If I use an SVC, is this true? If the SVC does something or returns some information that needs to be protected, then I need to use RACF to decide who can call it or who cannot? And everyone said not to use a magic SVC, and I get that. But if that SVC is also protected by RACF, is it at all a viable solution?
Lindy

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Rob Scott
Sent: Tuesday, April 15, 2008 7:29 PM
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

> Call an SVC that flips the JSCBAUTH bit back on. This is non-standard. If
> it is to be implemented even on a development system then added security
> needs to be built in to make sure it isn't misused.

Do NOT go there. It will bite you in the a** - maybe not today - but someday.

Your real options depend on whether you have a server address space or not:

(a) You have a server address space
    Use PC-ss to execute auth function or to request server collect data on your behalf.

(b) You do not have a server address space
    Use IKJEFTSR (daylight)
    Use SVC

Rob Scott
Rocket Software, Inc
275 Grove Street
Newton, MA 02466
617-614-2305
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lindy Mayfield
Sent: 15 April 2008 17:19
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

For completeness, since I started this whole, ah, thing, I'm curious what they are. Here are the techniques I've learned so far, including the one that violates system integrity:

__ The standard acceptable method is to call TSO/E Service Facility, IKJEFTSR and pass it the name of an authorized module.

__ Call an SVC that flips the JSCBAUTH bit back on. This is non-standard. If it is to be implemented even on a development system then added security needs to be built in to make sure it isn't misused.

__ Simply put all the authorized stuff into an SVC or PC routine.

That's all I've collected so far. Are there more ways?

Lindy

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Wayne Driscoll
Sent: 15 April 2008 17:49
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

Just to expand on Walt's statement "There are only a handful of ways of getting a program to start running authorized, even if the module comes from an APF-authorized library" append "that don't violate system integrity." Sure, there are numerous ways to make this work, but most of them have the side-effect that they leave the system in a compromised state. In a small development system this loss of integrity may be acceptable, but for production, or even larger development or test systems, this would not be.

Wayne Driscoll
Product Developer
NOTE: All opinions are strictly my own.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

