> The short answer is that any module loaded by an authorized program > must come from an authorized library.
I've been reading this post with interest since I've had to do a lot to deal with authorized services loading programs from unauthorized libraries. I have a utility that copies the joblib/steplib information and the load module information including its APF authorization from one address space and transmits the information via SRB to another which can load a copy of an unauthorized program (via IRB) from an unauthorized library into another address space for special testing. It uses the LOAD ADRNAPF which now also has an ADRNAPF64 parameter. Of course, this requires that the utility dynalloc the joblib/steplib in the IRB, open it, load, close it and unalloc it. It's a lot of code just to make a copy of a common program in another address space. The point being that an authorized program can load from an unauthorized library provided it has the code to manage it. It doesn't need to modify the APF setting for a library. Of course, the unauthorized program is still setup to be called unauthorized. This is done for special debugging functions used to isolate a common piece of code from other callers in other address spaces. Kenneth -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Gerhard Postpischil Sent: Thursday, December 19, 2013 12:57 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: APF authorization and JOBLIB DD card On 12/18/2013 7:58 PM, Blaicher, Christopher Y. wrote: > The short answer is that any module loaded by an authorized program > must come from an authorized library. Loaded modules don't have to be > authorized (AC=1), they just have to come from an authorized library. > Now it gets more complicated. I solved this problem a long time ago. First on OS/360 by having a special step account code, and on later (test) systems by having a utility program that authorizes the tasklib, then loads the needed program(s). RACF can keep it out of unwanted hands. It saves time and effort testing programs that need authorization, and it also has a ZAP function for testing. It's heavily modified code from Don Higgins that I found on the cbt tape, but I don't remember what he called it; his version only has the ZAP capability. The added code is: SPACE 1 APFSET ICM R7,15,TCBJLB TEST STEPLIB PRESENCE BZ APFQUIT NO STEPLIB USING IHADCB,R7 DECLARE IT L R7,DCBDEBAD LOAD DEB FOR STEPLIB N R7,=X'00FFFFFF' FIX HIGH BYTE USING DEBBASIC,R7 OI DEBFLGS1,DEBAPFIN TURN ON APF LIBRARY BIT Gerhard Postpischil Bradford, Vermont ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN