Thanks for confirming that we have to look at all programs in APF libraries, not just the AC=1 ones.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Wayne Driscoll
Sent: Thursday, July 30, 2009 10:28 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Of link lists and application programs

That is correct. A job step task is authorized (via the JSCBAUTH bit being set in the JSCB) during initiation by the operating system if (and only if) the following occur:

1 - All libraries in the TASKLIB or STEPLIB/JOBLIB concatenation are APF authorized.
2 - The program that is being initiated was link edited with AC=1.

Once the job step task is authorized, it will remain authorized unless it makes itself unauthorized. Because of this, ALL programs loaded by this job step task MUST come from an APF authorized library, regardless of the AC value when they are linked. However, any attempt to load a program from an unauthorized library will fail with system abend 306.

The only time that I am certain that the system looks at the AC value from the linkage editor (binder) is when initiating a Job Step TCB. All other usages of ATTACH and all usages of LINK, LOAD and XCTL don't look, don't care. However, I will STRONGLY advise that ONLY programs designed to be run as job step tasks (i.e. main programs) should be linked with AC=1, because if a module that is designed to run as a subprogram gets linked with AC=1, it could be possible that running this program as a job step task could compromise system integrity.

===============================================
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===============================================

Chris Nelson <chris.nelson.b...@statefarm.com>
Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
07/30/2009 09:45 AM
Please respond to IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
To IBM-MAIN@bama.ua.edu
cc
Subject Re: Of link lists and application programs

From what I have read in documentation, it seems to me that even a module linked AC=0 is still authorized if LINK/XCTLed from an authorized library by a program that is AC=1 (or greater). So any program in a library that is APF authorized can potentially be running authorized, not just the modules with AC=1 (or greater).

Did I read or understand that documentation wrong?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Frank Swarbrick
Sent: Wednesday, July 29, 2009 6:25 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Of link lists and application programs

If necessary, is there a way to inhibit unauthorized individuals from linking with AC=1, even when linking in to an authorized library?

--
Frank Swarbrick
Applications Architect - Mainframe Applications Development
FirstBank Data Corporation
Lakewood, CO USA
P: 303-235-1403
F: 303-235-2075

On 7/29/2009 at 4:34 PM, in message <166284787-1248906882-cardhu_decombobulator_blackberry.rim.net-198947840 6...@bxe12 7.bisx.prod.on.blackberry>, Ted MacNEIL <eamacn...@yahoo.ca> wrote:
>> It sounds like we need to use LNKAUTH=APFTAB instead of the default of
>> LNKAUTH=LNKLST so that our APPL libraries will not be APF authorized
>> when accessed via the LNKLST concatenation (or via a STEPLIB/JOBLIB
>> for that matter). We certainly would not want this.
>
> There are two criteria for a programme to be APF'd.
> 1. The library
> 2. Link with AC=1
>
> -
> Too busy driving to stop for gas!
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
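
The rules stated in this thread (the two initiation conditions, LINK/LOAD/XCTL ignoring AC, and the review scope from the top message) can be modeled as follows. This is an added example, not code from any poster and not z/OS code; the library names, module names and the `main` inventory flag are constructed assumptions.

```python
# Added illustration: a simplified model of the rules stated in the thread,
# not z/OS code. Library and module names are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    library: str
    ac: int      # AC value set when the module was link edited
    main: bool   # hypothetical inventory flag: designed to run as a job step program

APF = {"EXAMPLE.APF.LOAD"}  # constructed APF list
MODULES = [
    Module("MAINPGM", "EXAMPLE.APF.LOAD", 1, True),
    Module("SUBPGM", "EXAMPLE.APF.LOAD", 0, False),
    Module("UTILSUB", "EXAMPLE.APF.LOAD", 1, False),
    Module("APPLPGM", "EXAMPLE.APPL.LOAD", 0, True),
]
BY_NAME = {m.name: m for m in MODULES}

def step_authorized(program, concatenation, apf=APF):
    """Initiation: every library in the concatenation is APF authorized
    and the job step program was link edited with AC=1."""
    return all(lib in apf for lib in concatenation) and program.ac == 1

def load(module, task_authorized, apf=APF):
    """LINK/LOAD/XCTL do not look at AC; an authorized task may only
    load from an APF authorized library (otherwise abend 306)."""
    if not task_authorized:
        return "runs unauthorized"
    return "runs authorized" if module.library in apf else "abend 306"

def audit(modules, apf=APF):
    """Review scope is every module in an APF library, whatever its AC;
    AC=1 on a module not designed as a main program is flagged."""
    scope = sorted(m.name for m in modules if m.library in apf)
    flagged = sorted(m.name for m in modules
                     if m.library in apf and m.ac == 1 and not m.main)
    return scope, flagged

if __name__ == "__main__":
    auth = step_authorized(BY_NAME["MAINPGM"], ["EXAMPLE.APF.LOAD"])
    print("MAINPGM step authorized:", auth)
    for name in ("SUBPGM", "APPLPGM"):
        print(name, "->", load(BY_NAME[name], auth))
    print("review scope, flagged:", audit(MODULES))
```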