Jesse / Skip,

This is actually defined as being a requirement in "DFSMS Access Method Services Commands" SC23-6846-30. See Page 6, or just search for AUTHCMD and you will quickly find it. It states the following:

"To use IDCAMS and some of its parameters from TSO/E, your system programmer must update the system by one of these means:

- Update the IKJTSOxx member of SYS1.PARMLIB. This is the method that IBM recommends. Add IDCAMS to the list of authorized programs (AUTHPGM). If you want to use SHCDS, SETCACHE, LISTDATA, DEFINE or IMPORT from TSO/E, add them (and abbreviations) to the authorized command list (AUTHCMD).

- Update the IKJEGSCU CSECT instead of IKJTSOxx, see z/OS TSO/E Customization for more information."

This does not introduce the exposure that placing IDCAMS into AUTHPGM does. Several forms of DEFINE require APF authorisation.

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
Web: www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Jesse 1 Robinson
Sent: 04 December 2019 00:40
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AUTHPGM in IKJTSOxx

I thought I was done with this thread, but today a new gotcha popped up. On one system, we ran out of local page space. We could log on (TSO) but could not start any task or submit any job. To avoid IPL, we needed to create another local page data set. Back in the halcyon days, if you're old enough to remember--and young enough to remember--we could use STEPCAT or JOBCAT to create page space on an adjacent system. Both of those options are long gone. Since we could logon to the depleted system, we tried using TSO DEF PAGESPACE. On the problem system, we got S338 abend. On another system, however, the command worked just fine. The actual solution was long and tortuous and not to be undertaken lightly.

Afterwards, we looked in IKJTSO00. On the system where DEFINE worked, we found

AUTHCMD NAMES( /* AUTHORIZED COMMANDS */ +
DEFINE /* FOR AUTH AMS SVCS */ +

Looks like an oversight, but in neither system did CPAC parmlib contain that line.

So it may not be safe after all, but the solution undertaken is hardly safe either. It was do that or IPL. Advice?

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Seymour J Metz
Sent: Wednesday, November 27, 2019 9:36 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx

Well, IBM has documented a lot of the rules for authorized code.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Michael Stein <m...@zlvfc.com>
Sent: Wednesday, November 27, 2019 12:20 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx

On Tue, Nov 26, 2019 at 07:13:47PM +0000, Seymour J Metz wrote:
> If you have update access to APF authorized libraries then you could
> certainly write such a program, although a competent auditor would
> read you the riot act if he found out. Exploiting a program that
> follows the rules is harder.

Figuring out the "rules" is hard. Following them is harder.

It's very easy to get an authorized function to usually work. Writing the code so that it works and fails correctly and is secure is much harder.

For security it's usually best to let the hardware provide the security boundaries wherever possible (address space and protect keys).

Write access to an APF library on a personal test system is really useful for education, development, and trying out system services. A non-shared test system doesn't have system stability or security issues to be concerned about. But be very careful NEVER to run that type of code on shared systems.

I once traced instruction counts for a path of "hit enter once" type action. This involved turning on instruction fetch PER and disabled DAT off code to update a counter for each asid/instruction address.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
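Added example, not part of the thread or of any poster's system: a small Python checker for an IKJTSOxx member that reports the two settings Lennie and Skip contrast, IDCAMS in AUTHPGM versus DEFINE (or DEF) in AUTHCMD. The sample member is constructed; the parsing rules assumed are /* */ comments and a trailing '+' or '-' continuation character.

```python
import re

# Constructed sample IKJTSOxx member (hypothetical, not any poster's system);
# it mirrors the fragment Skip quoted: /* */ comments and a trailing '+'
# continuation character on every record but the last of each statement.
SAMPLE_IKJTSO00 = """\
AUTHPGM NAMES(          /* AUTHORIZED PROGRAMS */         +
        IDCAMS          /* WHOLE PROGRAM, NOT JUST DEFINE */ +
        IEBCOPY                                           +
       )
AUTHCMD NAMES(          /* AUTHORIZED COMMANDS */         +
        DEFINE DEF      /* FOR AUTH AMS SVCS */           +
        LISTDATA                                          +
       )
"""

def parse_ikjtso(member):
    """Return {statement: [names]} for each 'XXXX NAMES(...)' statement.
    Comments are dropped first; a trailing '+' or '-' (TSO/E parmlib
    continuation) joins the record to the next. Columns 73-80 are ignored."""
    statements, buf = [], ""
    for record in member.splitlines():
        text = re.sub(r"/\*.*?\*/", " ", record[:72]).rstrip()
        if text.endswith(("+", "-")):
            buf += text[:-1] + " "
            continue
        buf += text
        if buf.strip():
            statements.append(buf)
        buf = ""
    parsed = {}
    for stmt in statements:
        m = re.match(r"\s*(\w+)\s+NAMES\s*\((.*)\)\s*$", stmt)
        if m:
            parsed[m.group(1).upper()] = m.group(2).upper().split()
    return parsed

def review_authorization(member):
    """Report the two settings the thread contrasts: IDCAMS in AUTHPGM
    (the broader exposure Lennie points at) versus DEFINE, or its
    abbreviation DEF, in AUTHCMD (the route the IBM manual describes)."""
    cfg = parse_ikjtso(member)
    authpgm = set(cfg.get("AUTHPGM", []))
    authcmd = set(cfg.get("AUTHCMD", []))
    return {
        "idcams_in_authpgm": "IDCAMS" in authpgm,
        "define_in_authcmd": bool({"DEFINE", "DEF"} & authcmd),
        "authcmd": sorted(authcmd),
    }
```

Run against the constructed member it flags IDCAMS in AUTHPGM while confirming DEFINE is present in AUTHCMD; a member with no AUTHCMD statement at all, the CPAC situation Skip describes, reports define_in_authcmd as False.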