On Thu, Sep 5, 2019 at 7:05 AM Lennie Dymoke-Bradshaw <
lenni...@rsmpartners.com> wrote:

> Bob,
>
> I think ITschak's words are good advice.
>
> However, I am concerned at your statement,
>
> "The problem, of course, is that if I'm authorized to submit jobs with
> USER=<region> on the JOB card then I can submit ~any~ such job, to do
> anything I want that the region can do."
>
> The CICS transaction runs under the security context of the region userid.
>
> Are the CICS users explicitly authorised to do job submission?
> Are security checks made against the requester of the CICS transaction?
> Is the CICS user involved at all?
>

As best as I can see, the answer is "No". The simplest way to submit a job
using CICS is the EXEC CICS SPOOLnnnn API. Just do a SPOOLOPEN with a
USERID of INTRDR. Then use SPOOLWRITE to send the JCL. The submitted job
will run with the userid of the CICS region, unless there is a valid USER=
(and possibly PASSWORD=) on the JOB card. There is no RACF security on this
that I can see.

more info:
https://www.ibm.com/support/knowledgecenter/en/SSGMCP_5.1.0/com.ibm.cics.ts.doc/dfht5/topics/dfht52p.html

There may be a way to totally disable job submission from a CICS region
using the JESSPOOL profile, but I don't know that for sure. I am guessing
for the really security conscious, they could write an XEIIN exit and "do
something" when a SPOOLOPEN is attempted. I guess it's a case of "trust the
programmer to not introduce a security exposure" (no offense, but most
programmers I know are not really security conscious -- they just want the
users & management to be satisfied)


>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web:              www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>

-- 
I find television very educational. The minute somebody turns it on, I go
into the library and read a good book
-- Groucho Marx

Maranatha! <><
John McKown
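
The SPOOLOPEN / SPOOLWRITE / SPOOLCLOSE sequence described in the reply above, written out as an added example (it is not code from the post or from IBM's documentation). The program name SUBJOB, the abend code, and the three-line JCL are assumptions made for illustration. It assumes the region was started with SPOOL=YES in the SIT, which the SPOOL commands require. The point it demonstrates is the one in the post: nothing here identifies the CICS terminal user, so the job JES reads from the internal reader is owned by the region userid. Adding USER= for a different userid to the JOB card would make the job run as that userid, but RACF then requires either PASSWORD= or SURROGAT READ access for the region userid to the profile userid.SUBMIT, so it is that class, not the SPOOL API itself, that gates impersonation.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. SUBJOB.
      * Added example, not from the original post.  Writes a job stream
      * to the JES internal reader from a CICS task.  Names are assumed.
      * Requires SPOOL=YES in the SIT.
       ENVIRONMENT DIVISION.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-TOKEN               PIC X(8).
       01  WS-RESP                PIC S9(8) COMP.
       01  WS-RESP2               PIC S9(8) COMP.
       01  WS-LINE-LEN            PIC S9(8) COMP VALUE 80.
       01  WS-IDX                 PIC S9(4) COMP.
      * Constructed JCL.  No USER= on the JOB card, so the job runs
      * under the CICS region userid; the terminal user is not involved.
       01  WS-JCL.
           05  WS-JCL-1   PIC X(80) VALUE
               '//SUBJ0001 JOB (ACCT),CLASS=A,MSGCLASS=X'.
           05  WS-JCL-2   PIC X(80) VALUE
               '//STEP1    EXEC PGM=IEFBR14'.
           05  WS-JCL-3   PIC X(80) VALUE
               '//'.
       01  WS-JCL-TAB REDEFINES WS-JCL.
           05  WS-JCL-LINE  PIC X(80) OCCURS 3 TIMES.
       PROCEDURE DIVISION.
       MAIN-PARA.
      *    Open an output spool data set addressed to userid INTRDR on
      *    the local node.  JES treats whatever is written as JCL.
           EXEC CICS SPOOLOPEN OUTPUT
                TOKEN(WS-TOKEN)
                USERID('INTRDR')
                NODE('*')
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
              PERFORM FAIL-PARA
           END-IF
      *    Send the JOB card and the rest of the job, one 80-byte
      *    card image per SPOOLWRITE.
           PERFORM VARYING WS-IDX FROM 1 BY 1 UNTIL WS-IDX > 3
               EXEC CICS SPOOLWRITE
                    TOKEN(WS-TOKEN)
                    FROM(WS-JCL-LINE(WS-IDX))
                    FLENGTH(WS-LINE-LEN)
                    RESP(WS-RESP) RESP2(WS-RESP2)
               END-EXEC
               IF WS-RESP NOT = DFHRESP(NORMAL)
                  PERFORM FAIL-PARA
               END-IF
           END-PERFORM
      *    Closing the data set hands it to JES; the job is now queued
      *    with the region userid as its owner.
           EXEC CICS SPOOLCLOSE
                TOKEN(WS-TOKEN)
                RESP(WS-RESP) RESP2(WS-RESP2)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
              PERFORM FAIL-PARA
           END-IF
           EXEC CICS RETURN END-EXEC.
       FAIL-PARA.
      *    Assumed abend code; a real program would log RESP/RESP2.
           EXEC CICS ABEND ABCODE('SUBJ') END-EXEC.
```

For anyone auditing this, the useful check is on the JES side rather than in CICS: any job whose owner is a CICS region userid came in through this path (or an equivalent one) and its JESJCLIN will not show which transaction or terminal user caused it, so correlate by time with CICS task-level logging if you need the originator.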

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN