On Wed, 7 Apr 2010 18:36:15 -0400, Don Williams <donb...@gmail.com> wrote:
>APF authorization or superuser authority are the keys to the kingdom. Any program
>granted those privileges must be very carefully designed, written, and
>tested, and tested, and .... with paranoia. If there were granular types of
>authorization, it seems that you should be able to grant a program only the
>authority it needs to get its job done. Of course, it could be too granular, so
>that you're spending all your time trying to figure out what needs to be
>granted. However, somewhere between those two extremes there is bound to be
>a good compromise. Pinch me, I must be dreaming.

It seems to be true that there are selected functions (or sub-functions) that it would be safe to allow in some way other than by granting full APF authorization. However, in the research we did it was not clear how to grant them to programs, rather than to the users running those programs. Nor was it clear:

(a) how to do so in a way that did not impose undue administrative burdens;
(b) how to allow vendors to describe to system administrators which granular authorities their programs would need;
(c) how to allow the administrators to discover which granular authorities any particular program might need.

Additionally, it is not clear whether the set of functions/sub-functions for which we could allow granular authorization is large enough to actually allow removal of AC(1) from a significant number of programs.

The real issue, I believe, is that there is a (so far) relatively small set of functions amenable to granular authorization and a much larger set of functions for which usage, even if authorized in a granular manner, could allow privilege escalation and eventual acquisition of full authorization.

So at the moment and for the foreseeable future it must remain only a nice dream, I'm afraid.
--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html