The difference is that TSO (and ISPF) runs in problem state and the jobstep is 
unauthorized.

In batch, when executing a program linked AC(1) that comes from a valid APF 
authorized library, then the entire jobstep is considered authorized.

TSO must jump through a few hoops to attempt to provide a safe way of invoking 
the authorized program - this involves having a parallel authorized jobstep TMP 
task and suspending all TCBs on the non-authorized "leg" while the authorized 
code is executing.

Hence the various tables in TSO (and ISPF) to define these special circumstance 
commands (or programs) that can run authorized.

Throw into the ring, the confusion that can occur with TSOLIB and ISPLLIB (and 
STEPLIB) - it can get messy to code applications and debug problems in this 
area - especially when your code is running on other people's systems.
      

Rob Scott
Lead Developer
Rocket Software
77 Fourth Avenue . Suite 100 . Waltham . MA 02451-1468 . USA
Tel: +1.781.684.2305
Email: rsc...@rs.com
Web: www.rocketsoftware.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Leonardo Vaz
Sent: 04 March 2014 15:51
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF storage protection

True, I have never understood that either, gil.

It might have more to do with executing the program in the appropriate TCB than a 
security exposure.

Leo

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Tuesday, March 04, 2014 10:25 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: ISPF storage protection

On Tue, 4 Mar 2014 08:54:43 -0500, Shmuel Metz (Seymour J.) wrote:

>In <9819019940159674.wa.paulgboulderaim....@listserv.ua.edu>, on
>03/03/2014
>   at 06:14 PM, Paul Gilmartin <paulgboul...@aim.com> said:
>
>>I have no idea why APF authorized library and link edit with AC=1 
>>alone don't suffice.
>
>Because it would be a major security breach.
> 
That doesn't tell me much.

Why?  How?  Would it be any less a security breach to invoke such a program 
from JCL with "EXEC PGM=..." which likewise causes it to run in the authorized 
state?

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
