A few points:

1. As Peter Relson has noted, the shared storage should not be in CSA/ECSA.
2. If, e.g., an ISV does it on their own, the code is likely to be tied to their own needs.
3. The best option if there is a business is for IBM to do it.
4. If an RFE would take too long, then the best option is an open source project.
5. Is corporate sponsorship for such a project likely?

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Assembler List [ASSEMBLER-LIST@LISTSERV.UGA.EDU] on behalf of Farley, Peter x23353 [00000dc9d8785c29-dmarc-requ...@listserv.uga.edu]
Sent: Tuesday, December 7, 2021 3:00 PM
To: ASSEMBLER-LIST@LISTSERV.UGA.EDU
Subject: Re: Is it possible to update CSA from an unauthorized user-key program?

Charles,

That is exactly the sort of thing I was imagining/hoping for. And putting it on CBT for all to use would be a great solution. But not just "a nice macro to front-end the PC" -- an LE-enabled prewritten subroutine which uses the "nice macro" that any HLL can call without substantial effort, or any shop can update to meet its particular needs.

My rant was based in part on the lack of any substantial practical example of STC + PC interface code from any available source. Similarly for a PC that schedules an SRB in a client address space and other complex solutions to application needs. Many knowledgeable posters here and on IBM-MAIN have talked about the details of doing such things but no one has ever provided a complete example that works out of the box (after appropriate SAF authorizations are done of course).

Coding such beasts with really good RAS and security is not for the faint-hearted; I do realize that it is a substantial and non-trivial effort. But the benefit would be wide and long-lasting.

Why not instead of just CBT (or in addition to) a git / github open-source community effort, perhaps using the auspices of the open mainframe project? Share the effort, share the results.

Peter

-----Original Message-----
From: IBM Mainframe Assembler List <ASSEMBLER-LIST@LISTSERV.UGA.EDU> On Behalf Of Charles Mills
Sent: Tuesday, December 7, 2021 2:32 PM
To: ASSEMBLER-LIST@LISTSERV.UGA.EDU
Subject: Re: Is it possible to update CSA from an unauthorized user-key program?

I have been composing a post on this topic.

It would seem to be a reasonable ISV (or CBT, from some kind-hearted soul) task to provide an STC that would allocate a chunk of memory -- no need for it to actually be CSA; could be private to the STC -- and allow PC-based access to it (with a nice macro to front-end the PC) and validation based on a RACF class. READ access would let you read some named subset of the storage; ALTER access would let you allocate and write it (or some such scheme -- this is based on 5 minutes of design work).

Would performance be a problem with the RACF calls? Possibly -- an application would want to "cache" and "bunch up" its accesses.

One advantage of a CBT solution is that it would be "open source" and anyone could verify the security of its approach.

Of course, even better, IBM could write this into the OS. <g>

Charles

-----Original Message-----
From: IBM Mainframe Assembler List [mailto:ASSEMBLER-LIST@LISTSERV.UGA.EDU] On Behalf Of Gary Weinhold
Sent: Tuesday, December 7, 2021 9:58 AM
To: ASSEMBLER-LIST@LISTSERV.UGA.EDU
Subject: Re: Is it possible to update CSA from an unauthorized user-key program?

That's a legitimate complaint. We are an ISV and actually have a product that would meet his requirements; the problem is that it does quite a bit more, so it's probably not cost-effective for the OP's purposes. And considering the cost in time, money, software and hardware of meeting the security requirements of some commercial mainframe environments, I suspect most ISVs would not see a sufficient market to provide a narrower solution at an acceptable cost to potential customers.

On 2021-12-07 12:20 a.m., Farley, Peter x23353 wrote:
> </rant>
> I don't know about anyone else, but I am really getting tired of these
> continuous calls from supposedly knowledgeable people to "invent your own PC
> or SVC to protect your global shared storage application solution and don’t
> trust anyone or anything and if you do this your integrity is your own
> problem not ours".
>
> Why hasn't IBM or even some clever ISV supplied a pre-packaged,
> integral-part-of-the-operating-system solution to safely share and update
> global storage any way an application designer can imagine and easily usable
> from normal HLL application programs? Protected by standardized SAF security
> calls and all that is needed for real integrity. Why do we have to "roll our
> own" and "own the loss of integrity if you screw it up"? Why can't those who
> know more than we do provide the solution?