Date: Wed, 1 Apr 1998 15:49:20 -0800
<<we've been down this path...but i thought i'd ask again :-)
we don't have a native rexec daemon for mpe, right?
assuming the answer is 'yes', i'll say i've already installed
jim wowchuk's mpe daemon software. it works wonderfully!
(thanks, jim) but it also opens pandora's box. if i've got a
clever unix-type, that person can enter any command
and mped will execute it -- not a good thing.
i'm trying to write a 'command wrapper' (to invent
a phrase :-) that will intercept *every* command
issued to mped to decide if the command is allowable.
obviously, saying what is allowed is a much shorter
list than the not-allowed one. udc's won't work
because a udc has to have a name. that is, if i
write udc's to look for say...listf, showjob and
showtime...they work but as soon as mped gets
a command for say purge - i'm not trapping for
it and something just got purged -- again not good.
a logon udc doesn't work because mped runs
in a job. so once the job logs on - the udc's
been executed and you're done.
i need 'something' that sits on top of the ci
for the mped user. or a really rexecd :-) - d>>
Speaking from a position of profound ignorance, I'm guessing from the
items mentioned that
1) "MPED" provides remote execution of MPE commands
2) "MPED" logs on as MANAGER.SYS or some similar high-privilege
level user
3) "MPED" does not interact with the remote user to identify &
authenticate that user
4) Possibly as a result of #3, "MPED" does not use AIFCHANGELOGON
to "become" some less-privileged user
AIFCHANGELOGON is not perfect, but most of its "warts" are in the
direction of reducing the capabilities of the user compared to the
pre-change setup.
If any of the above is valid, then one option might be to run "MPED" as
some less-privileged user; another would be to ask Jim to implement an
optional AIFCHANGELOGON capability to change to some other logon and
environment, possibly based on input from the remote user and validated
using info from AIFACCTGET.
Steve
Steve Dirickson WestWin Consulting
(360) 598-6111
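
The default-deny "command wrapper" idea from the quoted message, as an added example that is not part of the original thread and is not MPED's code: a Python model contrasting per-name trapping with an allow list. The function names, the leading ':' handling and the control-character rule are assumptions for illustration; it does not model MPE CI parsing.

```python
import re

# Assumption: the three commands named in the post are the ones to permit.
ALLOWED_VERBS = {"LISTF", "SHOWJOB", "SHOWTIME"}

# A verb is a leading run of letters; everything after it is treated as arguments.
_VERB = re.compile(r"[A-Za-z]+")


def command_verb(line):
    """Return the upper-cased verb of a command line, or None if it has none."""
    # Assumption: a leading ':' prompt character and surrounding blanks are noise.
    text = line.strip().lstrip(":").lstrip()
    match = _VERB.match(text)
    return match.group(0).upper() if match else None


def named_trap_gate(line, trapped=ALLOWED_VERBS):
    """Model of the per-name trap: only trapped names are inspected, the rest run."""
    verb = command_verb(line)
    if verb in trapped:
        return "inspected"
    return "executed unchecked"   # PURGE lands here


def default_deny_gate(line, allowed=ALLOWED_VERBS):
    """Return (decision, reason); anything not explicitly allowed is refused."""
    # Refuse control characters so one request cannot carry a second line.
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in line):
        return ("deny", "control character in request")
    verb = command_verb(line)
    if verb is None:
        return ("deny", "no command verb")
    if verb not in allowed:
        return ("deny", "verb %s not on allow list" % verb)
    return ("allow", verb)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for request in ["listf", "SHOWJOB", ":showtime", "purge myfile",
                    "showjob\npurge myfile", ""]:
        print(repr(request), named_trap_gate(request), default_deny_gate(request))
```

The verb must match an allow-list entry exactly, so a longer name that merely starts with an allowed verb is refused as well.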