John Chase wrote:
> The original question just got posed on the CICS-L, with some additional
> information that suggested the original way of extracting the
> information was to issue an SVC that switched CICS to authorized state,
> issued the RACROUTE and (hopefully) returned CICS to unauthorized state.
> Apparently something "new" in CICS TS 3.1 "catches" that switch
> (sometimes) and abends the program.
>
> I've suggested there that they recode their SVC to issue the RACROUTE
> from within the SVC and return the results to the program via the
> "normal" return from the SVC.

Their existing approach is a definite integrity hole! No ifs, buts or maybes. The only correct way to perform a function such as this on behalf of an unauthorized caller is to encapsulate that function within an appropriately authorized environment and the only reasonable choices are PC and SVC.

But while I'm on that soap box, obtaining some other user's credentials is an authorized function because only a properly authorized resource manager has any right to access them. John Q. certainly does not and providing a wrapper for a function that will do so is just as much a security violation as writing the password on a sticky note next to the terminal.

People have to remember that any code they write and install in the system can also be called (often creatively) by "black hats". Just because you wrote it for CICS doesn't mean some ingenious twerp can't fool it into doing something "bad" from some other more user-friendly environment like TSO.

(Blech... did I just use "user friendly" and TSO in the same sentence? Must be getting old)

CC

