INFO-VAX Wed, 25 Apr 2007 Volume 2007 : Issue 226 Contents: $GETDVI and the clusterwide mount count Re: CLD vs. Autamatic Foreign Command; or what the heck do I use? Re: CLD vs. Autamatic Foreign Command; or what the heck do I use? Re: CLD vs. Autamatic Foreign Command; or what the heck do I use? DNS Attacks Re: DNS Attacks Re: DNS Attacks Re: DNS Attacks Re: DNS Attacks Re: F$SYMLINK_ATTRIBUTES ? Re: IT'S THAT TIME AGAIN - FREE DS10L OFFER iTechArt Group - Custom Software Development and Offshore outsourcing Company Re: New DCL qualifier suggestion. RE: New DCL qualifier suggestion. SET Security question Re: SET Security question Re: SET Security question Re: SET Security question Re: SET Security question Re: SET Security question Re: SET Security question Re: SET Security question Re: VMS 8.2 VMSINSTAL Bug with RUN_IMAGE Persists? Re: VMS 8.2 VMSINSTAL Bug with RUN_IMAGE Persists? Re: VMS 8.2 VMSINSTAL Bug with RUN_IMAGE Persists? Re: VMS Alpha to Itanium port Websphere MQ on OpenVMS clusters [OpenVMS V7.3-2] Difference between LAD0: and DAD0:? ---------------------------------------------------------------------- Date: 25 Apr 2007 13:31:20 -0500 From: brooks@cuebid.zko.hp.nospam (Rob Brooks) Subject: $GETDVI and the clusterwide mount count Message-ID: <4k6VbwQAvdUL@cuebid.zko.hp.com> A longstanding omission from the SYS$GETDVI system service (and F$GETDVI lexical function) is the inability to determine on how many nodes a device is mounted. The DCL command SHOW DEVICE *does* return that information, but the $GETDVI item code DVI$_MOUNTCNT returned the number of times a device is mounted on the local node (the use of the /SHARE qualifier on the MOUNT command can allow, in some cases, a device to be mounted more than once.) For various reasons, the environment in which $ SHOW DEVICE executes made solving the problem much easier than what was needed for the system service interface. For those that are curious, see the sources to [SYS]SYSGETDVI.MAR and [SYS]SYSGETDVI_SUBS.C when the V8.3-1H1 source listings are available. Given the above, the arrival of the new item code DVI$_MOUNTCNT_CLUSTER may be of interest. This item code will "first" appear in OpenVMS I64 V8.3-1H1, expected to ship some time in the fall of 2007. As V8.3-1H1 is a limited hardware release targetted for I64 blade systems, there will be no release for Alpha; the next general purpose release for OpenVMS Alpha will be V8.4. No backport for OpenVMS VAX will be done. This item code has been backported to V7.3-2, V8.2, V8.2-1, and V8.3, and will require future SYS (for $GETDVI) and DCL (for F$GETDVI) kits. There will be no backport for the RTL routine LIB$GETDVI. I expect that the kits for the above versions will be available in the next month or so. As an added bonus, another new item code (DVI$_ADAPTER_IDENT) that will first appear in V8.3-1H1 has been backported. This item code will return the identification string associated with an adapter in the configuration files SYS$SYSTEM:SYS$CONFIG.DAT and SYS$SYSTEM:SYS$USER_CONFIG.DAT. The item code pulls the string out of in-memory structures created (typically) at boot time or in response to the command SYSMAN IO REBUILD, not directly from the files themselves. But wait, there's more! This backport makes $GETDVI functionally equivalent to that which shipped in V8.3. That means that all item codes that exist in V8.3 will be useable on a system with the relevant SYS/DCL kits. The only caveat is that some of the LAN item codes added for V8.3 might not work correctly -- some of the boolean ones require LAN driver changes that may or may not be forthcoming. The documentation in the SYS kit will explain how to add the needed new item code definitions to $DVIDEF for your relevant language. No additional changes are needed to use the new item codes with F$GETDVI, once the required SYS and DCL kits are added. This is likely my last enhancement to $GETDVI; while still employed by HP in Nashua, I'm no longer a member of VMS Engineering. I hope to see some of you at the bootcamp next month! -- Rob Brooks MSL -- Nashua brooks!cuebid.zko.hp.com ------------------------------ Date: Wed, 25 Apr 2007 10:27:43 +0200 From: Joseph Huber Subject: Re: CLD vs. Autamatic Foreign Command; or what the heck do I use? Message-ID: Arne Vajh=F8j wrote: >=20 > I will assume that you with foreign command will use a > traditional Unix format switches. >=20 > For a multi platform app then I think you need to do one of: > - use foreign command with Unix style for same interface > - use CLD & CLI$ on VMS and getopt on Unix to use native interface > on all platforms >=20 Just adding 1 ct: for multiplatform use, not just the syntax parsing is involved, also the = content, at least if wildcard-filenames are involved: Unix type shells expand file-specs before passing the command-line to=20 the program, VMS DCL does not, but is has the file_scan and find_file=20 run-time routines. Some programmers prefer to expand the VMS commandline (C argv[]) before=20 calling a Unix-like getopt loop. A cleaner way would be to hide parsing=20 in platform dependent functions like get_next_option() and=20 get_next_filespec() . --=20 Joseph Huber - http://www.huber-joseph.de ------------------------------ Date: Wed, 25 Apr 2007 16:18:23 +0100 From: Tom Wade Subject: Re: CLD vs. Autamatic Foreign Command; or what the heck do I use? Message-ID: > As, should probably be very aparent, I'm rather new to VMS, and am > playing at doing some programming. Given that I want to create > multy-platform utilities and applications, do I want to use the CLD, > what I believe is Command Language Definitions or the Foreign Command > ... stuff? > > Are ther any pros and cons I should be aware of? That is, what should > influence my decision? I *think* that using the CDL will feel more > _native_ than using Foreign Command stuff, but does that matter? To > whom? My preference is to combine the two methods as follows: - write the program to accept a foreign command using Lib$Get_Foreign - pass the user command through the DCL parser using CLI$DCL_Parse - check the qualifiers and parameters using subsequent calls to CLI$Present and Cli$Get_Value This allows you to provide a full DCL like syntax for your program, without the need for anyone to put anything into DCLTABLES.EXE or to execute SET COMMAND commands. It only requires a symbol definition to use your program $ prog == "$wherever:myprog,exe" On a personal note, PLEASE PLEASE PLEASE do not inflict horrible single-character case dependent qualifiers on the VMS community. Stuff like $ prog -J -b flurg.txt -o foo.bar is an abomination, and should not not be allowed spread across to innocent operating systems. --------------------------------------------------------- Tom Wade | EMail: tee dot wade at eurokom dot ie EuroKom | Tel: +353 (1) 296-9696 A2, Nutgrove Office Park | Fax: +353 (1) 296-9697 Rathfarnham | Disclaimer: This is not a disclaimer Dublin 14 | Tip: "Friends don't let friends do Unix !" Ireland ------------------------------ Date: 25 Apr 2007 12:28:12 -0500 From: Kilgallen@SpamCop.net (Larry Kilgallen) Subject: Re: CLD vs. Autamatic Foreign Command; or what the heck do I use? Message-ID: In article , Tom Wade writes: > >> As, should probably be very aparent, I'm rather new to VMS, and am >> playing at doing some programming. Given that I want to create >> multy-platform utilities and applications, do I want to use the CLD, >> what I believe is Command Language Definitions or the Foreign Command >> ... stuff? >> >> Are ther any pros and cons I should be aware of? That is, what should >> influence my decision? I *think* that using the CDL will feel more >> _native_ than using Foreign Command stuff, but does that matter? To >> whom? > > My preference is to combine the two methods as follows: > > - write the program to accept a foreign command using Lib$Get_Foreign > - pass the user command through the DCL parser using CLI$DCL_Parse > - check the qualifiers and parameters using subsequent calls to > CLI$Present and Cli$Get_Value > > This allows you to provide a full DCL like syntax for your program, > without the need for anyone to put anything into DCLTABLES.EXE or to > execute SET COMMAND commands. It only requires a symbol definition to > use your program > > $ prog == "$wherever:myprog,exe" In writing products to be licensed to others, I require entry into DCLTABLES.EXE because: 1. Automatic prompting for missing parameters works better 2. One can never assume there is an SYLOGIN.COM or even a LOGIN.COM file. Of course this is mainly for software which must be installed with privilege, so there is no chance of an individual user running it on their own without running the installation. ------------------------------ Date: Wed, 25 Apr 2007 10:13:57 -0400 From: Chuck Aaron Subject: DNS Attacks Message-ID: I am getting a lot of DNS attacks from Asia Pacific Network and RIPE on ftp but mostly ssh. Instead of rejecting individual hosts ip addresses, what would be the best way to keep these networks from coming in? Is there a command or commands to lock out the entire range of IP's or is there a better way? Thanks in Advance, Chuck ------------------------------ Date: Wed, 25 Apr 2007 09:35:24 -0500 (CDT) From: sms@antinode.org (Steven M. Schweda) Subject: Re: DNS Attacks Message-ID: <07042509352461_2021AA69@antinode.org> From: Chuck Aaron > I am getting a lot of DNS attacks from Asia Pacific Network and RIPE on > ftp but > mostly ssh. Instead of rejecting individual hosts ip addresses, what > would be the > best way to keep these networks from coming in? Is there a command or > commands > to lock out the entire range of IP's or is there a better way? DNS? Huh? I normally just send the ANAL /AUDI /FULL [ /SINC = xxx ] report (and/or the FTP server log section) to the ISP. (I assume that the complaints to China just disappear, but they probably can't send me e-mail, so it's hard to say with confidence. Once in a while, I get abuse from systems using my own ISP, so I know that those get handled.) I seldom see repeats from the same places. When I do, I add an address or address range to the reject list (TCPIP SET SERVICE /REJECT = [...]). I seem to have about 8 individual hosts for FTP, 17 for SSH. No networks. (I do address ranges in SMTP.CONFIG, but I haven't had enough repeats for FTP or SSH or Telnet (rare) to bother for those.) It might be worth the effort to keep a chronological list somewhere, as you may eventually run out of space in the REJECT tables, and you may wish to replace an old entry with a new one. (A list of keep-forever addresses may also make sense, if they _really_ persist.) I do this for e-mail by maintaining a SMTP_REJECT.COM procedure which includes comments with the "set service SMTP /reject" commands. SMTP offers other options, so I reserve this for the worst repeaters. Judging by the file date-time, I haven't seen any e-mail flood problems since 23-OCT-2006 (just the every-day annoyances). ------------------------------------------------------------------------ Steven M. Schweda sms@antinode-org 382 South Warwick Street (+1) 651-699-9818 Saint Paul MN 55105-2547 ------------------------------ Date: 25 Apr 2007 17:03:40 +0200 From: peter@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) Subject: Re: DNS Attacks Message-ID: <462f89ec@news.langstoeger.at> In article , Chuck Aaron writes: >I am getting a lot of DNS attacks from Asia Pacific Network and RIPE on >ftp but >mostly ssh. Instead of rejecting individual hosts ip addresses, what >would be the >best way to keep these networks from coming in? Is there a command or >commands >to lock out the entire range of IP's or is there a better way? Try looking into your firewall (as well as in your TCPIP manual ;-): $ UCX SET COMM/REJECT=NETWORK=(net1[:mask1],net2[:mask2],...) -- Peter "EPLAN" LANGSTOEGER Network and OpenVMS system specialist E-mail peter@langstoeger.at A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist ------------------------------ Date: Wed, 25 Apr 2007 17:18:58 +0000 (UTC) From: moroney@world.std.spaamtrap.com (Michael Moroney) Subject: Re: DNS Attacks Message-ID: peter@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) writes: >In article , Chuck Aaron writes: >>I am getting a lot of DNS attacks from Asia Pacific Network and RIPE on >>ftp but >>mostly ssh. Instead of rejecting individual hosts ip addresses, what >>would be the >>best way to keep these networks from coming in? Is there a command or >>commands >>to lock out the entire range of IP's or is there a better way? >Try looking into your firewall (as well as in your TCPIP manual ;-): > $ UCX SET COMM/REJECT=NETWORK=(net1[:mask1],net2[:mask2],...) Unfortunately, there is a limit of 16 networks that can be locked out with that method. If you keep locking out networks as they start attacking, you'll soon use up those 16 entries. Another way to accomplish the same thing is to do a: TCPIP> SET ROUTE ne.tw.or.k/NET/MASK=netmask/GATEWAY=a.b.c.d where ne.tw.or.k is network base address to be denied access, netmask is the CIDR mask length of that network, and a.b.c.d is an address on your local LAN that is _not_ being used (nothing there). What happens is that responses to the incoming connection request go to the nonexistent gateway never to be heard from again, and the attacker gets no response. I think you have to issue that command twice, once with a /PERMANENT qualifier so they'll still be blocked after a reboot. ------------------------------ Date: 25 Apr 2007 12:28:41 -0500 From: koehler@eisner.nospam.encompasserve.org (Bob Koehler) Subject: Re: DNS Attacks Message-ID: In article , Chuck Aaron writes: > I am getting a lot of DNS attacks from Asia Pacific Network and RIPE on > ftp but > mostly ssh. Instead of rejecting individual hosts ip addresses, what > would be the > best way to keep these networks from coming in? Is there a command or > commands > to lock out the entire range of IP's or is there a better way? Depending on your IP stack there should be a way to lock out networks by address and mask. Multinet certainly has it. ------------------------------ Date: 25 Apr 2007 12:01:18 +0200 From: peter@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) Subject: Re: F$SYMLINK_ATTRIBUTES ? Message-ID: <462f430e$1@news.langstoeger.at> In article <1177451210.625590.218310@r30g2000prh.googlegroups.com>, R Boyd writes: >On Apr 24, 5:42 am, p...@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) wrote: >> >> I haven't got one in my new OpenVMS Alpha V8.3. Is this a betatest, >> an Itanium only, or an ECO item? Do you have seen it already? > >The lexical function is not listed in the HELP LEX choices, but the >function is there on 2 of my V8.3 systems. I tested it with a couple >of the arguments for F$FILE_ATTRIBUTES and it works just fine. Yes, it isn't in the help, but I did try it and it wasn't there either. I've it now, too. Strange. I don't know how that happened... Is this just another rotten mind alert? -- Peter "EPLAN" LANGSTOEGER Network and OpenVMS system specialist E-mail peter@langstoeger.at A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist ------------------------------ Date: Wed, 25 Apr 2007 10:46:08 -0400 From: "David Turner, Island Computers" Subject: Re: IT'S THAT TIME AGAIN - FREE DS10L OFFER Message-ID: <132uqdaarua2hfc@news.supernews.com> Well via DHL probably about $150 "Mark Daniel" wrote in message news:132hv838nmlodc6@corp.supernews.com... > David Turner, Island Computers wrote: >> Like the homicidal Panda "Eats Shoots and leaves" > > Or like a bloke I used to work with whose nick-name was Wombat; > > "eats roots, shoots and leaves" > > And for those who may be less than full-bottle on Australian wildlife: > > http://en.wikipedia.org/wiki/Wombat > > Or not full-bottle on Anglo-Australian slang: > > http://en.wikipedia.org/wiki/Australian_English_vocabulary#Sport > http://www.koalanet.com.au/australian-slang.html#R > > And to keep it on-topic: What would be the shipping for a DS10L to .au and > what does it offer my AU$100 PWS500au doesn't? [both rhetorical :-] > > -- > Odium theologicum ... > http://en.wikipedia.org/wiki/Odium_theologicum > >> wrote in message >> news:OFC15BE405.8AA2C9CB-ON852572C2.0077B426-852572C2.0077CE8A@metso.com... >> >>> >>> >>>AEF wrote on 04/19/2007 03:21:59 PM: >>> >>> >>>>On Apr 19, 2:35 pm, "David Turner, Island Computers" >>>islandco.com> wrote: >>>> >>>>>SEND US YR EMAIL ADDRESS, TEL# AND >>>>>NAME OF COURSE IF YOU HAVEN'T ALREADY >>>> >>>>Name of course? Say what? >>> >>>Well, that's why punctuation was invented. >>> >>>"...NAME, OF COURSE, IF...." ;-) >>> >>> >>>>>SUBJECT LINE MUST STATE: FREE DS10L >>>>> >>>>>-- >>>>>David B Turner >>>> >>>>[...] >>>> >>>>AEF >>>> >>> >> ------------------------------ Date: 25 Apr 2007 08:32:04 -0700 From: VB Subject: iTechArt Group - Custom Software Development and Offshore outsourcing Company Message-ID: <1177515123.929635.86970@r35g2000prh.googlegroups.com> iTechArt