The first statement is not completely true: you can have an APF-authorized USS file (just by doing extattr +a with access to BPX.FILEATTR.APF). It could also be in the LPA, where I believe all modules are loaded authorized, or even in the linklist with the parameter that defines that linklist libraries are authorized. It could even have been added dynamically via the CSVAPF macro or a system command; it does not necessarily have to be in the PARMLIB APF list.
Just thought it was worth mentioning.

Regards,
Leo

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jesse 1 Robinson
Sent: Friday, November 15, 2019 4:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx

A few points.

-- No program can run APF (authorized) if it's fetched from a library that itself is not named in the PARMLIB APF list, nor if the containing library is concatenated with even a single non-APF library--which renders the entire concatenation non-APF.

-- Furthermore, the initial program, if fetched in a TSO address space, must be named in the IKJTSOxx member of PARMLIB.

There are some specific abends for violating these rules.

-- ABEND S306 for attempting to fetch a module from a non-APF library while running APF authorized.

-- ABEND S047 for attempting to execute an APF-defined function when not running APF authorized. The most notorious such function is entering Supervisor State or a protect key other than 8.

IBM will happily (!) take an APAR for a circumstance that violates APF protection.

Marking a module AC(1) is required only for the first module in a call sequence, but the APF-residence rule applies to every subsequent module in the call sequence.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Paul Gilmartin
Sent: Friday, November 15, 2019 11:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx

On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:

>Does AUTHPGM require that the specified program have a non-zero AC or that it
>be in an APF authorized library?
>
>I ask because it appears that a very clever user may have written a program
>whose name matches a program in the AUTHPGM list. The program executes a macro
>instruction that requires APF authorization. It appears that he was able to
>successfully call it from TSO.
>
What does AUTHPGM protect, or rather what security hazard does the absence of a program from the AUTHPGM list specifically prevent? Can an expert outline a scenario?

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN