


Paul.Thieme@xxxxxxxxxxxxxxxxx wrote:
The user doesn't have authority to the file's directory. The interactive
job submits a job using profile with higher authority.

In order to do that, the user must have *USE authority to the higher-security profile (the one that the job is submitted under). That means that any user with appropriate knowledge can bypass your security setup! (Unless it gains the *USE authority via adopted authority or something like that, I guess.)

While I could certainly tell you how to wait for a batch job to complete (which isn't particularly difficult) I'm thinking that the best solution for you is NOT to do things this way.

Instead, create a never-ending batch job that sits and waits on a data queue. When your interactive job wants to display a file, it can put the appropriate information onto the data queue, and the batch job (which can be running with higher authority) will use that info to copy the file. It can then send back a response stating that it has been copied.

This solution is ideal because the interactive job doesn't have to prove authority needed to run a different user profile. So no *USE authority is needed. Plus, the data queue makes it easy to wait for stuff to complete.

Perhaps an even better idea (from a security perspective, anyway) is to have a CGI program that receives the request to display an image from a browser. Have some sort of authentication in place, of course... but the CGI program can have authority to read the image file, and can send it to the browser without you ever needing to copy it to a temporary location, and that also improves your security dramatically...

A less appealing solution (to me) is to use profile swapping, and eliminate the batch job altogether. Since you currently have to have *USE authority anyway, you could just switch to the higher-level user profile interactively, do the copy, and switch back. But that still requires *USE authority, and therefore a knowledgeable user can circumvent your security scheme. You could use setgid() instead of the profile handle/token APIs, that would be a little better...

Of course, if you're really happy with the approach of submitting a job, you could wait for the job to complete. Just give the SBMJOB command the name of a message queue, and tell your program to wait on that message queue for the job completed message. Very easy to tell when the job has completed that way.

But, if it were me, I'd be looking at either the data queue or CGI approach.
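
The data queue approach described above, sketched as an added example that is not part of the original message: a server job in CL that runs under the higher-authority profile, accepts only a bare file name, and answers on a keyed reply queue. The queue names (IMGREQ, IMGRSP), library IMGLIB, both directories, the 74-byte request layout and upper-case file names are assumptions, and the %CHECK built-in must be available in your release's CL.

```cl
/* IMGSRV: never-ending server job (added example, names assumed).    */
/* Setup, done once by the owner of the higher-authority profile:     */
/*   CRTDTAQ DTAQ(IMGLIB/IMGREQ) MAXLEN(74) AUT(*EXCLUDE)             */
/*   CRTDTAQ DTAQ(IMGLIB/IMGRSP) MAXLEN(2) SEQ(*KEYED) KEYLEN(10)     */
/* Grant the requesting users authority to the queues only, never     */
/* *USE to the profile this job runs under.                           */
/* Request entry: pos 1-10 reply key, pos 11-74 file name.            */
PGM
  DCL VAR(&LEN)    TYPE(*DEC)  LEN(5 0)
  DCL VAR(&WAIT)   TYPE(*DEC)  LEN(5 0) VALUE(-1) /* wait forever    */
  DCL VAR(&REQ)    TYPE(*CHAR) LEN(74)
  DCL VAR(&KEY)    TYPE(*CHAR) LEN(10)
  DCL VAR(&KEYLEN) TYPE(*DEC)  LEN(3 0) VALUE(10)
  DCL VAR(&NAME)   TYPE(*CHAR) LEN(64)
  DCL VAR(&FROM)   TYPE(*CHAR) LEN(128)
  DCL VAR(&RSP)    TYPE(*CHAR) LEN(2)
  DCL VAR(&RSPLEN) TYPE(*DEC)  LEN(5 0) VALUE(2)
  DCL VAR(&OK)     TYPE(*CHAR) LEN(40) +
        VALUE('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._- ')

  DOWHILE COND('1')
    CHGVAR VAR(&REQ) VALUE(' ')   /* no stale data from last request */
    CALL PGM(QRCVDTAQ) PARM('IMGREQ' 'IMGLIB' &LEN &REQ &WAIT)
    CHGVAR VAR(&KEY)  VALUE(%SST(&REQ 1 10))
    CHGVAR VAR(&NAME) VALUE(%SST(&REQ 11 64))
    CHGVAR VAR(&RSP)  VALUE('NO')

    /* The job has more authority than the requester, so it never     */
    /* takes a path from the request: allow-listed characters only    */
    /* (no '/'), no leading dot, and the directories are fixed here.  */
    IF COND((&LEN *EQ 74) *AND (&NAME *NE ' ') *AND +
            (%CHECK(&OK &NAME) *EQ 0) *AND +
            (%SST(&NAME 1 1) *NE '.')) THEN(DO)
      CHGVAR VAR(&FROM) VALUE('/images/secure/' *CAT &NAME)
      CHGVAR VAR(&RSP)  VALUE('OK')
      CPY OBJ(&FROM) TODIR('/images/view') REPLACE(*YES)
      MONMSG MSGID(CPF0000) EXEC(CHGVAR VAR(&RSP) VALUE('NO'))
    ENDDO

    /* Keyed reply: the requester waits on IMGRSP for its own key.    */
    CALL PGM(QSNDDTAQ) PARM('IMGRSP' 'IMGLIB' &RSPLEN &RSP +
                            &KEYLEN &KEY)
  ENDDO
ENDPGM
```

The interactive job sends its 74-byte entry with QSNDDTAQ and then calls QRCVDTAQ on IMGRSP with its key and a finite wait time, which replaces waiting for a submitted job to end.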


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
