So guys, stupid question: what about an STC that provisions for RACF, etc., but the design is as a normal generalized user, with an ID with SPECIAL that is invoked only during the time of passing the command to RACF? Does it have to be APF authorized for RACF command access, or am I misunderstanding my readings?
Scott

On Mon, Nov 18, 2019 at 10:19 AM Charles Mills <charl...@mcn.org> wrote:

> A program running APF-authorized (jobstep program or not) can pretty much
> do anything it wants. Those few things it cannot do -- it can give itself
> permission to do. THAT is the essence of the problem.
>
> So the program must be (a) designed correctly and (b) checked very
> carefully before it is put in an authorized library (or, of course, the
> library it is in is authorized).
>
> (a) would include not branching to (or modifying storage at!) addresses
> that are passed from arbitrary callers (or, I suppose, random addresses).
>
> (a) is a serious issue. It is an easy error to design with insufficient
> caution, e.g. a PC linkage in which a control block is passed that contains
> buffer pointers, exit routine addresses, etc. One must be very careful to
> validate addresses as being appropriately accessible by the caller, and to
> validate that exit routines are only passed by authorized (or the
> equivalent) callers.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Paul Gilmartin
> Sent: Sunday, November 17, 2019 5:10 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AUTHPGM in IKJTSOxx
>
> ...snip ...
>
> I respectfully differ. A program executed as the job step task and
> running in authorized state which can branch to an arbitrary address,
> not necessarily an entry point, in its address space, even in its own
> code, specified by a non-privileged user presents an indeterminate
> hazard.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
*IDMWORKS* Scott Ford, z/OS Dev.
“By elevating a friend or colleague you elevate yourself, by demeaning a friend or colleague you demean yourself”
www.idmworks.com | scott.f...@idmworks.com | Blog: www.idmworks.com/blog
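As an added illustration of the validation Charles describes in the quoted reply (a control block whose buffer pointer and exit-routine address both come from the caller), here is a portable C model written for this thread; it is not code from any poster, from z/OS or from RACF, and the caller_t/request_t structures, the single-region access check and the scenario helpers are simplifications assumed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a caller: the one storage region it may legitimately
   reference, and whether the caller itself runs authorized. */
typedef struct {
    char  *region_start;
    size_t region_len;
    bool   authorized;
} caller_t;

/* Control block handed across the (simulated) PC linkage. Every field is
   caller-supplied and therefore untrusted. */
typedef struct {
    char  *buffer;
    size_t buffer_len;
    void (*exit_routine)(void);
} request_t;

/* True only if [p, p+len) lies wholly inside the caller's own region. */
static bool caller_can_access(const caller_t *c, const void *p, size_t len) {
    uintptr_t start = (uintptr_t)p, lo = (uintptr_t)c->region_start;
    if (p == NULL || len > UINTPTR_MAX - start) return false;   /* wrap check */
    return start >= lo && start + len <= lo + c->region_len;
}

/* Hardened service: 0 on success, a distinct negative code per rejection.
   No caller-provided address is written through or branched to before it is
   validated against what that caller could legitimately do itself. */
int authorized_service(const caller_t *c, const request_t *req) {
    if (req == NULL) return -1;
    if (!caller_can_access(c, req->buffer, req->buffer_len)) return -2;
    if (req->exit_routine != NULL && !c->authorized) return -3;
    memset(req->buffer, 0, req->buffer_len);      /* the service's real work */
    if (req->exit_routine != NULL) req->exit_routine();
    return 0;
}

/* Constructed scenarios so the checks can be exercised without a real PC. */
char caller_storage[64];
char other_storage[16];
static int exit_calls = 0;
static void sample_exit(void) { exit_calls++; }
int scenario(bool authorized, char *buf, size_t len, bool with_exit) {
    caller_t c = { caller_storage, sizeof caller_storage, authorized };
    request_t r = { buf, len, with_exit ? sample_exit : NULL };
    return authorized_service(&c, &r);
}
int exit_call_count(void) { return exit_calls; }
```

In a real PC routine the equivalent checks are made against the caller's key, storage and authorization state, which this model only simulates with one region and one flag.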