[comp.os.vms] ACL's again

vtcf@NCSC.ARPA (Williams) (10/23/87)

Is there a way to restrict the use of a certain image to a specific
processor?  I have a "nearly" homogeneous cluster of two VAXes on a
common system disk, with a common SYSUAF.  I have some software that is only
supposed to be used on one processor, and I'd like to keep my users honest.
Is there some easy way to do this?  My first guess was some kind of ACE, 
but I have a feeling that there's an easier way. (I'm not sure that ACL's
would work anyway.)  Any hints, ideas, etc. are greatly appreciated.

Thanks in advance
Tom Williams
vtcf@ncsc.arpa

MCGUIRE@GRIN2.BITNET (10/26/87)

> Date:         Fri, 23 Oct 87 09:41:53 CDT
> From:         Williams <VTCF@NCSC.ARPA>
> Subject:      ACL's again
>
> Is there a way to restrict the use of a certain image to a specific
> processor?

SET FILE/ACL=(IDENTIFIER=*,ACCESS=NONE) file
SET FILE/ACL=(identifier=SYS$NODE_scsnode,ACCESS=EXECUTE) file

Source: Release Notes, Version 4.4, 2.2.10 Clusters--Limiting Access to
        Layered Products

                             *  *  *  *  *

Always check the table of contents in the release notes for changes in
software that is running at a higher release level than the document
you're reading.  The Guide to VAX/VMS System Security was last updated in
version 4.2.
---- Ed McGuire, Systems Coordinator, Grinnell College, MCGUIRE@GRIN2.BITNET

tedcrane@batcomputer.tn.cornell.edu (Ted Crane) (10/29/87)

In article <8710231441.AA02608@ncsc.ARPA> vtcf@NCSC.ARPA (Williams) writes:
>Is there a way to restrict the use of a certain image to a specific
>processor? 

ACL's would be one way to go.  Try an ACE of the format:

	(IDENTIFIER=SYS$NODE_xxx,ACCESS=EXECUTE)
	where "xxx" is your node name

You have to ensure that the protection check will fail if this ACE does not
match:  make sure there are no other ACE's that conflict, and that the 
protection bits are set to (S:RWED,O:RWED,G,W) (unless you don't want to
grant access to the system and owner).

I don't remember if there is a 'negated' identifier format in an ACE...if
there is, you could say
	(IDENTIFIER=.not.SYS$NODE_xxx,ACCESS=none)
and not have to worry about other ACE's or the protection bits.

PS:  SYS$NODE_xxx is an identifier created automatically by VMS, but you may
choose to create it manually.  It is granted to every user logged in on node
"xxx"--dynamically, as they log in, like the identifiers INTERACTIVE, BATCH,
LOCAL, REMOTE, etc.
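
Added example, not part of any post in this thread and not DEC's code: a small Python model of the access check that the two replies above rely on, showing why the protection bits and the order of the ACEs matter. The evaluation rules are a simplified assumption (stated in the comments), and the node names ALPHA and BETA and the function names are placeholders.

```python
# Added example: simplified model of the VMS access check discussed above.
# Assumptions (labelled, not from the posts): the first ACE whose identifier
# the process holds decides; an ACE denial can still be overridden by the
# SYSTEM/OWNER protection fields; with no matching ACE the whole protection
# code applies. Privileges (BYPASS, SYSPRV, ...) are not modelled.

def parse_ace(text):
    """'(IDENTIFIER=name,ACCESS=a+b)' -> (NAME, {'A', 'B'}); NONE -> empty set."""
    fields = dict(p.split("=", 1) for p in text.strip("()").upper().split(","))
    access = fields["ACCESS"]
    return fields["IDENTIFIER"], (set() if access == "NONE" else set(access.split("+")))

def check_access(want, held, categories, acl, protection):
    """want: e.g. 'EXECUTE'; held: identifiers held by the process;
    categories: protection categories the user falls in, e.g. 'W' or 'OGW';
    acl: ACE strings, top of the ACL first; protection: {'S': 'RWED', ...}."""
    letter = want[0]                       # EXECUTE -> E in the protection code
    def by_protection(cats):
        return next((c for c in cats if letter in protection[c]), None)
    for ace in acl:
        ident, rights = parse_ace(ace)
        if ident == "*" or ident in held:
            if want in rights:
                return "granted by ACE"
            cat = by_protection([c for c in categories if c in "SO"])
            return f"granted by protection {cat}" if cat else "denied by ACE"
    cat = by_protection(categories)
    return f"granted by protection {cat}" if cat else "denied by protection"

# Constructed sample data: node names ALPHA and BETA are placeholders.
NODE_ACE = "(IDENTIFIER=SYS$NODE_ALPHA,ACCESS=EXECUTE)"
DENY_ALL = "(IDENTIFIER=*,ACCESS=NONE)"
TIGHT = {"S": "RWED", "O": "RWED", "G": "", "W": ""}
LOOSE = {"S": "RWED", "O": "RWED", "G": "RE", "W": "RE"}
ON_ALPHA = {"SYS$NODE_ALPHA", "INTERACTIVE"}
ON_BETA = {"SYS$NODE_BETA", "INTERACTIVE"}

if __name__ == "__main__":
    for name, acl, prot in [("node ACE only, (S:RWED,O:RWED,G,W)", [NODE_ACE], TIGHT),
                            ("node ACE only, G:RE,W:RE", [NODE_ACE], LOOSE),
                            ("node ACE + wildcard NONE, G:RE,W:RE", [NODE_ACE, DENY_ALL], LOOSE),
                            ("wildcard NONE first", [DENY_ALL, NODE_ACE], LOOSE)]:
        for where, held in [("ALPHA", ON_ALPHA), ("BETA", ON_BETA)]:
            print(f"{name:38} world user on {where}: "
                  f"{check_access('EXECUTE', held, 'W', acl, prot)}")
```

In this model the node ACE alone only restricts the image when the group and world protection fields grant nothing, while the wildcard NONE ACE below it denies other nodes regardless of those fields; the file's owner still gets in through the owner field.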

jdc@ufcsg.cis.ufl.EDU (Jeff Capehart) (10/31/87)

	I was looking at the different types of objects that an ACL can be placed on, when I tried /object=process and I got an error BAD PARAMETER.  After searching through the DCLTABLES I did come across process as being a valid qualifier for the SET ACL command.  My problem is that I do not know what object to specify.  $ SET ACL/OBJ=PROCESS/ACL=(id=*,acc=r) will then prompt for $_Object
	Now what do you enter?  I tried process names, process IDs, and even UICs and usernames.  All gave BAD PARAMETER VALUE.  I am assuming that DEC put this in as a future upgrade to ACLs, included the CLD for it but did not implement it.  If anyone has gotten this to work I would be most appreciative.
	The SET ACL/obj=logical LNM$JOB  is another neat feature.  If you are another process and do SHOW LOG/STRUCTURE you will see all the tables you have access to.  I am also curious how to find out these logical table names through a SYSTEM SERVICE or some call so that a program can make use of the access.

		Jeff Capehart
		Gainesville, FL