A linklist data set need not be authorized. If you specify LNKAUTH=APFTAB in IEASYSxx, then an application library would be authorized only if you created an APF entry for it. Assuming that SYS2.PRODLIB is not APF, then there is no more danger in linklisting it than allowing users to STEPLIB to it.
The exposure that my ancient Audit department focused on was devious code that could be slipped into production in some random library being STEPLIBed to in an individual job. Code like the legendary (fairytale?) case of diverting fractions of a cent from accounts payable into a private fund. Someone would have to vet the source code, of course, but at least there was an audit trail from source to production. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW robin...@sce.com -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lizette Koehler Sent: Tuesday, December 19, 2017 11:12 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: Cobol upgrade 6.2 linklist So, my opinion Once a dataset is in the linkst - depending on how it is controlled - someone could put other code in there that is not system friendly. So I have dataset, MYHLQ.USER.LOADLIB in the linklist. Now it is apf authorized. I use a package like Changemen to deploy to it, but it does not know what should not go there. I use all valid naming conventions for the process. But the code could be something "special". So USERA decides to create a program with an assembler subroutine that can filter data in a database and send to an unknown site. Or set up other issues in the system. USERA has the authority to deploy to that dataset. But who is controlling the source to ensure it does not do bad things. Just my thought Lizette > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > On Behalf Of R.S. > Sent: Tuesday, December 19, 2017 6:08 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: Cobol upgrade 6.2 linklist > > What is the risk of putting COBOL-compiled code into LINKLIST? > Let's assume LNKAUTH=LNKLST. > Such code will not perform any authorized instructions. It can be > called from another AC=1 code, but the problem is the module, not the COBOL > code called. > What I'm missing? > > > -- > Radoslaw Skorupka > Lodz, Poland ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN