On Sat, 13 Jun 2020 23:32:02 -0400, Bob Bridges <robhbrid...@gmail.com> wrote:
> Gil, you mustn't think I plan to make it a habit but I think I'm going to
> disagree with you on every point, here:
>
> o Well, maybe not on the first one: What's "TOCTTOU"?

Time Of Check To Time Of Use. As you're making the check, a security administrator might be changing the rules. Your program might end up getting a false positive or false negative.

> o Access rules are indeed complicated to simulate. But why simulate them? Just
> ask RACROUTE and get an answer. Mind you a) I'm a security geek, so maybe the
> rules seem less complicated to me. And b) I've never used RACROUTE directly;
> as a security geek I talk to RACF/ACF2/TSS through their TSO-level commands,
> so maybe RACROUTE is more difficult.

The rules for properly issuing RACROUTE REQUEST=AUTH are what is complicated. Ignoring resources other than MVS data sets, you need to process differently for non-VSAM vs VSAM. For either, you need to first check whether the data set is indicated as possibly having a discrete profile. For non-VSAM, that means reading the DSCB from the VTOC. For VSAM, it means reading the (if I remember correctly) Sphere record from the proper catalog (which you also have to figure out) to determine the cluster name. Then you need to read the RACF indicator from the catalog entry for the cluster name (not the component name you may be opening). Then, for VSAM, you need to specify the cluster name (not the component name that may appear in the JCL).

Failure to do any of those properly will give you a potentially wrong answer, or an answer that is right in many cases but wrong in edge cases.

Then, there is the difficulty that if your program is not the one that will actually do the OPEN, you may simply get the wrong answer because RACF allows access rules like "user X can use data set Y but only when running program Z". If you are not part of program Z, the answer you get from the RACROUTE will differ from the answer that Z would get if it actually performed the OPEN.

So, you might get the wrong answer, and again it might be a false positive or a false negative.

Also, if your program is not running authorized, or (more precisely) does not actually require authorization, there are ways a clever user can bypass the check you're doing if your program is running in an environment they can control, such as TSO or batch or a UNIX shell.

There are additional considerations if you are asking about the authority of a user other than the one you're running under.

It is much simpler, and safer, and in general more robust, to simply issue the OPEN in the proper program environment and let the system say Yes or No.

-- 
Walt (former member of the RACF Design/Development team)
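The TOCTTOU point Walt makes, and his advice to "simply issue the OPEN and let the system say Yes or No", is the same check-then-use problem found on any system with an access-control layer. The following is an added example, not code from this thread or from IBM: RACROUTE and RACF are not available off a z/OS host, so the principle is shown with the POSIX analogue, `access()` followed by `open()` versus an `open()` whose refusal (`EACCES`, `ENOENT`, ...) is the answer. The third function shows the companion rule of checking properties on the descriptor already held rather than on the path. File names under `/tmp` are constructed scratch values; the "program Z" conditional-access case has no POSIX counterpart here and is not modelled.

```c
/* Added example: check-then-use vs. "just try the open" in POSIX C.
 * Not code from the IBM-MAIN thread; the TOCTTOU principle discussed there
 * is shown with access()/open(). Scratch paths below are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the thread warns against: decide on a check made at time T1, act at
 * time T2. Between the two, permissions can change or the path can be pointed
 * at a different object, so the check may be a false positive or false negative. */
int check_then_open(const char *path)
{
    if (access(path, R_OK) != 0)     /* check: answers for the path *now* ... */
        return -1;
    /* ... window: a rule change or a replaced path is not seen by the check */
    return open(path, O_RDONLY);      /* use: the kernel decides again, independently */
}

/* Pattern the thread recommends: ask for exactly the access you need and let
 * the system answer once, atomically, in the context of the real caller. */
int open_directly(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);  /* -1 with errno EACCES/ENOENT/... on refusal */
}

/* When more conditions must hold (e.g. "must be a regular file"), check the
 * descriptor already held, not the path, so the checked object is the used object. */
int open_regular_file(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        errno = S_ISDIR(st.st_mode) ? EISDIR : EINVAL;
        return -1;
    }
    return fd;
}

/* Demo: create a throw-away readable file (constructed input), open it all three
 * ways, remove it. Returns 0 on success or the number of the failing step. */
int demo_on_temp_file(void)
{
    char path[] = "/tmp/toctou_demo_XXXXXX";   /* hypothetical scratch name */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);
    int rc = 0;
    int a = check_then_open(path);
    int b = open_directly(path);
    int c = open_regular_file(path);
    if (a < 0 || b < 0 || c < 0)
        rc = 2;
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    if (c >= 0) close(c);
    unlink(path);
    return rc;
}

/* A path that does not exist: open_directly() refuses and errno says why (ENOENT). */
int demo_on_missing_path(void)
{
    if (open_directly("/tmp/toctou_demo_does_not_exist") >= 0)
        return 0;                                /* would be unexpected */
    return errno;
}

/* A directory passes open() but fails the descriptor check with EISDIR. */
int demo_on_directory(void)
{
    if (open_regular_file("/") >= 0)
        return 0;
    return errno;
}

int main(void)
{
    int missing = demo_on_missing_path();
    int dir = demo_on_directory();
    printf("temp file rc=%d; missing path errno=%d (%s); directory errno=%d (%s)\n",
           demo_on_temp_file(), missing, strerror(missing), dir, strerror(dir));
    return 0;
}
```

The useful habit to take from this is in `open_directly` and `open_regular_file`: the refusal code from the one operation that actually matters is the authoritative answer, and any further qualification is made on the object you already hold. Re-deriving the access decision beforehand, whether with `access()` here or with a hand-rolled RACROUTE on z/OS, only reproduces the decision imperfectly and leaves a window in which it can stop being true.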