Group - Custom Software Development and Offshore outsourcing Company http://www.itechart.com/ Offshore custom software development company iTechArt - Web site and Content Management Solutions development, CMS consulting: Ektron, Drupal and DotNetNuke iTechArt Group provides high quality custom software development services and offshore software development. On December 2006, iTechArt Group became an authorized Microsoft Certified Partner. This means that our company has been recognized by Microsoft for our vast expertise and authorized to custom software development; provide IT service consulting and custom business solutions. Custom Software Development and Offshore outsourcing Company iTechArt has worked together since 2003 to design build and deliver .NET Web Content Management software solutions that help clients meet their strategic objectives. We are agile oriented development partner able to consistently deliver solid results. iTechArt software development team assemblies specialists in the development of custom software applications and offshore software outsourcing services. Working concepts of our company are based on proven approaches and international standards used for custom software development such as Capability Maturity Model Integration for Software Engineering (CMMI- SW). In the same breath we have our own standpoint on software development process management which is fully effective and comprehensible for our clients. iTechArt offers software development in the next main directions: 1. Custom Software Development (Offshore outsourcing for worldwide based software development companies.) 2. Software Development for Digital Signage (Media content development and remote displays / information kiosks Web-based software application management.) 3. Web Site Development (E-commerce solutions, CMS/DotNetNuke/Ektron/ Drupal, Web 2.0/PHP/MySQL/AJAX, Flash/Action script/Flex and many more.) 4. Offshore Development Center (Dedicated development team of software developers. Our offshore development centers operate as an extension to clients' existing software engineering business.) Contact iTechArt ( http://www.itechart.com/ )about custom software development, end-to-end software solutions, outsourcing software development, custom DotNetNuke module development, DotNetNuke consulting, dotnetnuke hosting, first class Java and .Net developers, software application design, software testing, Quality Assurance, functionality testing and defect analysis, performance and stress testing, usability testing, Microsoft Media Services and Adobe Media Flash Server solutions, digital signage solutions and custom development, Ektron CMS400.NET developers, CMS, .NET Web Content Management software solutions Web: http://www.itechart.com/ http://www.itechart.com/Pages/ProductsServices/HowWeWork.aspx http://www.itechart.com/Pages/ProductsServices/BusinessModels.aspx http://www.itechart.com/Pages/ProductsServices/CustomSoftwareDevelopment.aspx http://www.itechart.com/Pages/ProductsServices/DotNetNukeModuleDevelopment.aspx ------------------------------ Date: Wed, 25 Apr 2007 10:21:20 GMT From: =?ISO-8859-1?Q?Jan-Erik_S=F6derholm?= Subject: Re: New DCL qualifier suggestion. Message-ID: I regulary do this in my DCL's : $ if f$search("some-file" or "some-symbol") .nes. "" $ then $ delete/whatever "some-file" or "some-symbol" $ endif I've never had any problem with that... Jan-Erik. ------------------------------ Date: Wed, 25 Apr 2007 07:37:01 -0400 From: "Farrell, Michael" Subject: RE: New DCL qualifier suggestion. Message-ID: <085BCCCF596B684092B66310B1D3BA7D05AE390D@NJ103EX1.EAST.VIS.COM> There is a "DEL/NOLOG ". We use it all the time. Mike -----Original Message----- From: Dave Weatherall [mailto:djw-nothere@nospam.nohow]=20 Sent: Wednesday, April 25, 2007 1:01 AM To: Info-VAX@Mvb.Saic.Com Subject: Re: New DCL qualifier suggestion. On Tue, 24 Apr 2007 13:36:29 UTC, BaxterD@tessco.com wrote: > I have a very complex End-of-Day process which is primarily DCL > scripts. I also have a (very simplistic) error checking job which > examines the process log files for errors. > The biggest nuisance I have to deal with is error and warning > messages generated by general "Delete" and "Purge" commands, (with or > without wildcards), when the target file(s) are not found. > I know that I can get rid of these messages by doing a > conditional delete (i.e. if f$search("filename") .nes. "") or by > turning off messaging, however the first option requires a lot of > extra code to do the condition checking, and the second option is to > generic. >=20 > What would be really nice would be a qualifier which would allow > this to be turned of selectively, and stop the program from generating > the messages. I am thinking of something like >=20 > $ Delete/Suppress >=20 > which would suppress any errors or warnings for that specific command > execution. /NoSuppress could be the default, and it could be made > available for most DCL commands, but specifically (to meet my needs) > for Delete and Purge. >=20 > Anyone else like the idea (Are you listening Guy Peleg!!) I just save, switch off and restore error reporting around deletes and purges that I _know_ could cause confusing errors. Had there been a '=20 DEL /NOLOG' I would have used it. This is from memory and probably wrong :- $ message_save =3D f$environment ("message") $ set mess /nofac /notext /nosev/noid $ delete stuff $ ! optional status checking to catch _unexpected_ errors $ set mess 'message_save' --=20 Cheers - Dave W. ------------------------------ Date: Wed, 25 Apr 2007 15:51:35 +0200 From: Martin Krischik Subject: SET Security question Message-ID: <462f5ce8$1@news.post.ch> Hi, I want to set the security of a file so it is accessible by me alone. I tried the all the variations on SET Security I could think of but none worked out: SET Security /Protection=(O:RWED) SET Security /Protection=(S:,O:RWED,G:,W:) SET Security /Protection=(S:-,O:RWED,G:-,W:-) What's the secret? Martin ------------------------------ Date: Wed, 25 Apr 2007 09:56:22 -0400 From: "Rick Barry" Subject: Re: SET Security question Message-ID: Something like this? $ set sec/prot=(s,o:rwed,g,w) t.t $ sho sec t.t SYS$SYSROOT:[SYSMGR]T.T;1 object of class FILE Owner: [SYSTEM] Protection: (System, Owner: RWED, Group, World) Access Control List: Richard Barry OpenVMS System Software Group Hewlett Packard Company "Martin Krischik" wrote in message news:462f5ce8$1@news.post.ch... > Hi, > > I want to set the security of a file so it is accessible by me alone. I > tried the all the variations on SET Security I could think of but none > worked out: > > SET Security /Protection=(O:RWED) > SET Security /Protection=(S:,O:RWED,G:,W:) > SET Security /Protection=(S:-,O:RWED,G:-,W:-) > > What's the secret? > > Martin ------------------------------ Date: Wed, 25 Apr 2007 15:02:15 +0100 From: "Richard Brodie" Subject: Re: SET Security question Message-ID: "Martin Krischik" wrote in message news:462f5ce8$1@news.post.ch... > SET Security /Protection=(O:RWED) > SET Security /Protection=(S:,O:RWED,G:,W:) > SET Security /Protection=(S:-,O:RWED,G:-,W:-) > > What's the secret? Write (O:RWED, S, G, W). "Help hints" can be useful at times: "help hints security protection_codes" ------------------------------ Date: Wed, 25 Apr 2007 09:05:27 -0500 (CDT) From: sms@antinode.org (Steven M. Schweda) Subject: Re: SET Security question Message-ID: <07042509052777_202002DA@antinode.org> From: Martin Krischik > I want to set the security of a file so it is accessible by me alone. I > tried the all the variations on SET Security I could think of but none > worked out: > > SET Security /Protection=(O:RWED) > SET Security /Protection=(S:,O:RWED,G:,W:) > SET Security /Protection=(S:-,O:RWED,G:-,W:-) > > What's the secret? Read the HELP? They put those brackets where they do for a reason. SET SECURITY /PROTECTION /PROTECTION=(ownership[:access][,...]) [...] SET Security /Protection=(S,O:RWED,G,W) ------------------------------------------------------------------------ Steven M. Schweda sms@antinode-org 382 South Warwick Street (+1) 651-699-9818 Saint Paul MN 55105-2547 ------------------------------ Date: Wed, 25 Apr 2007 10:39:43 -0400 From: norm.raphael@metso.com Subject: Re: SET Security question Message-ID: Protection codes notwithstanding, If a process has READALL, I believe it will be able to read the file, and if it has BYPASS .... What are you really trying to accomplish? sms@antinode.org (Steven M. Schweda) wrote on 04/25/2007 10:05:27 AM: > From: Martin Krischik > > > I want to set the security of a file so it is accessible by me alone. I > > tried the all the variations on SET Security I could think of but none > > worked out: > > > > SET Security /Protection=(O:RWED) > > SET Security /Protection=(S:,O:RWED,G:,W:) > > SET Security /Protection=(S:-,O:RWED,G:-,W:-) > > > > What's the secret? > > Read the HELP? They put those brackets where they do for a reason. > > SET > > SECURITY > > /PROTECTION > > /PROTECTION=(ownership[:access][,...]) > [...] > > SET Security /Protection=(S,O:RWED,G,W) > > ------------------------------------------------------------------------ > > Steven M. Schweda sms@antinode-org > 382 South Warwick Street (+1) 651-699-9818 > Saint Paul MN 55105-2547 ------------------------------ Date: Wed, 25 Apr 2007 17:05:33 +0200 From: Martin Krischik Subject: Re: SET Security question Message-ID: <462f6e3d$1@news.post.ch> norm.raphael@metso.com schrieb: > Protection codes notwithstanding, If a process has READALL, I believe it > will be able to read the file, and if it has BYPASS .... Yes, I know about those two - just like unix where you can't protect anything from the root user. Martin ------------------------------ Date: 25 Apr 2007 12:23:11 -0500 From: Kilgallen@SpamCop.net (Larry Kilgallen) Subject: Re: SET Security question Message-ID: In article <462f6e3d$1@news.post.ch>, Martin Krischik writes: > norm.raphael@metso.com schrieb: > >> Protection codes notwithstanding, If a process has READALL, I believe it >> will be able to read the file, and if it has BYPASS .... > > Yes, I know about those two - just like unix where you can't protect > anything from the root user. In suggesting 800-53 security assessment policies, I recommend looking with skepticism on any files protected against SYSTEM access, as likely being an indication that somebody does not understand how things work. ------------------------------ Date: 25 Apr 2007 12:27:04 -0500 From: koehler@eisner.nospam.encompasserve.org (Bob Koehler) Subject: Re: SET Security question Message-ID: In article <462f5ce8$1@news.post.ch>, Martin Krischik writes: > Hi, > > I want to set the security of a file so it is accessible by me alone. I > tried the all the variations on SET Security I could think of but none > worked out: > > SET Security /Protection=(O:RWED) > SET Security /Protection=(S:,O:RWED,G:,W:) > SET Security /Protection=(S:-,O:RWED,G:-,W:-) > > What's the secret? HELP SET SECURITY /PROTECTION Wherein you shall find that the : is included only if one or more of REWD is included. "/PROTECTION=(ownership[:access][,...])", note that the : is after the [ . /protection=(s,o:rwed,g,w) ------------------------------ Date: Wed, 25 Apr 2007 13:18:25 GMT From: rdeininger@mindspringdot.com (Robert Deininger) Subject: Re: VMS 8.2 VMSINSTAL Bug with RUN_IMAGE Persists? Message-ID: In article , "Richard Maher" wrote: >Hi Robert, >> >> V8.2 Alpha is still supported. > >Fabulous! So then one could be forgiven for thinking that bug-fixes >(especially those as simple as "Here's another copy of the 3.5K line DCL >command file VMSINSTAL.COM") would be forthcoming? Hell, it works again in >8.3; why can't they just put that version on a patch kit and say here it is? I'm not familiar with the details of whatever VMSINSTAL problem you are complaining about. That's ok, since this isn't a support forum, and everyone understands that you won't get formal support here. If you found a bug in VMSINSTAL, log a support call. I assume you have a support contract. If you don't have one, then VMS V8.2 on Alpha is NOT "supported" for you, and you are relying on volunteer/charity work to help you with your problems. I understand that it is work to log a support call, and more work if you do it well than if you do it poorly. (Your problem description in the original post definitely falls in the "poorly" category. But that's ok because this isn't a support forum.) You need to supply answers to a number of questions, both technical and bureaucratic. You need to understand the problem well enough to explain it. ("It's broken!" is NOT a useful problem report, no matter how many pages of flowery, confrontational, non-specific prose are used to say "It's broken".) Sometimes you need the patience to explain the problem to someone whose understanding is much less than your own. So I understand that it is easier to wait for someone else to log the call, and hope that a solution appears for "free" in the form of a patch kit. And it's fun to bitch in public while you wait for the solution you hope someone asked for. If you log a call for a bug in a supported product, and your problem report is reasonable, and the problem can be reproduced, then you should expect HP to provide a solution, TO YOU. Not every solution turns into a patch kit, for a number of reasons. If you need the solution to turn into a patch kit, the first, and obvious step, is to ASK for one, and perhaps explain why it's needed. Most, if not all, VMS patch kits are explicitly requested, either by a customer or by a VMS developer. And VMS developers do NOT request kits for every bug they fix. Doing so would overwhelm the patch delivery process with very little benefit to anyone. In the worst case, the fixes will ship in the next release. More often, batches of fixes will go out in patch kits when they are collectively urgent enough to justify it. >This is my take on what's happened: - >1) Digital employees can't help but get all excited over bullshit concepts >such as "seperating Form and Funtion" or providing IT's Holy Grail of a >"Truly *NON*-procedural" software installation kit. (Yawn) >2) No real person shares their bollocks enthusiasm, so we are punished by >having our Developer's Guide to VMSINSTAL stuffed into the Archived >Documents section. >3) No longer content with merely spitting at us as he walks by, some wanker >decides that RUN_IMAGE: should actually do an Analyze/Image on the file >first (to see if it is really an image?) (to get that warm fuzzy feeling?), >but not bother to test it :-( >4) It get's fixed for 8.3 but he won't backport it to 8.2 'cos that famous >Digital arrogance tells him that "No one should be using RUN_IMAGE anyway" >or "Your code was always broken" or "It's a feature" or "The work around is >to upgrade to 8.3" you little shit of a customer! (Move to PCSI before I >fart in your general direction, you objectionable little man) > >Sound about right? Er, no. I'm having my usual trouble understanding your prose. (I don't remember what misjudgement led me to actually read it.) Are you seeking a solution to a problem or are you just venting? Do you enjoy writing these little ditties that border on hysterical and offensive? So you think a lot of people are entertained by them? Do you think your rants make folks WANT to help you? Have you ever considered that you might get better results asking for help if you weren't a pain in the ? To the extent I do understand what you wrote above, it's seems almost totally disconnected from the real world. I detect nothing in your description that matches how VMS design decisions and support cases are handled. I can't address your points because none of my experience connects with them. >All I want to do is, at install time, run a little program that checks the >UAF. Is there a bug/patch reference I can pass on to people so that their >path through HP support can be smoothed if they are lucky enough to come >across this issue? That's a PERFECT question for HP support. Have you asked there? >Cheers Richard Maher > >"Robert Deininger" wrote in message >news:rdeininger-2404070858500001@dialup-4.233.173.47.dial1.manchester1.level3.net... >> In article , "Richard Maher" >> wrote: >> >> >Hi, >> > >> >There was/is a bug with VMSINSTAL's Run_Image callback on 8.2 machines >that >> >exhibited the following symptoms at product installation time: - >> > >> >* Do you want to purge files replaced by this installation [YES]? >> >%ANALYZE-E-OPENIN, error opening MISSING:[MISSING]VMI$NEW.EXE; as input >> >-SYSTEM-W-NOSUCHDEV, no such device available >> >%VMSINSTAL-E-INSFAIL, The installation of TIER3A V3.1 has failed. >> > >> >The problem is that I've just had someone upgrading to 8.2 (Why not 8.3? >I >> >dunno :-) and the bug appears to still be there :-( >> > >> >VMS 8.2 is still supported, is it not? Has anyone got a patch reference: >> >> V8.2 Alpha is still supported. >> >> V8.2 I64 supported ended Dec. 31, 2006. ------------------------------ Date: 25 Apr 2007 08:32:06 -0500 From: Kilgallen@SpamCop.net (Larry Kilgallen) Subject: Re: VMS 8.2 VMSINSTAL Bug with RUN_IMAGE Persists? Message-ID: In article , "Richard Maher" writes: > Hi Robert, >> >> V8.2 Alpha is still supported. > > Fabulous! So then one could be forgiven for thinking that bug-fixes > (especially those as simple as "Here's another copy of the 3.5K line DCL > command file VMSINSTAL.COM") would be forthcoming? Hell, it works again in > 8.3; why can't they just put that version on a patch kit and say here it is? I have not been following this thread. Are you saying that you reported a problem through formal support channels and they are failing to address it when you can show they know how to fix it ? If that is the case, you should demand the money back you paid for that support contract. ------------------------------ Date: Wed, 25 Apr 2007 10:48:34 -0400 From: "FredK" Subject: Re: VMS 8.2 VMSINSTAL Bug with RUN_IMAGE Persists? Message-ID: "Robert Deininger" wrote in message news:rdeininger-2504070918250001@dialup-4.233.173.73.dial1.manchester1.level3.net... > In article , "Richard Maher" > wrote: > >>Sound about right? > > Er, no. > > I'm having my usual trouble understanding your prose. (I don't remember > what misjudgement led me to actually read it.) Are you seeking a solution > to a problem or are you just venting? Do you enjoy writing these little > ditties that border on hysterical and offensive? So you think a lot of > people are entertained by them? Do you think your rants make folks WANT > to help you? Have you ever considered that you might get better results > asking for help if you weren't a pain in the ? > I have to say that despite the odd chuckle I get when Richard actually lands a bullseye, I for the most part don't read what he writes - because of the invective. Participation in COV isn't part of our job descriptions - so I don't have to respond to things that are just too far over the top. Sometimes it isn't worth trying to pull out the nugget of a question or suggestion to address. Given the other streams of complete time-wasting-stupidity in COV the last few weeks, it was easy to overlook. I only went *back* and read it to try to figure out what this was all about. I appreciate that Richard is frustrated, but his reaction to the frustration doesn't win him many points. >>1) Digital employees can't help but get all excited over bullshit concepts >>such as "seperating Form and Funtion" or providing IT's Holy Grail of a >>"Truly *NON*-procedural" software installation kit. (Yawn) I don't work for Digital (RIP), I work for HP. Having had to deal with VMSINSTAL on both ends (creating installations and installing products) - PCSI with all it's faults is lightyears better. While I had nothing to do with this particular issue - frankly I find nothing in this bullet except a insult to all former Digital employees. Feel free to look me up in the source listings. The engineer that introduced the problem has retired - and was an excellent kernel engineer and spent a lot of time working with customers issues. The guy who fixed the problem is about as customer focused an engineer that I know. Both of whom you would do well to be nice to, one of whom I believe reads COV but seldom writes. Both of whom you can find in the source listings as well. >>2) No real person shares their bollocks enthusiasm, so we are punished by >>having our Developer's Guide to VMSINSTAL stuffed into the Archived >>Documents section. So you don't like PCSI. It's like complaining that we don't use PIP for backup. It isn't like we stopped supporting VMSINSTAL - heck we ported it to IPF which is where the bug was introduced. But clearly *we* believe that PCSI is a superior method for someone who wants to develop a product installation. We invested a lot of time and energy into creating something better than VMSINSTAL. >>3) No longer content with merely spitting at us as he walks by, some >>wanker >>decides that RUN_IMAGE: should actually do an Analyze/Image on the file >>first (to see if it is really an image?) (to get that warm fuzzy >>feeling?), >>but not bother to test it :-( It was done to determine image architecture when used on IA64. Not tested? Apparently not enough. Or at least not with a kit that used that feature. Not really an excuse. But it was hardly done on a whim - it was a TYPO with a symbol name. Frankly it appears that the code had been checked in for several *years* before someone stumbled onto the problem. >>4) It get's fixed for 8.3 but he won't backport it to 8.2 'cos that famous >>Digital arrogance tells him that "No one should be using RUN_IMAGE anyway" >>or "Your code was always broken" or "It's a feature" or "The work around >>is >>to upgrade to 8.3" you little shit of a customer! (Move to PCSI before I >>fart in your general direction, you objectionable little man) The guy who fixed the problem checked it into V8.2R. Backporting isn't an issue. The sole issue is that it hasn't been included in any V8.2 patch kit. Have you requested one? I searched for the snippet you quote from one of "COVs kind souls" and can't find it. So I assume that was from an e-mail. Did he report it? To be honest, we try to generate patch kits for the "mainstream" versions - even when the mainstream is sometimes beyond support end of life (like V7.3-2). V8.2 falls into the category of "lightly used" - so patches there tend to get generated when a customer requests one. ------------------------------ Date: Wed, 25 Apr 2007 10:07:42 -0400 From: "Syltrem" Subject: Re: VMS Alpha to Itanium port Message-ID: <132uo5fjhtmk8dd@corp.supernews.com> > Syltrem wrote: >> Hi >> >> I ported mostly subroutines (many linked to one big shareable image) , >> and some executables. >> >> I did not have problems. >> >> Only thing is, I have a Basic USEROPEN routine that coule return the file >> creation date and protection info, but this one no longer compiles. >> This is true on Alpha and IA64. >> >> You may be missing some of the stuff in BASIC$STARLET.TLB if you use >> that. >> For instance $IMPDEF was missing. >> >> For my USEROPEN, that's where the problem lies... they changed the >> definitions to XABDET, XABDATDEF, etc somewhere between now and 10 years >> ago when I last compiled the program (when migrating from VAX to Alpha). >> >> If you have a useropen routine that works, I would gladly have it :-) >> I still have to get the one I have to work (a bit complicated and not >> enough time...). >> >> Good luck with your porting. >> >> Syltrem >> No zulu in my email >> >> > I have managed to decode the new XAB break up and have a useropen that > returns the actual file name (with the version #). If you send your > useropen to me I could take a look for you. > > Jeff Coffield Hein was kind enough to fix the useropen for me Here it is for others to use FUNCTION LONG IVAP0049STD (FABDEF FAB, RABDEF RAB, LONG CHANNEL) ! Gets size and creation date of an opened file OPTION TYPE = EXPLICIT %INCLUDE "$FABDEF" %FROM %LIBRARY "SYS$LIBRARY:BASIC$STARLET.TLB" %INCLUDE "$RABDEF" %FROM %LIBRARY "SYS$LIBRARY:BASIC$STARLET.TLB" %INCLUDE "$XABDEF" %FROM %LIBRARY "SYS$LIBRARY:BASIC$STARLET.TLB" %INCLUDE "$XABDATDEF" %FROM %LIBRARY "SYS$LIBRARY:BASIC$STARLET.TLB" %INCLUDE "$XABPRODEF" %FROM %LIBRARY "SYS$LIBRARY:BASIC$STARLET.TLB" ! Ces nouvelles définitions sont une gracieuseté de Hein van den Heuvel 24-APR-2007 ! Beaucoup de choses ont changé en 12 ans... RECORD xabdat VARIANT CASE XABDEF xxab ! Shared part for COD, BLN, SPARE AND NXT CASE XABDATDEF xxabdat ! specific part END VARIANT END RECORD xabdat RECORD xabprot VARIANT CASE XABDEF xxab ! Shared part for COD, BLN, SPARE AND NXT CASE XABPRODEF1 xxabprot ! specific part END VARIANT END RECORD xabprot DECLARE xabdat XAB_DAT DECLARE xabprot XAB_PRO EXTERNAL LONG FUNCTION SYS$OPEN, SYS$CONNECT DECLARE LONG STAT, basic_rtl_provided_xabfhc MAP (MAP_IVAP0049STD) & BASIC$QUADWORD Cre_Date, & LONG File_Size, & WORD Rec_Length, & LONG File_Owner_UIC MAP (MAP_IVAP0049STD) & Long Cre_Date_L1, & Cre_Date_L2, & String Fill = 6%, & Word File_Owner_UIC_Mbr, & File_Owner_UIC_Grp Init: Rec_Length = 0 File_Size = 0 Cre_Date_L1 = 0 Cre_Date_L2 = 0 File_Owner_UIC = 0 Begin: basic_rtl_provided_xabfhc = FAB::FAB$L_XAB FAB::FAB$L_XAB = LOC(XAB_DAT) XAB_DAT::XAB$B_COD = XAB$C_DAT ! 1er XAB = infos sur les dates XAB_DAT::XAB$B_BLN = XAB$C_DATLEN XAB_DAT::XAB$L_NXT = loc(XAB_PRO::XAB$B_COD) ! Pointeur au 2e XAB XAB_PRO::XAB$B_COD = XAB$C_PRO ! 2e XAB = infos sur les protections XAB_PRO::XAB$B_BLN = XAB$C_PROLEN XAB_PRO::XAB$L_NXT = basic_rtl_provided_xabfhc ! Rajoute a Fin de la liste STAT = SYS$OPEN(FAB) STAT = SYS$CONNECT (RAB) IF (STAT AND 1%) = 1% Rec_Length = FAB::FAB$W_MRS File_Size = FAB::FAB$L_ALQ Cre_Date = XAB_DAT::XAB$Q_CDT File_Owner_UIC = XAB_PRO::XAB$L_UIC FAB::FAB$L_XAB = basic_rtl_provided_xabfhc ! Efface linkage de nos XABs IVAP0049STD = STAT END FUNCTION ------------------------------ Date: Wed, 25 Apr 2007 14:22:58 +0200 From: "Jan Sierens" Subject: Websphere MQ on OpenVMS clusters Message-ID: <462f4821$0$7361$4d4efb8e@read.news.be.uu.net> We are currently looking for help on implementing IBM Websphere MQ failover sets on a OpenVMS Cluster. Can anyone help ? jan(dot)sierens(at)agceurope(dot)com ------------------------------ Date: 25 Apr 2007 16:51:14 +0200 From: peter@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) Subject: [OpenVMS V7.3-2] Difference between LAD0: and DAD0:? Message-ID: <462f8702$1@news.langstoeger.at> With the old InfoServer support files contained in VMS one had to start $ @SYS$STARTUP:ESS$STARTUP DISK, TAPE to get a DAD0: (disk) and a MAD0: (tape) template device. With it it was then possible to map a service to a local virtual disk (DADx:) eg. $ ladcp:==$LADCP $ ladcp BIND/SYS ALPHA082 $ MOUNT/SYSTEM/NOWRITE DAD$ALPHA082 ALPHA082 But then came along (when?) a startup file SYS$STARTUP:ESS$LAD_STARTUP.COM which essentially loads a LAD0: template device/driver and issues the (undocumented) command (controlled by a ESS$LAD_STARTUP.DAT config file) $ ladcp SET CACHE/... I still do not see the reason for this file and/or this LAD device/driver. Was it only there for the InfoServer client software cache? It surely doesn't replace ESS$STARTUP, as you don't need to run/start it to get InfoServer disks (client) and running/starting ESS$LAD_STARTUP without the ESS$STARTUP gives a "LADCP-E-NOCLIENT, client driver not available" (if binding a service). So what is/was ESS$LAD_STARTUP.COM intended for? Can anyone shed any light on it, please. TIA -EPLAN PS: I know, that in VMS V8 ESS$LAD_STARTUP starts the InfoServer process. And this process *might* need LAD. But in V7 there is no InfoServer process. So, should I assume, that it (always) is/was part of the Infoserver server software but only took some versions of VMS to finally become functional? PPS: In earlier versions it was ESS$LASTDRIVER and ESS$LADDRIVER Now it is SYS$LASTDRIVER, SYS$LADDRIVER, ... When did the rename happen? With the VAX to Alpha transition perhaps? -- Peter "EPLAN" LANGSTOEGER Network and OpenVMS system specialist E-mail peter@langstoeger.at A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist ------------------------------ End of INFO-VAX 2007.226 ************************