Discussion:
Job logicals linked to a process
Chris Townley
2021-01-08 22:24:33 UTC
Just wondering - looking at job logicals, where the LNM table is similar
to LNM$JOB_81DC4940

I was wondering how to link a process to a particular table. Looking at
the reference above, here 81DC4940, I could not see the connection
until I looked at SDA, where this is shown as the JIB address.

I cannot find this in f$getjpi (so presumably not in LIB$GETJPI or even
$GETJPI).

Any thoughts on how to find/link this, or even what it is?


Chris
Stephen Hoffman
2021-01-08 22:30:31 UTC
Post by Chris Townley
Just wondering - looking at job logicals, where the LNM table is
similar to LNM$JOB_81DC4940
I was wondering how to link a process to a particular table. Looking at
the reference above, here 81DC4940, I could not see the connection
until I looked at SDA, where this is shown as the JIB address.
I cannot find this in f$getjpi (so presumably not in LIB$GETJPI or even $GETJPI).
Any thoughts on how to find/link this, or even what it is?
https://groups.google.com/g/comp.os.vms/c/Pxx10F5ULtU/m/vQ142iMpAgAJ
--
Pure Personal Opinion | HoffmanLabs LLC
Chris Townley
2021-01-08 22:59:56 UTC
Post by Stephen Hoffman
Post by Chris Townley
Just wondering - looking at job logicals, where the LNM table is
similar to LNM$JOB_81DC4940
I was wondering how to link a process to a particular table. Looking
at the reference above, here 81DC4940, I could not see the
connection until I looked at SDA, where this is shown as the JIB address.
I cannot find this in f$getjpi (so presumably not in LIB$GETJPI or even $GETJPI).
Any thoughts on how to find/link this, or even what it is?
https://groups.google.com/g/comp.os.vms/c/Pxx10F5ULtU/m/vQ142iMpAgAJ
Thanks

Chris
Stephen Hoffman
2021-01-08 22:54:45 UTC
Post by Chris Townley
Just wondering - looking at job logicals, where the LNM table is
similar to LNM$JOB_81DC4940
I was wondering how to link a process to a particular table. Looking at
the reference above, here 81DC4940, I could not see the connection
until I looked at SDA, where this is shown as the JIB address.
I cannot find this in f$getjpi (so presumably not in LIB$GETJPI or even $GETJPI).
Any thoughts on how to find/link this, or even what it is?
Ignore my previous link.

It's the job information block JIB address, in hexadecimal.

AFAIK, there's no supported means to locate the name of a process'
LNM$JOB, but there are hack-ish means.

Best to use your own shared logical name table, if you need to share
some sort of data.

This gets discussed occasionally.

https://groups.google.com/g/comp.os.vms/c/JF9CD3GsrEU/m/8PTZKpYy3FoJ
https://groups.google.com/g/comp.os.vms/c/JvayAq2U3JU/m/C95h2FeWdPAJ
https://groups.google.com/g/comp.os.vms/c/al6XGcd1ZUk/m/LpvPbE2ddYUJ
https://groups.google.com/g/comp.os.vms/c/jl04QQb02IA/m/Qq4N2LPtTRYJ
etc.

I'm skeptical about using logical names for much of what they tend to
get (mis)used for—pretty much anything other than a device or file or
file path—but others are quite fond of this approach.
One of the more common mis-uses: configuration data is best stored in a
configuration file. I've used this myself as it's relatively quick and
easy, and have often come to regret the results.
--
Pure Personal Opinion | HoffmanLabs LLC
Chris Townley
2021-01-08 23:07:28 UTC
Post by Stephen Hoffman
Post by Chris Townley
Just wondering - looking at job logicals, where the LNM table is
similar to LNM$JOB_81DC4940
I was wondering how to link a process to a particular table. Looking
at the reference above, here 81DC4940, I could not see the
connection until I looked at SDA, where this is shown as the JIB address.
I cannot find this in f$getjpi (so presumably not in LIB$GETJPI or even $GETJPI).
Any thoughts on how to find/link this, or even what it is?
Ignore my previous link.
It's the job information block JIB address, in hexadecimal.
AFAIK, there's no supported means to locate the name of a process'
LNM$JOB, but there are hack-ish means.
Best to use your own shared logical name table, if you need to share
some sort of data.
This gets discussed occasionally.
https://groups.google.com/g/comp.os.vms/c/JF9CD3GsrEU/m/8PTZKpYy3FoJ
https://groups.google.com/g/comp.os.vms/c/JvayAq2U3JU/m/C95h2FeWdPAJ
https://groups.google.com/g/comp.os.vms/c/al6XGcd1ZUk/m/LpvPbE2ddYUJ
https://groups.google.com/g/comp.os.vms/c/jl04QQb02IA/m/Qq4N2LPtTRYJ
etc.
I'm skeptical about using logical names for much of what they tend to
get (mis)used for—pretty much anything other than a device or file or
file path—but others are quite fond of this approach.
One of the more common mis-uses: configuration data is best stored in a
configuration file. I've used this myself as it's relatively quick and
easy, and have often come to regret the results.
It was more of a hypothetical, historical thing. I had thought of piping
the output from SDA, but I thought there might be an easier way. Not as
a means of sharing data, but identifying what a process was - too many
shared usernames!

One always learns a bit!

Thanks


Chris
Stephen Hoffman
2021-01-09 00:01:01 UTC
Post by Chris Townley
It was more of a hypothetical, historical thing. I had thought of
piping the output from SDA, but I thought there might be an easier
way. Not as a means of sharing data, but identifying what a process was
- too many shared usernames!
Shared usernames aren't a technical issue.

That's an accountability issue.

Who knows how far a shared password gets.

You can institute accountability on the staff yourself, or notify of
the risks involved and make management accountable and preferably that
in writing, or you can end up accountable if (when?) this all goes
sideways.

There are various means to establish dedicated logins, whether via
dedicated ssh sessions with passphrases and certificates, or SYSALF, or
user-issued logins, or other means of controlling access.

Details and options vary by requirements.

Configurations with shared credentials tend to end badly.
--
Pure Personal Opinion | HoffmanLabs LLC
Chris Townley
2021-01-09 00:11:22 UTC
Post by Stephen Hoffman
Post by Chris Townley
It was more of a hypothetical, historical thing. I had thought of
piping the output from SDA, but I thought there might be an easier
way. Not as a means of sharing data, but identifying what a process
was - too many shared usernames!
Shared usernames aren't a technical issue.
That's an accountability issue.
Who knows how far a shared password gets.
You can institute accountability on the staff yourself, or notify of the
risks involved and make management accountable and preferably that in
writing, or you can end up accountable if (when?) this all goes sideways.
There are various means to establish dedicated logins, whether via
dedicated ssh sessions with passphrases and certificates, or SYSALF, or
user-issued logins, or other means of controlling access.
Details and options vary by requirements.
Configurations with shared credentials tend to end badly.
All in the past, but we only allowed shared usernames in either totally
read only, or with updates authenticated and logged by other means. The
former had no password, and the second password was well known, but
without the secondary credentials was read only. Worked for years!

Sadly now all in the past

Chris
Stephen Hoffman
2021-01-09 00:54:45 UTC
Post by Chris Townley
All in the past,
Yet you're here, asking this, which implies this mess is seemingly
rather less in the past than might be preferred.
Post by Chris Townley
...but we only allowed shared usernames in either totally read only,
or with updates authenticated and logged by other means.
The former had no password, and the second password was well known, but
without the secondary credentials was read only. Worked for years!
Sadly now all in the past
Not the first time I've heard folks ask for logins to manage logins,
and not the first time—as has been done here—folks have implemented
per-user logins to manage shared logins.

Privileges to control privileges was another similarly classic request.
Fun fact: there's a means to grant a user SETPRV privilege, but where
that privilege is entirely unavailable for committing mayhem. But I
digress.

