Thanks to everyone for replying, I would never realised you had to flip JSCBAUTH from the macro documentation. The actual business requirement is that we run Rexx execs that call ISPF services on behalf of workstation users running an IDE. The STC doing this must run authorised because it communicates with a comms task via cross-memory services. So we will have control over what gets executed. This is still very much an experiment, I am not sure it will actually work.
Thanks Robin -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Binyamin Dissen Sent: 15 May 2017 20:56 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: ATTACH with RSAPF=YES Well, if you want to run unauthorized stuff you would first need to set your job as non-APF by resetting the bit. Of course, your authorized key8 storage will be subject to change by the unauthorized task, thus your authorized code must not use Key8 storage. (1) and (2) are not exclusive, as your authorized task would need to remain in supervisor state after resetting APF (assuming you still need APF services). If you no longer need APF services, simply reset APF do MODESET PROB and the garden variety ATTACH(X) Why do you want to run unauthorized code from this STC? What is the business case? On Mon, 15 May 2017 15:18:38 +0700 Robin Atwood <abend...@gmail.com> wrote: :>We have a requirement to attach user modules from an unauthorised library :>and execute them from an STC which :> :>runs APF authorised. Calling ATTACH with RSAPF=YES seems to do exactly what :>I want but every time I try it :> :>I get abend S306-0C, "authorised program attaching module from an :>unauthorized library". The ATTACH macro :> :>description states: :> :> :> :>RSAPF=YES when these conditions are met: :> :>. The caller is running in supervisor state, system key (0-7), :>or both :> :>. The caller is running non-APF authorized :> :>. The subtask is attached in the problem program state and with :>a nonsystem key. :> :> :> :>Conditions 1 and 2 seem mutually exclusive. I tried coding MODESET MODE=SUP :>and adding SM=PROB,KEY=PROP :> :>to the ATTACH but it made no difference. I seem to be missing something :>fairly massive here! Can anyone shed :> :>some light on this? :> :> :> :>Thanks :> :>Robin :> :> :>---------------------------------------------------------------------- :>For IBM-MAIN subscribe / signoff / archive access instructions, :>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Binyamin Dissen <bdis...@dissensoftware.com> http://www.dissensoftware.com Director, Dissen Software, Bar & Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN