[mod.computers.vax] SUBMIT/SNA

NETMGR@FINFUN.BITNET (03/06/87)

We have some security problems when sending JCL jobs via SNA Gateway
(our nodename for it is SNAGW).

When sending a JCL job through SNA Gateway, the file has to be either readable to
world or you must include full access control in the filename. To make sure
the file was properly sent, you have to have the logfile. If you use full
access control, then the logfile looks like this:

>$SNAR="$SNAREADER"
>$SNAR
>%SNARJE-I-JOBSTART, job started at 16-FEB-1987 11:22:37.26
>QUUU     SNARJE$READER
>%SNARJE-I-JOBINFO, workstation SNARJE, queue SNARJE$READER, stream RD1
>STLU000  OPMVAX"NETMGR password_visible"::HSC0$DUA0:[NETMGR.SNAGW]TOIBM.JCL;6
                        ================
>%SNARJE-I-GWYSTREND, stream RD1 ended, file OPMVAX"NETMGR password"::HSC0$DUA0:
[NETMGR.SNAGW]TOIBM.JCL;6, 63 records transferred
>EUUU
>%SNARJE-I-JOBENDED, job ended at 16-FEB-1987 11:22:42.36
>$!End of work file

If you set the file to be readable to the world, then everyone can read your JCL
usercode/password.

SUBMIT/SNA checks for file access before it submits the job for sending, so it
should be possible to give the FAL process, that reads the file for SNA
Gateway, temporary READALL privilege.

We've tried several ways:

Proxy login for SNAGW::NFACP doesn't work, because the file access is done with
null access control from SNA gateway (is this a feature or a bug?).

We tried an installed program to set READALL when the FAL request comes from
SNAGW::NFACP. Doesn't work, because we found no sure method to test who
started the request.

We maybe could use different default DECnet accounts for each node, but
we have about 100 nodes in several areas, so the updating would be too
much.



Another thing. I'd like to know how you have arranged delivering job output to
the job's sender. We have a temporary solution based on a JCL comment card
that contains a forward address but would like to have a better solution.

Pekka Kytölaakso
========================================================================
Finnish State Computing Centre           Phone + 358 0 4571
University Support Department            Telex 125833 vtkk sf
P.O Box 40
SF-02101 ESPOO FINLAND                   NETMGR@FINFUN.EARN
========================================================================
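
Added example, not part of the original post: a log scrubber that finds DECnet access control strings of the form NODE"user password"::file in SNARJE-style log text, masks the password field and reports which lines exposed one. The function names are hypothetical, the node-name character set is an assumption, and the last two sample lines are constructed to cover the cases that carry no password.

```python
import re

# Access control string inside a DECnet file specification:
#   NODE"user password [account]"::device:[dir]file
# Assumption: node names use letters, digits, '$' and '_'.
ACS = re.compile(r'(?P<node>[A-Za-z0-9$_]+)"(?P<user>[^"\s]+)(?P<rest>\s+[^"]*)?"::')

def scrub_line(line, mask="********"):
    """Return (scrubbed_line, [(node, user), ...]) for one log line."""
    exposures = []

    def repl(m):
        rest = m.group("rest")
        if rest is None or not rest.strip():
            return m.group(0)          # user name only: no secret to mask
        exposures.append((m.group("node"), m.group("user")))
        fields = rest.split()
        fields[0] = mask               # password is the first field after the user
        return '%s"%s %s"::' % (m.group("node"), m.group("user"), " ".join(fields))

    return ACS.sub(repl, line), exposures

def scrub_log(text):
    """Scrub a whole log; return (clean_text, [(line_no, node, user), ...])."""
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        clean, exp = scrub_line(line)
        out.append(clean)
        findings += [(n, node, user) for node, user in exp]
    return "\n".join(out), findings

# Lines 1-3 are taken from the log in the post; lines 4-5 are constructed.
SAMPLE = "\n".join([
    '%SNARJE-I-JOBINFO, workstation SNARJE, queue SNARJE$READER, stream RD1',
    'STLU000  OPMVAX"NETMGR password_visible"::HSC0$DUA0:[NETMGR.SNAGW]TOIBM.JCL;6',
    '%SNARJE-I-GWYSTREND, stream RD1 ended, file OPMVAX"NETMGR password"::HSC0$DUA0:',
    'STLU000  OPMVAX::HSC0$DUA0:[NETMGR.SNAGW]TOIBM.JCL;6',
    'STLU000  OPMVAX"NETMGR"::HSC0$DUA0:[NETMGR.SNAGW]TOIBM.JCL;6',
])

if __name__ == "__main__":
    clean, findings = scrub_log(SAMPLE)
    print(clean)
    for line_no, node, user in findings:
        print("line %d: password for %s on node %s was in the log" % (line_no, user, node))
```

Scrubbing only limits who can read the secret afterwards; a password that has already appeared in a log should be treated as disclosed and changed.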