To reinforce Tony's point: ultimate control resides with SAF update authority 
to any and all authorized libraries. If that control is compromised, there is 
NOTHING that MVS can do to prevent mischief. 

J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Tony Harminc
Sent: Friday, November 15, 2019 10:19 AM
To: [email protected]
Subject: (External):Re: AUTHPGM in IKJTSOxx

On Wed, 13 Nov 2019 at 09:56, Jeffrey Holst 
<[email protected]> wrote:
>
> Does AUTHPGM require that the specified program have a non-zero AC or that it 
> be in an APF authorized library?

Both.

> I ask because it appears that a very clever user may have written a program 
> whose name matches a program in the AUTHPGM list. The program executes a 
> macro instruction that requires APF authorization. It appears that he was 
> able to successfully call it from TSO.

If the user has write access to an APF authorized library (including any 
library in linklist), then all is lost - the user can do anything.
If the user does not have such write access, then how did s/he invoke this 
bogus program? With TSO CALL specifying a dataset name? If an unauthorized 
library is in the STEPLIB (or TSOLIB defined library or is the library 
specified on the CALL command), and the module name is defined in AUTHPGM, then 
it should get an abend S306 and/or a message from TSO saying that it can't be 
invoked.

In passing, anyone can create a load module/Program Object that has AC(1). This 
is just a mark by the creator that this module is intended to be safely invoked 
as the first module in a job step or directly as a TSO command. It bestows no 
APF authorization by itself.

> If this is the case, is there a way to secure this. If this is not supposed 
> to work this way, this would seem to be an integrity issue that is worthy of 
> a PMR.

I'm sure IBM will treat it very seriously if you can demonstrate that a user 
with *no write access to an APF authorized library* can have their own program 
- no matter what it's named - invoked in an authorized state.

Tony H.
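A constructed Python model of the decision Tony describes (the module must have AC(1) and come from an APF-authorized library, and a look-alike from a user library is rejected), added here as an illustration and not part of the thread. The dataset names, the AUTHPGM entry and the rule that a STEPLIB concatenation is authorized only if every library in it is APF are assumptions of the model.

```python
"""Model of the TSO authorized-program decision discussed above (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    library: str   # dataset the load module lives in
    ac: int        # linkage-editor authorization code, 0 or 1


def concatenation_is_apf(steplib, apf_list):
    """Assumed rule: a concatenation is authorized only if EVERY dataset is APF."""
    return all(ds in apf_list for ds in steplib)


def locate(name, steplib, modules):
    """First module with this name in STEPLIB search order (constructed lookup)."""
    for ds in steplib:
        for m in modules:
            if m.name == name and m.library == ds:
                return m
    return None


def tso_invocation(name, steplib, apf_list, authpgm, modules):
    """Return 'AUTHORIZED', 'UNAUTHORIZED' (plain problem-state run), or 'S306'."""
    mod = locate(name, steplib, modules)
    if mod is None:
        return "NOT FOUND"
    if name not in authpgm:
        return "UNAUTHORIZED"      # not in AUTHPGM: runs, but with no authority
    if mod.ac == 1 and concatenation_is_apf(steplib, apf_list):
        return "AUTHORIZED"        # both conditions met, as the thread states
    return "S306"                  # named in AUTHPGM but not eligible: rejected


def demo():
    """Constructed APF list, AUTHPGM entry and modules; AC(1) alone grants nothing."""
    apf = {"SYS1.LINKLIB", "SYS1.AUTHLIB"}
    authpgm = {"AUTHPROG"}
    modules = [
        Module("AUTHPROG", "SYS1.AUTHLIB", 1),   # the genuine module
        Module("AUTHPROG", "USER.LOAD", 1),      # look-alike, AC(1) set by its author
    ]
    return {
        "genuine": tso_invocation("AUTHPROG", ["SYS1.AUTHLIB"], apf, authpgm, modules),
        "lookalike": tso_invocation("AUTHPROG", ["USER.LOAD"], apf, authpgm, modules),
        # genuine module found first, but a non-APF library taints the concatenation
        "mixed": tso_invocation("AUTHPROG", ["SYS1.AUTHLIB", "USER.LOAD"], apf, authpgm, modules),
    }
```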


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN