On Wed, 28 May 2014 08:19:28 -0400, Peter Relson wrote: >Ed Jaffe is fully correct about AC=1. Never mark something AC=1 unless you >need it to be the target of EXEC PGM= (or its z/OS Unix analog). >Since SYS1.LINKLIB is considered APF-authorized, all modules in it are >available to an authorized requestor (there is no "mixing'). What >SYS1.LINKLIB "mixes" (as it should) is AC=1 modules with non-AC=1 modules. > The hazard arises when an "authorized requestor" is allowed to ATTACH an AC=0 module which was never designed to run in the authorized state and does not do suitable SAF checking. This hazard is greatly multiplied when a programmer is allowed to specify in a utilities configuration file an arbitrary AC=0 module which will be so ATTACHed and to control the parameters and input to that module. Requiring that the programmer have specific RACF authority to run the parent program is an inadequate approach, particularly when IBM does not clearly document the hazard as guidance for programmers granted such authorization.
We've had this discussion before. Although, IIRC, you've denied it, it *is* "security by obscurity" not to inform properly authorized programmers out of phobia that the information may facilitate exploitation of systems that have not installed the (now four years old) security PTFs. -- gil ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN