Just to expand on Walt's statement "There are only a handful of ways of getting a program to start running authorized, even if the module comes from an APF-authorized library" append "that don't violate system integrity." Sure, there are numerous ways to make this work, but most of them have the side-effect that they leave the system in a compromised state. In a small development system this loss of integrity may be acceptable, but for production, or even larger development or test systems, this would not be.
Wayne Driscoll
Product Developer
NOTE: All opinions are strictly my own.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Tuesday, April 15, 2008 9:03 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil <[EMAIL PROTECTED]> wrote:

>Walt Farrell wrote:
>> That would allow an authorized program to load a module from an otherwise
>> unauthorized STEPLIB. It won't let you actually start running something as
>> APF authorized, though. Getting something to start running authorized
>> requires use of a function like IKJEFTSR, or TESTAUTH.
>
>While I haven't tried this under z/OS, I can assure you that it
>works quite well under all earlier systems I used it on, from
>MVS to OS/390.

Then there's something else you're doing to get the programs running that
you're not telling us about, Gerhard. Simply creating an authorized STEPLIB
won't do it. There are only a handful of ways of getting a program to start
running authorized, even if the module comes from an APF-authorized library.
And using "address linkpgm" in REXX won't do it.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design