mean, despite what others say here about UACC and the ACL, that ordinary access rules will have no effect on your ability to access your own datasets (where "own" means your ID is the same as the dataset's HLQ). I expect an exit could modify this. Someone else mentioned global variables; I don't know about that. Now everyone feel free to jump on me. But that's what I recall reading, long ago (but not THAT long ago). You didn't specify RACF in your question. In Top Secret it's definitely possible to withhold permission to execute your own datasets...or rather, it's possible to give ownership of those datasets to someone else, even though your ID matches the HLQ. Ownership is not defined by default. ACF2...it's been too long. ACF2 used to be my first security system, but I haven't used it in about ten years now. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Frank Swarbrick Sent: Friday, November 6, 2020 16:43 In the Unix world one can use chmod (change mode) on their own files to make it so non-superusers cannot view a particular file. Is there anything similar for MVS data sets? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Can a non-admin restrict others from viewing one of their own MVS data sets?
Disclaimer: I used to know RACF a lot better than I do now. The following may be wrong. As I recall the RACF documentation, it DOES NOT CONSULT the access rules for a dataset if my ID is the same as the HLQ. This should mean, despite what others say here about UACC and the ACL, that ordinary access rules will have no effect on your ability to access your own datasets (where "own" means your ID is the same as the dataset's HLQ). I expect an exit could modify this. Someone else mentioned global variables; I don't know about that. Now everyone feel free to jump on me. But that's what I recall reading, long ago (but not THAT long ago). You didn't specify RACF in your question. In Top Secret it's definitely possible to withhold permission to execute your own datasets...or rather, it's possible to give ownership of those datasets to someone else, even though your ID matches the HLQ. Ownership is not defined by default. ACF2...it's been too long. ACF2 used to be my first security system, but I haven't used it in about ten years now. --- Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313 /* Ye knowe ek that in forme of speche is chaunge Withinne a thousand yere, and wordes tho That hadden pris, now wonder nyce and straunge Us thinketh hem, and yit they spake hem so. -Geoffrey Chaucer, Troilus and Criseyde, Book 2, 22-25 */ -Original Message- From: IBM Mainframe Discussion List On Behalf Of Frank Swarbrick Sent: Friday, November 6, 2020 16:43 In the Unix world one can use chmod (change mode) on their own files to make it so non-superusers cannot view a particular file. Is there anything similar for MVS data sets? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Can a non-admin restrict others from viewing one of their own MVS data sets?
Haha, I've gotten enough security violations myself to know that this won't be a problem. From: IBM Mainframe Discussion List on behalf of Arthur Sent: Friday, November 6, 2020 6:32 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Can a non-admin restrict others from viewing one of their own MVS data sets? Frank Swarbrick said: >I was successfully able to use the Security System (RACF) >panels to add a dataset profile for a dataset with my HLQ, >with UACC(NONE). I had another developer who would >normally have access try to view it and he was blocked. You might want to tell your security people that this was a test, and do it *before* they notice that failed access. Even the truth is suspicious when stated after the investigations start; and you don't want to get that other developer in trouble. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Replacing the IRXTERM routine
Under TSO/E you must call IRXINIT with a module name table that specifies your replacement module for IRXTERM. Your replacement module can choose to call IRXTERM (acting as a front-end filter), or not call IRXTERM at all. For non-TSO/E environments there are some other ways. There is a rather long list of the replaceable modules that are allowed by Rexx, luckily it includes IRXTERM. On Sun, Nov 8, 2020 at 9:07 AM Binyamin Dissen wrote: > I wrote a host environment and would like to receive control when the EXEC > ends to clean up. > > I tried replacing the address IRXTERM in IRXEXTE but it does not receive > control. > > This is under TSO. > > -- > Binyamin Dissen > http://www.dissensoftware.com > > Director, Dissen Software, Bar & Grill - Israel > > > Should you use the mailblocks package and expect a response from me, > you should preauthorize the dissensoftware.com domain. > > I very rarely bother responding to challenge/response systems, > especially those from irresponsible companies. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Replacing the IRXTERM routine
I wrote a host environment and would like to receive control when the EXEC ends to clean up. I tried replacing the address IRXTERM in IRXEXTE but it does not receive control. This is under TSO. -- Binyamin Dissen http://www.dissensoftware.com Director, Dissen Software, Bar & Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN