I would just rather not have my cat skinned in the first place :) CSVAPF could be executed from a non-authorized with access to CSVAPF facility class I believe; I've seen that with universal access before. Of course, we have to make sure all those are secured, but it's not completely trivial, as we can see from the original post.

Regards,
Leo

> On Nov 15, 2019, at 5:43 PM, Jesse 1 Robinson <jesse1.robin...@sce.com> wrote:
>
> Thanks for the clarification. Yes, SYS1.LPALIB is automatically APF authorized. I believe that the whole PLPA is APF as well, although we seem to name all the other LPALIBs explicitly. I'm sure that the CSVAPF macro requires APF to execute. The entire linklist is APF only if that parameter is coded in PARMLIB; otherwise each module is evaluated according to its origin. The SETPROG command could make any library APF; it's up to the installation to protect that command. The USS case I've not explored, but again it looks like SAF authorization to a BPX resource is required.
>
> As is so often the case, there are many ways to skin a cat, but I'm convinced that the result is all the same for the cat.
>
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-543-6132 Office ⇐=== NEW
> robin...@sce.com
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Leonardo Vaz
> Sent: Friday, November 15, 2019 2:12 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: AUTHPGM in IKJTSOxx
>
> The first statement is not completely true: you can have an APF authorized USS file (just by doing extattr +a with access to BPX.FILEATTR.APF); it could also be in the LPA, where I believe all modules are loaded authorized, or even in the linklist with the parameter that defines that linklist libraries are authorized; it could even have been added dynamically via the CSVAPF macro or system command. It does not necessarily have to be in the PARMLIB APF list.
>
> Just thought it was worth mentioning.
>
> Regards,
> Leo
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jesse 1 Robinson
> Sent: Friday, November 15, 2019 4:45 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AUTHPGM in IKJTSOxx
>
> A few points.
>
> -- No program can run APF (authorized) if it's fetched from a library that itself is not named in the PARMLIB APF list, nor if the containing library is concatenated with even a single non-APF library--which renders the entire concatenation non-APF.
>
> -- Furthermore, the initial program, if fetched in a TSO address space, must be named in the IKJTSOxx member of PARMLIB.
>
> There are some specific abends for violating these rules.
>
> -- ABEND S306 for attempting to fetch a module from a non-APF library while running APF authorized.
>
> -- ABEND S047 for attempting to execute an APF-defined function when not running APF authorized. The most notorious such function is entering Supervisor State or a protect key other than 8.
>
> IBM will happily (!) take an APAR for a circumstance that violates APF protection.
>
> Marking a module AC(1) is required only for the first module in a call sequence, but the APF-residence rule applies to every subsequent module in the call sequence.
>
> J.O.Skip Robinson
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Paul Gilmartin
> Sent: Friday, November 15, 2019 11:48 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: AUTHPGM in IKJTSOxx
>
>> On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:
>>
>> Does AUTHPGM require that the specified program have a non-zero AC or that it be in an APF authorized library?
>>
>> I ask because it appears that a very clever user may have written a program whose name matches a program in the AUTHPGM list. The program executes a macro instruction that requires APF authorization. It appears that he was able to successfully call it from TSO.
>>
> What does AUTHPGM protect, or rather what security hazard does the absence of a program from the AUTHPGM list specifically prevent? Can an expert outline a scenario?
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
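As an added illustration of the rules Skip and Leo spell out above (example code, not from the thread or from IBM): a small Python model of the APF-concatenation, AC(1), S306 and S047 rules, run over constructed library names. The data set names, volumes and module names are made up, and the LNKAUTH=LNKLST/APFTAB switch is assumed to be the IEASYSxx parameter Skip refers to.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lib:
    dsname: str
    volser: str  # APF entries match on data set name AND volume

def non_apf_members(concat, apf_table):
    """Libraries in a concatenation that are absent from the APF table."""
    return [lib for lib in concat if lib not in apf_table]

def concat_is_apf(concat, apf_table):
    """Skip's rule: one non-APF library makes the whole concatenation non-APF."""
    return not non_apf_members(concat, apf_table)

def linklist_is_apf(linklist, apf_table, lnkauth_lnklst):
    """Assumed IEASYSxx LNKAUTH: =LNKLST treats the whole linklist as APF;
    =APFTAB means each linklist library must be in the APF table itself."""
    return True if lnkauth_lnklst else concat_is_apf(linklist, apf_table)

def check_call_sequence(sequence, apf_table):
    """sequence: list of (module, ac, concat) in call order.
    Returns ("AUTHORIZED", None); ("UNAUTHORIZED", reason) when the first
    module cannot start authorized (any APF-only service it then attempts
    ends in ABEND S047); or ("S306", module) when an authorized task later
    fetches a module from a non-APF concatenation. AC(1) is checked only
    on the first module; APF residence is checked on every module."""
    first_mod, first_ac, first_concat = sequence[0]
    if first_ac != 1:
        return "UNAUTHORIZED", f"{first_mod} is not link-edited AC(1)"
    bad = non_apf_members(first_concat, apf_table)
    if bad:
        return "UNAUTHORIZED", f"{bad[0].dsname} in the concatenation is not APF"
    for mod, _ac, concat in sequence[1:]:
        if not concat_is_apf(concat, apf_table):
            return "S306", mod
    return "AUTHORIZED", None

# Constructed sample data: made-up data set names, volumes and modules.
APF_TABLE = {Lib("SYS1.LINKLIB", "SYSRES"), Lib("SYS1.LPALIB", "SYSRES"),
             Lib("PROD.AUTHLIB", "PRD001")}
AUTH_CONCAT = [Lib("PROD.AUTHLIB", "PRD001"), Lib("SYS1.LINKLIB", "SYSRES")]
MIXED_CONCAT = AUTH_CONCAT + [Lib("USER.TESTLIB", "WRK001")]  # one non-APF lib

if __name__ == "__main__":
    print(check_call_sequence([("MYAUTH", 1, AUTH_CONCAT)], APF_TABLE))
    print(check_call_sequence([("MYAUTH", 1, MIXED_CONCAT)], APF_TABLE))
    print(check_call_sequence([("MYAUTH", 1, AUTH_CONCAT),
                               ("HELPER", 0, MIXED_CONCAT)], APF_TABLE))
```

On a real system the APF table would be taken from the output of D PROG,APF rather than typed in, and a library's volume must match the APF entry, not just its name.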