Yes Ed, these sites all had RACF installed and yes, it still required the VTOC "data set is RACF protected bit" to be flipped for the data set protection call to even be made. The needed resource manager calls became more apparent as the resources which were being protected grew. The ACF2 "protectall" vs RACF "protectnone" philosophy soon became the guiding light to making RACF actually usable as a security system by also implementing "protectall".
However APF authorization still allows the keys to the kingdom with no trace for the clever programmer. And vendor PC calls are now the new point of entry for system penetration attempts since they have all but replaced most of the user written SVC's. The landscape changes but the dirt is still the same. The new hacker's lament might be "so many entry points to choose from and so little time to play". Vigilance and automation in security checking are the keys to catching the silly things but the "clever programmer" still must have the integrity and character to NOT do what they have both the ability and opportunity to do.

Quis custodiet ipsos custodes

