On Jun 20, 2005, at 5:55 AM, Gil Peleg wrote:

Ed,
What I meant was that in many shops there are a lot of users who have
implicit access to APF-authorized data sets. And if they wished to
compromise the system they would be able to do so, even though they were
never explicitly authorized to run their own written APF-authorized
programs. There are many potential ways to do this, if the shop is not
properly secured. I could give some common examples from my experience,
but I believe you understand what I mean. A lot of the time the users
are not aware of what they are actually capable of (some shops even rely
on that fact). I did not intend in any way to imply that it is common or
that even I have ever seen it happen that someone was able to become APF
authorized because of a flaw in the MVS mechanisms. Unlike some other
operating systems where it is common, and I have seen it happen :)
 Gil.
-------------SNIP--------------------

Gil,

While some of this is true, there are others that really restrict access to APF libraries. I can't speak for all but I think it's a mixed bag. I think the "key" issue is write access, which I would suspect is a small(er) number of installations.

Read is probably most installations. Usually the most abused is products. They do not really split out APF and APF programs so the entire library must be let out in the wild.

There are all sorts of vendors (I think CA is one of them but there are lots of others) that don't make any differentiation as to usage. The vendors (and auditors) need to clean their acts up a LOT in this area.

Ed

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
