Re: Replacing the IRXTERM routine

2020-11-07 Thread Binyamin Dissen
I am referring to under TSO, where I have a function call establish the host
environment. I do not call IRXINIT directly (or at all).


On Sun, 8 Nov 2020 11:36:59 +1100 Attila Fogarasi  wrote:

:>Under TSO/E you must call IRXINIT with a module name table that specifies
:>your replacement module for IRXTERM.  Your replacement module can choose to
:>call IRXTERM (acting as a front-end filter), or not call IRXTERM at all.
:>For non-TSO/E environments there are some other ways.  There is a rather
:>long list of the replaceable modules that are allowed by Rexx, luckily it
:>includes IRXTERM.

:>On Sun, Nov 8, 2020 at 9:07 AM Binyamin Dissen 
:>wrote:

:>> I wrote a host environment and would like to receive control when the EXEC
:>> ends to clean up.

:>> I tried replacing the address IRXTERM in IRXEXTE but it does not receive
:>> control.

:>> This is under TSO.

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Can a non-admin restrict others from viewing one of their own MVS data sets?

2020-11-07 Thread Mike Schwab
There should be a group that lists IDs of who work together on same /
similar projects and allows access to production and test datasets.
May (or may not) want to list ID.** to view others' TSO files.

On Fri, Nov 6, 2020 at 6:25 PM Frank Swarbrick
 wrote:
>
> Thanks!  I was successfully able to use the Security System (RACF) panels to 
> add a dataset profile for a dataset with my HLQ, with UACC(NONE).  I had 
> another developer who would normally have access try to view it and he was 
> blocked.  Didn't really expect for this to work, but glad it did.
>
> 
> From: IBM Mainframe Discussion List  on behalf of 
> Lizette Koehler 
> Sent: Friday, November 6, 2020 2:58 PM
> To: IBM-MAIN@LISTSERV.UA.EDU 
> Subject: Re: Can a non-admin restrict others from viewing one of their own 
> MVS data sets?
>
> If you own the dataset and RACF Admins permit it,
>
> You should be able to alter your Datasets in MVS using the RACF Commands or
> Panels.
>
> Will not work if you are not the owner of the file.
>
> For Example I own all datasets that begin with my TSO ID.  I do not own SYS1
> datasets.
>
> SO it just depends
>
> Lizette
>
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of
> Frank Swarbrick
> Sent: Friday, November 6, 2020 2:43 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Can a non-admin restrict others from viewing one of their own MVS
> data sets?
>
> In the Unix world one can use chmod (change mode) on their own files to make
> it so non-superusers cannot view a particular file.  Is there anything
> similar for MVS data sets?
>



-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?
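
The steps discussed in this message and the one it quotes (a data set profile with UACC(NONE), then access for a project group), as an added example that is not part of the original thread. It assumes RACF under TSO/E, an existing cataloged data set, and that the installation lets users define profiles under their own HLQ; the data set name PRIVATE.DATA and the group PROJGRP are constructed placeholders.

```rexx
/* REXX - added example, run under TSO/E by the user whose ID is the HLQ */
/* Constructed names: PRIVATE.DATA (data set) and PROJGRP (RACF group)   */
dsn   = "'"userid()".PRIVATE.DATA'"   /* fully qualified, quoted name    */
group = "PROJGRP"

address tso

/* 1. Discrete profile with no default access for other users */
"ADDSD" dsn "UACC(NONE)"
if rc <> 0 then do
  say "ADDSD failed for" dsn", RC="rc
  exit rc
end

/* 2. Grant READ only to the group of people working on the project */
"PERMIT" dsn "ID("group") ACCESS(READ)"
if rc <> 0 then do
  say "PERMIT failed for group" group", RC="rc
  exit rc
end

/* 3. Show UACC and the access list so the result can be reviewed */
"LISTDSD DATASET("dsn") AUTHUSER"
exit rc
```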



Re: Can a non-admin restrict others from viewing one of their own MVS data sets?

2020-11-07 Thread Mark Jacobs
I hope not.

Mark Jacobs

Sent from ProtonMail, Swiss-based encrypted email.

GPG Public Key - 
https://api.protonmail.ch/pks/lookup?op=get=markjac...@protonmail.com

‐‐‐ Original Message ‐‐‐

On Saturday, November 7th, 2020 at 10:53 PM, Seymour J Metz  
wrote:

> Password? (Checks calendar - 2020). Is anybody still using dataset passwords?
>
>
> ---
>
> Shmuel (Seymour J.) Metz
>
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of
> Paul Gilmartin [000433f07816-dmarc-requ...@listserv.ua.edu]
> Sent: Friday, November 6, 2020 5:31 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Can a non-admin restrict others from viewing one of their own
> MVS data sets?
>
> On Fri, 6 Nov 2020 14:58:13 -0700, Lizette Koehler wrote:
>
> > If you own the dataset and RACF Admins permit it,
>
> What does "own" mean to MVS? I believe from the beginning it
> meant, "The sysop consents to enter your data set password
> when prompted."
>
> > You should be able to alter your Datasets in MVS using the RACF Commands or
> > Panels.
> >
> > Will not work if you are not the owner of the file.
> >
> > For Example I own all datasets that begin with my TSO ID. I do not own SYS1
> > datasets.
> >
> > SO it just depends
>
> > -Original Message-
> > From: Frank Swarbrick
> > Sent: Friday, November 6, 2020 2:43 PM
> >
> > In the Unix world one can use chmod (change mode) on their own files to make
> > it so non-superusers cannot view a particular file. Is there anything
> > similar for MVS data sets?
>
> -- gil
>



Re: Can a non-admin restrict others from viewing one of their own MVS data sets?

2020-11-07 Thread Seymour J Metz
Password?  (Checks calendar - 2020). Is anybody still using dataset passwords?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Paul Gilmartin [000433f07816-dmarc-requ...@listserv.ua.edu]
Sent: Friday, November 6, 2020 5:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Can a non-admin restrict others from viewing one of their own MVS 
data sets?

On Fri, 6 Nov 2020 14:58:13 -0700, Lizette Koehler wrote:

>If you own the dataset and RACF Admins permit it,
>
What does "own" mean to MVS?  I believe from the beginning it
meant,  "The sysop consents to enter your data set password
when prompted."

>You should be able to alter your Datasets in MVS using the RACF Commands or 
>Panels.
>
>Will not work if you are not the owner of the file.
>
>For Example I own all datasets that begin with my TSO ID.  I do not own SYS1 
>datasets.
>
>SO it just depends


>-Original Message-
>From: Frank Swarbrick
>Sent: Friday, November 6, 2020 2:43 PM
>
>In the Unix world one can use chmod (change mode) on their own files to make
>it so non-superusers cannot view a particular file.  Is there anything
>similar for MVS data sets?

-- gil



Re: Can a non-admin restrict others from viewing one of their own MVS data sets?

2020-11-07 Thread Bob Bridges
Aha!  I just reread the question.  Sorry, ignore the below; I didn't read
carefully the first time.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Beware of any Christian leader who does not walk with a limp.  -Bob
Mumford */

-Original Message-
From: Bob Bridges  
Sent: Saturday, November 7, 2020 21:12

Disclaimer:  I used to know RACF a lot better than I do now.  The following
may be wrong.

As I recall the RACF documentation, it DOES NOT CONSULT the access rules for
a dataset if my ID is the same as the HLQ.  This should mean, despite what
others say here about UACC and the ACL, that ordinary access rules will have
no effect on your ability to access your own datasets (where "own" means
your ID is the same as the dataset's HLQ).  I expect an exit could modify
this.  Someone else mentioned global variables; I don't know about that.

Now everyone feel free to jump on me.  But that's what I recall reading,
long ago (but not THAT long ago).

You didn't specify RACF in your question.  In Top Secret it's definitely
possible to withhold permission to execute your own datasets...or rather,
it's possible to give ownership of those datasets to someone else, even
though your ID matches the HLQ.  Ownership is not defined by default.

ACF2...it's been too long.  ACF2 used to be my first security system, but I
haven't used it in about ten years now.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Frank Swarbrick
Sent: Friday, November 6, 2020 16:43

In the Unix world one can use chmod (change mode) on their own files to make
it so non-superusers cannot view a particular file.  Is there anything
similar for MVS data sets?



Re: Can a non-admin restrict others from viewing one of their own MVS data sets?

2020-11-07 Thread Bob Bridges
Disclaimer:  I used to know RACF a lot better than I do now.  The following
may be wrong.

As I recall the RACF documentation, it DOES NOT CONSULT the access rules for
a dataset if my ID is the same as the HLQ.  This should mean, despite what
others say here about UACC and the ACL, that ordinary access rules will have
no effect on your ability to access your own datasets (where "own" means
your ID is the same as the dataset's HLQ).  I expect an exit could modify
this.  Someone else mentioned global variables; I don't know about that.

Now everyone feel free to jump on me.  But that's what I recall reading,
long ago (but not THAT long ago).

You didn't specify RACF in your question.  In Top Secret it's definitely
possible to withhold permission to execute your own datasets...or rather,
it's possible to give ownership of those datasets to someone else, even
though your ID matches the HLQ.  Ownership is not defined by default.

ACF2...it's been too long.  ACF2 used to be my first security system, but I
haven't used it in about ten years now.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Ye knowe ek that in forme of speche is chaunge
Withinne a thousand yere, and wordes tho
That hadden pris, now wonder nyce and straunge
Us thinketh hem, and yit they spake hem so.
  -Geoffrey Chaucer, Troilus and Criseyde, Book 2, 22-25 */

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Frank Swarbrick
Sent: Friday, November 6, 2020 16:43

In the Unix world one can use chmod (change mode) on their own files to make
it so non-superusers cannot view a particular file.  Is there anything
similar for MVS data sets?



Re: Can a non-admin restrict others from viewing one of their own MVS data sets?

2020-11-07 Thread Frank Swarbrick
Haha, I've gotten enough security violations myself to know that this won't be 
a problem.


From: IBM Mainframe Discussion List  on behalf of 
Arthur 
Sent: Friday, November 6, 2020 6:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU 
Subject: Re: Can a non-admin restrict others from viewing one of their own MVS 
data sets?

Frank Swarbrick said:
>I was successfully able to use the Security System (RACF)
>panels to add a dataset profile for a dataset with my HLQ,
>with UACC(NONE).  I had another developer who would
>normally have access try to view it and he was blocked.

You might want to tell your security people that this was a
test, and do it *before* they notice that failed access.
Even the truth is suspicious when stated after the
investigations start; and you don't want to get that other
developer in trouble.



Re: Replacing the IRXTERM routine

2020-11-07 Thread Attila Fogarasi
Under TSO/E you must call IRXINIT with a module name table that specifies
your replacement module for IRXTERM.  Your replacement module can choose to
call IRXTERM (acting as a front-end filter), or not call IRXTERM at all.
For non-TSO/E environments there are some other ways.  There is a rather
long list of the replaceable modules that are allowed by Rexx, luckily it
includes IRXTERM.

On Sun, Nov 8, 2020 at 9:07 AM Binyamin Dissen 
wrote:

> I wrote a host environment and would like to receive control when the EXEC
> ends to clean up.
>
> I tried replacing the address IRXTERM in IRXEXTE but it does not receive
> control.
>
> This is under TSO.
>
> --
> Binyamin Dissen 
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
>
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
>
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.
>



Replacing the IRXTERM routine

2020-11-07 Thread Binyamin Dissen
I wrote a host environment and would like to receive control when the EXEC
ends to clean up.

I tried replacing the address IRXTERM in IRXEXTE but it does not receive
control.

This is under TSO.

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.
