On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil <[EMAIL PROTECTED]> wrote:
>Walt Farrell wrote: >> That would allow an authorized program to load a module from an otherwise >> unauthorized STEPLIB. It won't let you actually start running something as >> APF authorized, though. Getting something to start running authorized >> requires use of a function like IKJEFTSR, or TESTAUTH. > >While I haven't tried this under z/OS, I can assure you that it >works quite well under all earlier systems I used it on, from >MVS to OS/390. Then there's something else you're doing to get the programs running that you're not telling us about, Gerhard. Simply creating an authorized STEPLIB won't do it. There are only a handful of ways of getting a program to start running authorized, even if the module comes from an APF-authorized library. And using "address linkpgm" in REXX won't do it. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html