× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Jerry,

I am not 100% sure this applies to printer devices, but I know it applies to telnet devices.

At session initiation, a telnet device description may be deleted and recreated by the telnet system. The reason for this is so that the telnet device description type will match the device description type requested by the client. For example, If I connect to SYSTEMA and request an emulation device type of VT100, the system creates a device called QPADEV0001 that emulates a VT100 device type.

After I disconnect, you may connect using telnet and be assigned device name QPADEV0001 also. However, your emulation client requests a 3477 device type. Telnet then deletes the QPADEV0001 device type (that I created) and makes a new QPADEV0001 with the proper device type for you. Because you may not have the authority to delete the device, this function is performed under the authority of user QTCP.

Now here is a really odd thing, even though you logged in and caused this device to be created, if you didn't have the proper authority (defined as *CHANGE or higher) to the previous device description (the VT100 flavor that my emulation created), you will not be authorized to use the device description that you (well, really, that user QTCP) just created. A user must have *CHANGE authority to a device in order to use it, but can delete and recreate a device they do not have authority to (go figure).

Finally, If you are finding that a printer is being renamed to a telnet device type, it is possible that one of your users has specified the printer's name as their telnet device name and is creating this problem for you. The easiest way I can think of smoking that out is to list all the jobs of the printer's name from either QAUDJRN or QHST and see which user's name is associated with the printer's job name.

Hope this helps,

jte



On Mar 4, 2010, at 8:42 PM, Jim Franz wrote:

as odd as it may sound, i believe it's working as designed...
several years ago while working thru a virtual device problem an ibm
developer told me a device can be re-created for several reasons (which
escape me now), and not go thru the normal delete device, create the device,
or even a chg devd. I would take this to ibm and get a current response to
the issue.
Jim Franz

----- Original Message -----
From: "Bdietz400" <bdietz400@xxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Thursday, March 04, 2010 9:08 PM
Subject: Re: Workstation Object Getting Changed


Maybe you could look at the telnet exit programs. Gould could
intercept the incoming device name/device type and deal with it.

Bryan

--
Bryan

Sent from my iPod Touch.



On Mar 4, 2010, at 4:32 PM, Jerry Adams <Jerry@xxxxxxxxxxxxxxx> wrote:

Situation: Occasionally I encounter a problem in which a device
description is changed from a printer to a display (rarely, if ever,
vice versa). New devices cannot be created automagically (QAUTOVRT
= 0), but, if the device description already existed, the system
pretty much ignored my wishes and changed the device from a printer
to a display. There was no real security on the device descriptions
(*Public = *Change) so I created an authorization list where just
about everyone has *Use authority, except *Public and QTCP which are
both *Exclude (maybe redundant but via both specific object
authority and via the authorization list).

I am the object's owner so I used profile (MIKE) that has limited
authority (and at a PC logged in by him), I ran Client Access ->
Emulator -> Start or Configure Session, and created a "new" display
session with the same id as a currently defined printer session.
The device description is now a display, not a printer.

The security audit journal (QAUDJRN) shows (DO entries) that the
printer device description was deleted by QTCP (previously showed
that the outqueue for the printer had been deleted).The journal
never shows the device being created, but it does show the object
authority being changed for the device with an attribute of DSPVRT.
There are no 'AF' entries in the QAUDJRN. I know that the minimal-
user cannot delete the device description when secured by the
authorization list. QTCP has *JOBCTL special authority, but that's
it.

This (changing the device description's type) may be working "as
designed," but it could be that I am just not defining the
authorities correctly. I went through the Resource Security chapter
[5] of the Security Reference manual for V5R4; following the
flowcharts it looks like the attempt to re-define the device
description should fail - but obviously does not.

For completeness, the object authority is:

Display Object Authority

Object . . . . . . . : PN Owner . . . . . . . :
JERRY
Library . . . . . : QSYS Primary group . . . : *NONE
Object type . . . . : *DEVD ASP device . . . . . :
*SYSBAS

Object secured by authorization list . . . . . . . . . . . . :
PRINTERS

Object -----Object------ ------
Data-------
User Group Authority O M E A R R A
U D E
*PUBLIC *EXCLUDE
JERRY *ALL X X X X X X X
X X X
QTCP *EXCLUDE

The relevant parts of the authorizations list are:

Display Authorization List

Object . . . . . . . : PRINTERS Owner . . . . . . . :
JERRY
Library . . . . . : QSYS Primary group . . . : *NONE

Object List -----Object------ ------Data-------
User Authority Mgt O M E A R R A U D E
*PUBLIC *EXCLUDE
JERRY *ALL X X X X X X X X X X X
MIKE *USE X X X
QTCP *EXCLUDE

I am no wiz at security, but I really thought I could nail this one
down (prevent device types from changing). Not. After several days
of experimentation and manual reading, I am throwing myself on your
(tender?) mercies. Any clues, suggestions, rebukes, etc., would be
appreciated.

Thanks.

Jerry C. Adams
IBM System i Programmer/Analyst
--
B&W Wholesale
office: 615-995-7024
email: jerry@xxxxxxxxxxxxxxx

--

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


--
John Earl
President and CEO
Patrick Townsend Security Solutions
"The Encryption Company"

Olympia, WA | www.patownsend.com
Office: 360-357-8971 Ext 118


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.