On 7/24/2013 7:17 PM, Paul Gilmartin wrote:
As of 1.13, IEB[C]OPY is AC=0. (But there is an AC=1 version kept for
those who feel they need it (why?).) IEWL (IEWBLINK) is AC=0. AMASPZAP
is AC=01 (why?)

AMASPZAP needs AC=1 to zap disk labels. It can be safely called in an
unauthorized environment to perform the traditional function of zapping
load modules and program objects. AMASPZAP is not an impediment to an
unauthorized SMP/E.

I believe that as of z/OS 1.13 *none* of the programs invoked by SMP/E
require authorization. But, as you pointed out in an earlier post, SMP/E
itself uses "Wait for DSNAME" in dynamic allocation, which does require
authorization. That's a minor and rarely-needed feature but, if it's
important to someone, I believe it would not be very difficult to
provide this capability in a way that does not require SMP/E to be
authorized.

Of course any program that runs AC=1 assumes the responsibility of
performing its own SAF checking. I believe this is true also for any
program linked AC=0 into an APF authorized library where it may be
attached by an AC=1 program.

I think the real problem is the fact that SMPE somehow "abuses" APF to
bypass normal security checks for some of its processing. Until IBM decides
to correct that (removing APF seems like it would be effective but also
seems like overkill), an equitable solution that addresses the needs of both
sysprogs and non-sysprogs is likely to be elusive.

Why "overkill"? If it's unnecessary, it's safer and more useful without it.
"abuses"? It's possible. It's possible that development added a new
function and hadn't the resources to code the necessary SAF checks.
It's even possible that some specified function of SMP/E requires
bypassing normal security checks, although that seems highly unlikely.

SMP/E is not a self-contained, APF authorized program. It invokes
various utilities (in fact, any program you choose!) that were *never*
intended to run authorized and therein lies the problem.

You cannot change the rules of MVS to require that every unauthorized
program residing in an authorized library follow the rules for
authorized programs on the off-chance that one of them might one day be
invoked by SMP/E in an authorized environment. That would be lunacy.

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/