Ricc,

Yes, APF authorization still allows the keys to the kingdom. That is why installations are expected to severely limit update access to APF-authorized load libraries, the SETPROG MVS command, all datasets in the PARMLIB concatenation and all libraries defined as system-level PROCLIBs. If a general user has write authority to an APF-authorized dataset, your system, by definition, is insecure. That is why IBM and ISVs provide integrity statements and take seriously all reports of integrity holes. This is also why IBM refuses to provide any sort of details on integrity APARs, so that shops without the appropriate PTFs applied are less likely to be compromised.
===============================================
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===============================================

From: Ricc Harding <ricc.hard...@gmail.com>
To: IBM-MAIN@bama.ua.edu
Date: 10/14/2010 12:10 PM
Subject: Re: Mainframe hacking?
Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>

Yes Ed, these sites all had RACF installed and yes, it still required the VTOC "data set is RACF protected" bit to be flipped for the data set protection call to even be made. The needed resource manager calls became more apparent as the resources which were being protected grew. The ACF2 "protectall" vs. RACF "protectnone" philosophy soon became the guiding light to making RACF actually usable as a security system by also implementing "protectall".

However, APF authorization still allows the keys to the kingdom with no trace for the clever programmer. And vendor PC calls are now the new point of entry for system penetration attempts, since they have all but replaced most of the user-written SVCs. The landscape changes but the dirt is still the same. The new hacker's lament might be "so many entry points to choose from and so little time to play".

Vigilance and automation in security checking are the keys to catching the silly things, but the "clever programmer" still must have the integrity and character to NOT do what they have both the ability and opportunity to do.
Quis custodiet ipsos custodes

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
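The "automation in security checking" Ricc mentions and the "no general user with write authority to an APF library" rule Wayne states can be turned into a simple audit. The script below is an added example, not code from either poster or from IBM: it parses a constructed PROGxx-style APF member, resolves each APF library against a constructed set of RACF-style DATASET profiles, and flags libraries that are uncovered (the "protectnone" gap), have UACC of UPDATE or higher, or grant UPDATE+ to a group outside an assumed trusted set. The generic-profile matching and the "most specific profile wins" rule are simplified approximations of RACF behaviour, and the dataset names, profiles and the SYSPROG trusted group are all assumptions made for the example. It does not cover the SETPROG command or PARMLIB/PROCLIB protection, which need the same treatment.

```python
"""
Audit an APF list against RACF DATASET profiles (added example, not from
the IBM-MAIN thread). All input data below is constructed for illustration.
"""
import fnmatch
import re

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2,
               "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed PROGxx member: APF ADD statements as they appear in PARMLIB.
PROGXX = """\
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB)      VOLUME(SYSRES)
APF ADD DSNAME(SYS1.SVCLIB)       SMS
APF ADD DSNAME(ISV.PROD.LOADLIB)  VOLUME(ISV001)
APF ADD DSNAME(USER.TEST.LOADLIB) VOLUME(WORK01)
APF ADD DSNAME(DEV.SCRATCH.LOAD)  VOLUME(WORK02)
"""

# Constructed RACF DATASET profiles: (profile, UACC, {group: access}).
PROFILES = [
    ("SYS1.**",      "READ",   {"SYSPROG": "UPDATE"}),
    ("ISV.PROD.*",   "READ",   {"SYSPROG": "ALTER", "ISVGRP": "UPDATE"}),
    ("USER.TEST.**", "UPDATE", {"SYSPROG": "ALTER"}),
    # DEV.SCRATCH.LOAD is deliberately covered by no profile.
]

# Groups allowed to update APF libraries (assumption for this example).
TRUSTED_GROUPS = {"SYSPROG"}


def parse_apf_member(text):
    """Return dataset names from 'APF ADD DSNAME(...)' statements."""
    return re.findall(r"^\s*APF\s+ADD\s+DSNAME\((\S+?)\)", text, re.M)


def _qual_match(pattern, qualifier):
    # Within one qualifier: '*' matches any run of characters, '%' one character.
    return fnmatch.fnmatchcase(qualifier, pattern.replace("%", "?"))


def _match(pq, dq):
    # Simplified RACF generic matching over qualifier lists:
    # '**' matches zero or more whole qualifiers, '*' exactly one.
    if not pq:
        return not dq
    head, rest = pq[0], pq[1:]
    if head == "**":
        return any(_match(rest, dq[i:]) for i in range(len(dq) + 1))
    if not dq:
        return False
    return _qual_match(head, dq[0]) and _match(rest, dq[1:])


def profile_matches(profile, dsn):
    return _match(profile.split("."), dsn.split("."))


def best_profile(dsn, profiles=PROFILES):
    """Pick the covering profile; fewest generic characters approximates
    RACF's 'most specific profile' rule (assumption)."""
    matches = [p for p in profiles if profile_matches(p[0], dsn)]
    if not matches:
        return None
    return min(matches, key=lambda p: (p[0].count("*") + p[0].count("%"),
                                       -len(p[0])))


def audit(apf_text=PROGXX, profiles=PROFILES, trusted=TRUSTED_GROUPS):
    """Return (dataset, kind, detail) findings for every APF library that a
    non-trusted user could update, or that no profile protects at all."""
    findings = []
    for dsn in parse_apf_member(apf_text):
        prof = best_profile(dsn, profiles)
        if prof is None:
            findings.append((dsn, "UNPROTECTED",
                             "no DATASET profile covers this APF library"))
            continue
        name, uacc, acl = prof
        if ACCESS_RANK[uacc] >= ACCESS_RANK["UPDATE"]:
            findings.append((dsn, "UACC", f"{name} UACC({uacc})"))
        for who, acc in acl.items():
            if ACCESS_RANK[acc] >= ACCESS_RANK["UPDATE"] and who not in trusted:
                findings.append((dsn, "ACL", f"{name} grants {who} {acc}"))
    return findings


if __name__ == "__main__":
    for dsn, kind, detail in audit():
        print(f"{kind:12} {dsn:22} {detail}")
```

On a real system the inputs would come from the PROGxx members actually in the PARMLIB concatenation (or the output of D PROG,APF for the dynamic list) and from LISTDSD or an unloaded RACF database; the point of the check is that any APF library whose best-matching profile lets a non-system-programmer group write to it is exactly the "general user with write authority" case the thread calls insecure by definition.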