On Sat, 13 Jun 2020 23:32:02 -0400, Bob Bridges wrote:
>
>o Well, maybe not on the first one:  What's "TOCTTOU"?
> 
GIYF.  It's my habit to verify initialisms before I use them.

>o Access rules are indeed complicated to simulate.  
>     ...
>o Of course the rules are subject to change.  I can't see that that makes any
>  difference, makes it any less handy to know what the rules are.  If he takes
>  your advice (just try the access and report the failure), the rule may ~still~
>  change; so what?
> 
I'm thinking not of merely rule changes, but major structural
changes.  Do David's suggested Assembler and Rexx programs,
LISTDSD, and CBT file 106 work alike for Classic data sets and
for //SYSUT1 DD PATH=...?  Did they work immediately when OMVS
was introduced?  (I've read that one of the ISV security products
rapidly accommodated OMVS paths, but with the restriction that
pathnames were limited to 44 characters(?!) and treated as case-
insensitive.)

>o I've never had occasion to try it in TSS or ACF2 - being a security jock, I
>  always ~have~ the elevated privileges, so I'm generally unaware of how they 
>  behave for hoi polloi - but I know that it's possible even for regular folks
>  to use the RACF commands to determine whether they have read access to a
>  dataset.  I don't know about update. 
> 
A security jock should treat an access query with a negative reply as a
violation as serious as attempting the access and failing.  In particular,
a programmer scanning the catalog and querying access to every data
set should be deemed a (fe)malefactor.

There might be reason to protect querying access more strictly than
actually attempting the access.

-- gil
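The detection rule gil proposes above (a negative answer to an access query is as serious as a failed access attempt, and a principal whose denials span many distinct data sets is scanning the catalog) can be expressed in a few lines. The following is an added example, not code from the thread or from any IBM product: it runs over constructed audit records in a made-up four-field format (real RACF/SMF records look nothing like this), and the `QUERY`/`ACCESS` event names, the `threshold` of three distinct resources, and all user and data set names are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit records (invented for this example; not SMF/RACF output).
# Each line: <user> <event> <resource> <result>
#   event  = QUERY  (an access check, e.g. asking the security manager "may I?")
#          | ACCESS (an actual attempt to open the data set)
#   result = ALLOWED | DENIED
# ALICE fails repeatedly on ONE data set; CAROL is told "no" for five DIFFERENT
# data sets without ever opening any of them, i.e. she is scanning the catalog.
SAMPLE_RECORDS = """\
ALICE ACCESS PROD.PAYROLL.MASTER DENIED
ALICE ACCESS PROD.PAYROLL.MASTER DENIED
BOB QUERY SYS1.PARMLIB ALLOWED
BOB QUERY SYS1.PARMLIB DENIED
CAROL QUERY PROD.PAYROLL.MASTER DENIED
CAROL QUERY PROD.HR.SALARY DENIED
CAROL QUERY PROD.ACCT.LEDGER DENIED
CAROL QUERY SYS1.RACF.BACKUP DENIED
CAROL QUERY PROD.AUDIT.LOG DENIED
DAVE ACCESS PROD.AUDIT.LOG DENIED
"""


@dataclass(frozen=True)
class Record:
    user: str
    event: str
    resource: str
    result: str


def parse_records(text):
    """Parse the constructed four-field format, rejecting malformed lines loudly
    rather than silently skipping them (a dropped record is a detection gap)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        user, event, resource, result = parts
        if event not in ("QUERY", "ACCESS"):
            raise ValueError(f"line {lineno}: unknown event {event!r}")
        if result not in ("ALLOWED", "DENIED"):
            raise ValueError(f"line {lineno}: unknown result {result!r}")
        records.append(Record(user, event, resource, result))
    return records


def denied_resources_by_user(records):
    """Map each user to the set of distinct resources on which any check was
    denied. A QUERY answered 'no' is counted exactly like a failed ACCESS, which
    is the point of the rule: asking and being refused is itself the signal."""
    denied = defaultdict(set)
    for rec in records:
        if rec.result == "DENIED":
            denied[rec.user].add(rec.resource)
    return dict(denied)


def flag_scanners(records, threshold=3):
    """Return (sorted) users whose denials cover at least `threshold` distinct
    resources. Counting distinct resources, not raw denials, separates a user
    who keeps retrying one data set from one sweeping across many."""
    denied = denied_resources_by_user(records)
    return sorted(user for user, resources in denied.items()
                  if len(resources) >= threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for user, resources in sorted(denied_resources_by_user(recs).items()):
        print(f"{user:6} denied on {len(resources)} distinct resource(s)")
    print("flagged:", flag_scanners(recs))
```

The threshold and the window over which records are aggregated are policy choices; the structural point is that the counter keys on the principal and the number of distinct resources refused, and that it treats a refused query and a refused open identically.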

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
