Let me put on my security preacher hat for a moment. Yes, what Eileen says is a fact: there is no z/OS "enforcement" of RENT unless the program is from an APF library. You can easily get surprised by "where did that S0C4 come from?"
But that is not the big issue. If you are getting "surprised" by "oh gosh, look at that, it's getting loaded from an APF library" then you do not have proper controls over what is probably THE most critical aspect of mainframe integrity, and as Barry Schrager observed at the dawn of mainframe security, without integrity there is no security. APF libraries are the keys to the kingdom.

If I worked for you, and I were a malicious programmer, and I observed that if I did X and Y and Z then my program would end up in an APF library without any management or security review, then I OWN your mainframe. An APF-authorized program can do ANYTHING. Ray Overby and others have demonstrated at SHARE that just a few lines of obscure binary in an authorized program can give the user RACF SPECIAL and/or OPERATIONS/PRIVILEGED with NO AUDIT TRAIL WHATSOEVER, and from there on out the sky is the limit.

There are two pieces to APF authorization, AC=1 and the library. There are no controls over AC=1 -- any programmer can do it. It is up to you to control APF libraries rigorously.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Barkow, Eileen
Sent: Friday, July 6, 2018 6:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Linklist and APF

I am not sure if this is still true, but a while ago we had a problem whereby a program would only work from steplib and not a linklib. It turned out that certain options such as RENT were only enforced if the module resided in an APF-authorized linklib. So our module had been link-edited with the RENT option but was not really reentrant, so it abended when the RENT attribute was enforced.