× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2023

Re: IFS Directory Authority

That attribute is not what you want.
If you change the directory to not allow them to delete it, the objects in
that directory adopt that authority and they cannot delete the files either.

Since you're using exit point security ask your vendor if you can control
commands. I've written my own exit point programs to control commands so
if they got any sand they can do that. Then just control the command
RMVDIR and do not allow the user to use that command if the DIR parameter
is equal to the name of that directory.
A sample of what I've done with exit points is to take the command SNDDST
and if the parameters indicated they were sending an email then to log it
and to change the command to a completely different command we use to send
emails. This allowed us to phase in a change in email and the logging
allowed us to fix programs at our leisure.

On Mon, Mar 20, 2023 at 4:58 PM Greg Wilburn <
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

These are work files that contain web service responses. They are used by
batch applications that run from scheduled jobs, or a single-threaded jobq.
I don't have to worry about locking and such... but we DO change users as
responsibilities change. I don't want to worry about authority on XML
files that have zero use once the job is finished. I like to leave them
intact in case I need to look at something.

All I'm trying to do is prevent a user from accidentally moving or
deleting a directory on the IFS (which is what happened here)
Our exit point security software is in logging mode for IFS - so I was
able to identify exactly who and when this directory (and subdirectories)
were deleted.
The user was browsing the directory and recalled dropping her headset on
the keyboard. It must have hit the delete key AND THEN the enter key.
She recalls the moment it happened, but didn't think any action took
place.

I have more than one directory that is used in this same fashion... I'd
like to protect it from accidental deletion without hindering usage.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Monday, March 20, 2023 4:16 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: IFS Directory Authority

If you're going to overwrite you need to rethink that attribute.
You either stop overwriting by generating unique file names, or figure out
a way to safely overwrite. If both users create a file called output.txt
then you're going to have to guarantee that job only runs once per day and
clear that up. Or figure out an appropriate locking and waiting scheme.
Common techniques for uniqueness include incorporating the fully qualified
job name, UUID, GUID, timestamp (with extended microseconds), etc.

On Mon, Mar 20, 2023 at 2:56 PM Greg Wilburn <
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

This is interesting... So *RSTDRNMUNL only applies to directories.

My issue is that an IFS filename may be "reused" or "overwritten" by more
than one user. So today, the owner might be JOHNNY but tomorrow the
owner
might be JANE.
Within the same job, I will often run "cleanup" program for a
subdirectory
that deletes all files older than 60 days.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Rob
Berendt
Sent: Monday, March 20, 2023 12:46 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx

Subject: Re: IFS Directory Authority

You mean something like this?
CHGATR OBJ('/mydir') ATR(*RSTDRNMUNL) VALUE(*YES)
IBM used to change '/tmp' at each IPL to this until we stormed the gates.
The reason that stank was the user app would write a file to it for use
by
IBM's email APIs. Then it would pass control over to the other programs
like QMSF and the smtp jobs and they could not delete the file since they
were not the owner and didn't have *ALLOBJ.
Just make sure you won't run into similar issues.

On Fri, Mar 17, 2023 at 3:23 PM Greg Wilburn <
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

I would like to set the authority on a directory so that no one can
move,
delete, or rename the directory itself (except owner and QSECOFR).
However, all users need to be able to run programs that read, write
(create), and delete objects INSIDE the directory.

My programs use this directory for storing temporary files (XML, JSON,
TXT, etc.) while consuming web services, downloading files, etc.
One of those directories "went missing" earlier this week - someone
accidentally deleted it or otherwise moved it.

I looked through the archives, but didn't really find much...

TIA,
Greg
[Logo]<https://www.totalbizfulfillment.com/> Greg Wilburn
Director of IT
301.895.3792 ext. 1231
301.895.3895 direct
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx<mailto:
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx

1 Corporate Dr
Grantsville, MD 21536
www.totalbizfulfillment.com<http://www.totalbizfulfillment.com>
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related
questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.