Possible is in the eye of the coder.  Most everything "can" be done.
Whether it is a good idea or not is another discussion ( i.e. Walt's
comment ).

I can break MVS integrity, security etc etc.  Just look at
www.krisecurity.com for examples found on how to break integrity.  There
are loads of ways to do it.

I can't help but agree with Walt that without very careful consideration,
dynamic STEPLIBs might be a terrible thing.

Rob

On Fri, Sep 22, 2017 at 4:11 PM Blaicher, Christopher Y. <
cblaic...@syncsort.com> wrote:

> I think you are a little off.  A static concatenation cannot result in a
> mix of authorized and unauthorized libraries and the program running
> authorized.
>
> Contents supervisor, when it goes to load the first module from EXEC PGM=
> checks the JOBLIB or STEPLIB for all libraries to be authorized, else the
> program while still being loaded will not run authorized.  If the program
> is being loaded from the LINKLST, it checks that the library it is being
> loaded from is authorized, otherwise it once again runs as unauthorized.
>
> If at some later point a load of a module from a library in the LINKLST
> that is not authorized, or a directed LOAD/LINK/ATTACH/XCTL with a
> non-authorized library specified, will result in an ABEND.
>
> I hope the writers of the STEPLIB concatenation routine were through
> enough to check the current authorization status of the job step and, if it
> is running authorized, validated that the library being added is also
> authorized.  Otherwise the concatenation should fail.
>
> If your shop has this function, I would verify that you cannot add an
> unauthorized library to a STEPLIB or JOBLIB.  If you can, you have just
> left a hole the size of the Lincoln Tunnel in your system.
>
> Chris Blaicher
> Technical Architect
> Mainframe Development
> P: 201-930-8234 <(201)%20930-8234>  |  M: 512-627-3803 <(512)%20627-3803>
> E: cblaic...@syncsort.com
>
> Syncsort Incorporated
> 2 Blue Hill Plaza #1563
> Pearl River, NY 10965
> www.syncsort.com
>
> Data quality leader Trillium Software is now a part of Syncsort.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of David W Noon
> Sent: Friday, September 22, 2017 3:53 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Dynamic Steplib and z/OS 2.3?
>
> On Fri, 22 Sep 2017 13:14:52 -0500, Walt Farrell
> (walt.farr...@gmail.com) wrote about "Re: Dynamic Steplib and z/OS 2.3?"
> (in <4974758334821366.wa.walt.farrellgmail....@listserv.ua.edu>):
>
> > On Fri, 22 Sep 2017 10:40:59 -0500, Paul Gilmartin <paulgboul...@aim.com>
> wrote:
> >
> >> Dynamic STEPLIB has been discussed in these fora so often that I
> >> suspect it's the subject of numerous RFEs.  I suspect there are
> >> technical reasons that IBM has not rushed to provide the function.
> >> Is the design of OS/360 such that any dynamic STEPLIB would be
> >> incomplete or have unintended consequences?
> >
> > Any dynamic STEPLIB functionality introduces potential System
> > Integrity> exposures, because some parts (modules) of a program may
> > have been
> loaded> from one library and others from a different, incompatible library.
> Such an exposure can just as easily occur from a static concatenation for
> STEPLIB/JOBLIB, so allowing dynamic allocation is not a significant
> increase in such exposure.
>
> It is up to the site's programmers to ensure that the load libraries in
> use in a job step are mutually compatible.
> --
> Regards,
>
> Dave  [RLU #314465]
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> david.w.n...@googlemail.com (David W Noon)
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
>
>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ________________________________
>
>
>
> ATTENTION: -----
>
> The information contained in this message (including any files transmitted
> with this message) may contain proprietary, trade secret or other
> confidential and/or legally privileged information. Any pricing information
> contained in this message or in any files transmitted with this message is
> always confidential and cannot be shared with any third parties without
> prior written approval from Syncsort. This message is intended to be read
> only by the individual or entity to whom it is addressed or by their
> designee. If the reader of this message is not the intended recipient, you
> are on notice that any use, disclosure, copying or distribution of this
> message, in any form, is strictly prohibited. If you have received this
> message in error, please immediately notify the sender and/or Syncsort and
> destroy all copies of this message in your possession, custody or control.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
-- 

Rob Schramm

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to