Generally, it's best to either fix the shared login problem with
per-user logins issued, or to do what management seemingly wants done
here and ignore it.

Which means you'll prolly end up adding your own login mechanism into
SYLOGIN or the user's LOGIN, and preferably with the shared user marked
as CAPTIVE or RESTRICTED or it'll get bypassed. Create your own login.

It's been interesting watching how fast some of these cases can get fixed
when management decides, too—more than a few of these cases go from
"impossible" or "never" or "infeasible" or "unaffordable" to "done",
once the issue is re-decided.

But in other cases, management was somewhere between oblivious or
overloaded or otherwise overwhelmed, and some management seemingly
enjoyed keeping IT staff in intractable and untenable situations.
Been there. Not Fun.
--
Pure Personal Opinion | HoffmanLabs LLC
Chris Townley
2021-01-09 01:15:50 UTC
Post by Stephen Hoffman
Post by Chris Townley
All in the past,
Yet you're here, asking this, which implies this mess is seemingly
rather less in the past than might be preferred.
Post by Chris Townley
...but we only allowed shared usernames in either totally read only,
or with updates authenticated and logged by other means.
The former had no password, and the second password was well known,
but without the secondary credentials was read only. Worked for years!
Sadly now all in the past
Not the first time I've heard folks ask for logins to manage logins, and
not the first time—as has been done here—folks have implemented
per-user logins to manage shared logins.
Privileges to control privileges was another similarly classic request.
Fun fact: there's a means to grant a user SETPRV privilege, but where
that privilege is entirely unavailable for committing mayhem. But I
digress.
Generally, it's best to either fix the shared login problem with
per-user logins issued, or to do what management seemingly wants done
here and ignore it.
Which means you'll prolly end up adding your own login mechanism into
SYLOGIN or the user's LOGIN, and preferably with the shared user marked
as CAPTIVE or RESTRICTED or it'll get bypassed. Create your own login.
It's been interesting watching how fast some of these cases can get fixed
when management decides, too—more than a few of these cases go from
"impossible" or "never" or "infeasible" or "unaffordable" to "done",
once the issue is re-decided.
But in other cases, management was somewhere between oblivious or
overloaded or otherwise overwhelmed, and some management seemingly
enjoyed keeping IT staff in intractable and untenable situations. Been
there. Not Fun.
Totally not relevant now. The system was decommissioned in 2013, and the
company went into administration last May, and is now moribund.

Actually the solution was forced onto me by management, and I didn't
disagree with the reasoning. We already had a pretty good secondary
login, by clock number for our RDT users on FLT, or later with HHTs. I
simply extended this onto the captive generic accounts so that any
access for more than read only required secondary authorisation (note no
Z over here!)

It worked well, and avoided the productivity loss of multiple warehouse
users logging in and out just to enter one document or whatever.

I would probably not do it again, but back in the early noughties many
non technical users struggled to get a password in within the timeout.

My only reason for asking was out of interest, as many years ago I could
have used it. I did reset the process name to include the clock number,
but that didn't always work.

Chris
Chris Townley
2021-01-09 01:19:31 UTC
Post by Chris Townley
Post by Stephen Hoffman
Post by Chris Townley
All in the past,
Yet you're here, asking this, which implies this mess is seemingly
rather less in the past than might be preferred.
Post by Chris Townley
...but we only allowed shared usernames in either totally read only,
or with updates authenticated and logged by other means.
The former had no password, and the second password was well known,
but without the secondary credentials was read only. Worked for years!
Sadly now all in the past
Not the first time I've heard folks ask for logins to manage logins,
and not the first time—as has been done here—folks have implemented
per-user logins to manage shared logins.
Privileges to control privileges was another similarly classic
request. Fun fact: there's a means to grant a user SETPRV privilege,
but where that privilege is entirely unavailable for committing
mayhem. But I digress.
Generally, it's best to either fix the shared login problem
with per-user logins issued, or to do what management seemingly wants
done here and ignore it.
Which means you'll prolly end up adding your own login mechanism into
SYLOGIN or the user's LOGIN, and preferably with the shared user
marked as CAPTIVE or RESTRICTED or it'll get bypassed. Create your own
login.
It's been interesting watching how fast some of these cases can get fixed
when management decides, too—more than a few of these cases go from
"impossible" or "never" or "infeasible" or "unaffordable" to "done",
once the issue is re-decided.
But in other cases, management was somewhere between oblivious or
overloaded or otherwise overwhelmed, and some management seemingly
enjoyed keeping IT staff in intractable and untenable situations.
Been there. Not Fun.
Totally not relevant now. The system was decommissioned in 2013, and the
company went into administration last May, and is now moribund.
Actually the solution was forced onto me by management, and I didn't
disagree with the reasoning. We already had a pretty good secondary
login, by clock number for our RDT users on FLT, or later with HHTs. I
simply extended this onto the captive generic accounts so that any
access for more than read only required secondary authorisation (note no
Z over here!)
It worked well, and avoided the productivity loss of multiple warehouse
users logging in and out just to enter one document or whatever.
I would probably not do it again, but back in the early noughties many
non technical users struggled to get a password in within the timeout.
My only reason for asking was out of interest, as many years ago I could
have used it. I did reset the process name to include the clock number,
but that didn't always work.
Chris
And as for privilege, although all users were captive, I reduced privs
significantly. I inherited, and improved a mechanism to use an installed
image to run any of the few command/programs that required elevated
priv. I was the only user that had SETPRV.

Chris
geze...@rlgsc.com
2021-01-09 01:19:39 UTC
Post by Chris Townley
Just wondering - looking at job logicals, where the LNM table is similar
to LNM$JOB_81DC4940
I was wondering how to link a process to a particular table. Looking at
the reference above, here 81DC4940, I could not see the connection
until I looked at SDA, where this is shown as the JIB address.
I cannot find this in f$getjpi (so presumably not in LIB$GETJPI or even
$GETJPI).
Any thoughts on how to find/link this, or even what it is?
Chris
Chris,

One can find the actual translation of LNM$JOB in logical name table LNM$PROCESS_DIRECTORY.

Insofar as it is desirable to create a group LOGIN.COM, I covered the technique in "Group-wide LOGIN Profiles Lower Risk, Decrease Cost" at
http://www.rlgsc.com/blog/openvms-consultant/group-wide-login.html

It is a useful technique. I did several articles on specialty login techniques, see The OpenVMS Consultant home page on my site.

- Bob Gezelter, http://www.rlgsc.com
Chris Townley
2021-01-09 01:26:39 UTC
Post by ***@rlgsc.com
Post by Chris Townley
Just wondering - looking at job logicals, where the LNM table is similar
to LNM$JOB_81DC4940
I was wondering how to link a process to a particular table. Looking at
the reference above, here 81DC4940, I could not see the connection
until I looked at SDA, where this is shown as the JIB address.
I cannot find this in f$getjpi (so presumably not in LIB$GETJPI or even
$GETJPI).
Any thoughts on how to find/link this, or even what it is?
Chris
Chris,
One can find the actual translation of LNM$JOB in logical name table LNM$PROCESS_DIRECTORY.
Insofar as it is desirable to create a group LOGIN.COM, I covered the technique in "Group-wide LOGIN Profiles Lower Risk, Decrease Cost" at
http://www.rlgsc.com/blog/openvms-consultant/group-wide-login.html
It is a useful technique. I did several articles on specialty login techniques, see The OpenVMS Consultant home page on my site.
- Bob Gezelter, http://www.rlgsc.com
Thanks, but not really what I was after - I was looking at how to access
the job logicals of a particular process.

If I needed to do this, I now would either get the login to write to a
sort of lock file its job table name, or use the SDA to access the JIB,
not that Hoff would approve I daresay ;)

Chris