Possible is in the eye of the coder. Most everything "can" be done. Whether it is a good idea or not is another discussion ( i.e. Walt's comment ).
I can break MVS integrity, security etc etc. Just look at www.krisecurity.com for examples found on how to break integrity. There are loads of ways to do it. I can't help but agree with Walt that without very careful consideration, dynamic STEPLIBs might be a terrible thing. Rob On Fri, Sep 22, 2017 at 4:11 PM Blaicher, Christopher Y. < cblaic...@syncsort.com> wrote: > I think you are a little off. A static concatenation cannot result in a > mix of authorized and unauthorized libraries and the program running > authorized. > > Contents supervisor, when it goes to load the first module from EXEC PGM= > checks the JOBLIB or STEPLIB for all libraries to be authorized, else the > program while still being loaded will not run authorized. If the program > is being loaded from the LINKLST, it checks that the library it is being > loaded from is authorized, otherwise it once again runs as unauthorized. > > If at some later point a load of a module from a library in the LINKLST > that is not authorized, or a directed LOAD/LINK/ATTACH/XCTL with a > non-authorized library specified, will result in an ABEND. > > I hope the writers of the STEPLIB concatenation routine were through > enough to check the current authorization status of the job step and, if it > is running authorized, validated that the library being added is also > authorized. Otherwise the concatenation should fail. > > If your shop has this function, I would verify that you cannot add an > unauthorized library to a STEPLIB or JOBLIB. If you can, you have just > left a hole the size of the Lincoln Tunnel in your system. > > Chris Blaicher > Technical Architect > Mainframe Development > P: 201-930-8234 <(201)%20930-8234> | M: 512-627-3803 <(512)%20627-3803> > E: cblaic...@syncsort.com > > Syncsort Incorporated > 2 Blue Hill Plaza #1563 > Pearl River, NY 10965 > www.syncsort.com > > Data quality leader Trillium Software is now a part of Syncsort. > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of David W Noon > Sent: Friday, September 22, 2017 3:53 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: Dynamic Steplib and z/OS 2.3? > > On Fri, 22 Sep 2017 13:14:52 -0500, Walt Farrell > (walt.farr...@gmail.com) wrote about "Re: Dynamic Steplib and z/OS 2.3?" > (in <4974758334821366.wa.walt.farrellgmail....@listserv.ua.edu>): > > > On Fri, 22 Sep 2017 10:40:59 -0500, Paul Gilmartin <paulgboul...@aim.com> > wrote: > > > >> Dynamic STEPLIB has been discussed in these fora so often that I > >> suspect it's the subject of numerous RFEs. I suspect there are > >> technical reasons that IBM has not rushed to provide the function. > >> Is the design of OS/360 such that any dynamic STEPLIB would be > >> incomplete or have unintended consequences? > > > > Any dynamic STEPLIB functionality introduces potential System > > Integrity> exposures, because some parts (modules) of a program may > > have been > loaded> from one library and others from a different, incompatible library. > Such an exposure can just as easily occur from a static concatenation for > STEPLIB/JOBLIB, so allowing dynamic allocation is not a significant > increase in such exposure. > > It is up to the site's programmers to ensure that the load libraries in > use in a job step are mutually compatible. > -- > Regards, > > Dave [RLU #314465] > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* > david.w.n...@googlemail.com (David W Noon) > *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ________________________________ > > > > ATTENTION: ----- > > The information contained in this message (including any files transmitted > with this message) may contain proprietary, trade secret or other > confidential and/or legally privileged information. Any pricing information > contained in this message or in any files transmitted with this message is > always confidential and cannot be shared with any third parties without > prior written approval from Syncsort. This message is intended to be read > only by the individual or entity to whom it is addressed or by their > designee. If the reader of this message is not the intended recipient, you > are on notice that any use, disclosure, copying or distribution of this > message, in any form, is strictly prohibited. If you have received this > message in error, please immediately notify the sender and/or Syncsort and > destroy all copies of this message in your possession, custody or control. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- Rob Schramm ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
