Re: APF authorized, but not
It has always been the case that it is the real data set name entry in the APF list that is used for authorization, not an alias. This is documented. And the CSV_APF_EXISTS health check reports on this situation.

Peter Relson
z/OS Core Technology Design

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: APF authorized, but not
mvsguy wrote:

> I'm running a ServerPac job to copy the RACF DSN to the target system. Naturally, SYS1.LINKLIB needs to be auth'd on the driver system. I add the alias'd DSN to a temp PROGxx and switch to it. All looks good, and D PROG,APF displays the alias and the correct path. However, when I try to run IRRMIN00, it dies with an S330, reg15=0001. There is no JOBLIB, and the single STEPLIB points to the alias'd data set name. How can something show as auth'd and die with an auth abend?
>
> Regards,
> MVSGuy

You need to APF authorize the real name, not the alias name. The alias name is only used for catalog lookup. After that the real name is used.

--
Richard
Re: APF-Authorized
In DFSMS Access Method Services for Catalogs, Appendix A, "Security Authorization Levels", Table 5 lists the required security authorization for catalogs:

  Function Performed   | Required RACF for User Catalog | Required RACF for Master Cat | Comments
  Define Alias of UCAT | None                           | Update                       | MCAT update authority is not checked if the user has authority for the FACILITY class STGADMIN.IGG.DEFDEL.UALIAS.

Brad Wissink
Information Technology Services
Iowa State University
515-294-3088

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Walker
Sent: Friday, November 16, 2007 3:56 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: APF-Authorized

I'm posting this again. I apologize if this is a double post. OK, I'm thick. I'm trying to create an alias to a user catalog, and I'm getting bit.

  /* IDCAMS COMMAND */
  DEFINE ALIAS (NAME(MYALIAS) -
                RELATE(ABC123.CATALOG) -
               )

  IDC3018I SECURITY VERIFICATION FAILED
  IDC3009I ** VSAM CATALOG RETURN CODE IS 56 - REASON CODE IS IGG0CLFT-36 **

What do I need to change where so that I can create this baby? RC56 RSN36 tells me:

  Explanation: The caller is not authorized. When no profile exists for functions that require RACF authorization, the caller must be at least APF authorized.

What exactly do I authorize?

Thanks,
Aaron
Re: APF Authorized Code/Libraries.
> > There are two ways:
> > OK, I can't count!
>
> To paraphrase: There are 11 kinds of people in the world, those who understand base 3, and those who don't.

11 (base 3) equals 4 (base 10), doesn't it? Maybe I just don't understand base 3. I used to know this as: There are 10 kinds of people in the world, those who understand binary, and those who don't.

Peter Hunkeler
CREDIT SUISSE
Re: APF Authorized Code/Libraries.
-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Hunkeler Peter (KIUB 34)

> > > There are two ways:
> > > OK, I can't count!
> >
> > To paraphrase: There are 11 kinds of people in the world, those who understand base 3, and those who don't.
>
> 11 (base 3) equals 4 (base 10), doesn't it? Maybe I just don't understand base 3. I used to know this as: There are 10 kinds of people in the world, those who understand binary, and those who don't.

Inflation. See http://www.kor.dk/borge/inflate.php?url=http%3A%2F%2Fwww.kor.dk%2Fborge%2Fb-story-1.htmstyle=right or http://www.whysanity.net/monos/victor_borge.html :-)

-jc-
Re: APF Authorized Code/Libraries.
In [EMAIL PROTECTED], on 07/31/2006 at 10:10 AM, Edward Jaffe [EMAIL PROTECTED] said:

> JSCBAUTH

Thanks. On reflection I realized that it had to be there, because the bit is the same in SVS, which doesn't have an ASCB.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003)
Re: APF Authorized Code/Libraries.
On Sun, 30 Jul 2006 23:47:00 + Jeffrey D. Smith [EMAIL PROTECTED] wrote:

:From: Binyamin Dissen [EMAIL PROTECTED]
:Sent: 7/30/2006 10:13 AM
:To: IBM-MAIN@BAMA.UA.EDU IBM-MAIN@BAMA.UA.EDU
:Subject: Re: APF Authorized Code/Libraries.

:On Sun, 30 Jul 2006 09:08:00 -0300 Shmuel Metz (Seymour J.) [EMAIL PROTECTED] wrote:

::In [EMAIL PROTECTED], on 07/28/2006 at 05:16 PM, Wayne Driscoll [EMAIL PROTECTED] said:

::While that is true, since non-reentrant code loaded out of an APF authorized library is loaded into KEY 8 storage, there is an integrity exposure if said code is loaded into a multi-user address space, since it is open to being modified (by accident or by intent) by a non-authorized program.

::Authorization is at the address space level. Normally it's impossible for authorized and unauthorized programs to run concurrently in the same address space. If your authorized code circumvents the normal safeguards then you have more serious issues than what key the code is loaded under.

:Actually authorization is at the jobstep task level.

:Some TSO commands can be attached authorized.

TSO starts a parallel TMP as a jobstep task, and runs the command under it.

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
Re: APF Authorized Code/Libraries.
On 7/31/2006 2:44 AM, Binyamin Dissen wrote:

> TSO starts a parallel TMP as a jobstep task, and runs the command under it.

In my experience, and from reading the code, the parallel TMP is not a jobstep task. IKJEFT01 (or one of its relatives) is the jobstep task, and the parallel TMP is merely another instance of IKJEFT02 attached as a normal subtask below IKJEFT01, with some special processing to freeze other activity while it runs.

Walt Farrell, CISSP
z/OS Security Design, IBM
Re: APF Authorized Code/Libraries.
In [EMAIL PROTECTED], on 07/30/2006 at 07:13 PM, Binyamin Dissen [EMAIL PROTECTED] said:

> Actually authorization is at the jobstep task level.

Isn't the APF status in the ASCB? ASCBAUTH, as I recall.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Re: APF Authorized Code/Libraries.
Shmuel Metz (Seymour J.) wrote:

> Isn't the APF status in the ASCB? ASCBAUTH, as I recall.

JSCBAUTH

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/
Re: APF Authorized Code/Libraries.
> > Actually authorization is at the jobstep task level.
>
> Isn't the APF status in the ASCB? ASCBAUTH, as I recall.

No, it is the JSCBAUTH bit in the job step control block. Hence job step level.

CC
Re: APF Authorized Code/Libraries.
On Mon, 31 Jul 2006 12:14:16 -0300 Shmuel Metz (Seymour J.) [EMAIL PROTECTED] wrote:

:In [EMAIL PROTECTED], on 07/30/2006 at 07:13 PM, Binyamin Dissen [EMAIL PROTECTED] said:

:Actually authorization is at the jobstep task level.

:Isn't the APF status in the ASCB? ASCBAUTH, as I recall.

JSCBOPTS/JSCBAUTH.

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel
Re: APF Authorized Code/Libraries.
In [EMAIL PROTECTED], on 07/28/2006 at 05:16 PM, Wayne Driscoll [EMAIL PROTECTED] said:

> While that is true, since non-reentrant code loaded out of an APF authorized library is loaded into KEY 8 storage, there is an integrity exposure if said code is loaded into a multi-user address space, since it is open to being modified (by accident or by intent) by a non-authorized program.

Authorization is at the address space level. Normally it's impossible for authorized and unauthorized programs to run concurrently in the same address space. If your authorized code circumvents the normal safeguards then you have more serious issues than what key the code is loaded under.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Re: APF Authorized Code/Libraries.
On Sun, 30 Jul 2006 09:08:00 -0300 Shmuel Metz (Seymour J.) [EMAIL PROTECTED] wrote:

:In [EMAIL PROTECTED], on 07/28/2006 at 05:16 PM, Wayne Driscoll [EMAIL PROTECTED] said:

:While that is true, since non-reentrant code loaded out of an APF authorized library is loaded into KEY 8 storage, there is an integrity exposure if said code is loaded into a multi-user address space, since it is open to being modified (by accident or by intent) by a non-authorized program.

:Authorization is at the address space level. Normally it's impossible for authorized and unauthorized programs to run concurrently in the same address space. If your authorized code circumvents the normal safeguards then you have more serious issues than what key the code is loaded under.

Actually authorization is at the jobstep task level.

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel
Re: APF Authorized Code/Libraries.
==
-----Original Message-----
From: Binyamin Dissen [EMAIL PROTECTED]
Sent: 7/30/2006 10:13 AM
To: IBM-MAIN@BAMA.UA.EDU IBM-MAIN@BAMA.UA.EDU
Subject: Re: APF Authorized Code/Libraries.

On Sun, 30 Jul 2006 09:08:00 -0300 Shmuel Metz (Seymour J.) [EMAIL PROTECTED] wrote:

:In [EMAIL PROTECTED], on 07/28/2006 at 05:16 PM, Wayne Driscoll [EMAIL PROTECTED] said:

:While that is true, since non-reentrant code loaded out of an APF authorized library is loaded into KEY 8 storage, there is an integrity exposure if said code is loaded into a multi-user address space, since it is open to being modified (by accident or by intent) by a non-authorized program.

:Authorization is at the address space level. Normally it's impossible for authorized and unauthorized programs to run concurrently in the same address space. If your authorized code circumvents the normal safeguards then you have more serious issues than what key the code is loaded under.

Actually authorization is at the jobstep task level.

--
Binyamin Dissen [EMAIL PROTECTED]
==

Some TSO commands can be attached authorized.

Jeffrey D. Smith
Farsight Systems Corporation
24 BURLINGTON DR
LONGMONT, CO 80501
303-774-9381 direct
303-709-8153 cell
303-484-6170 fax
Re: APF Authorized Code/Libraries.
On Fri, 28 Jul 2006 17:16:44 -0400 Wayne Driscoll [EMAIL PROTECTED] wrote:

:While that is true, since non-reentrant code loaded out of an APF authorized library is loaded into KEY 8 storage, there is an integrity exposure if said code is loaded into a multi-user address space, since it is open to being modified (by accident or by intent) by a non-authorized program. Since a reentrant program loaded from an APF authorized library is loaded into KEY 0 storage, only another authorized program could switch to PSW key 0 and modify the storage.

That is among the minor worries of trying to directly execute APF code in a multiuser address space. Besides the program itself, there are the data areas and the save areas used by the program. Such code would be best served by being executed via SVC/PC or by stopping the other tasks in the address space (as done by TSO).

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel
Re: APF Authorized Code/Libraries.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Howard Rifkind
Sent: Friday, July 28, 2006 10:39 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: APF Authorized Code/Libraries.

> I just installed a new program and one of the instructions states to run the code in a particular library as APF authorized. I'm sort of confused about this. Is it o.k. to just add this library to the PROG00 member and then use some sort of SETSYS command to refresh PROG00? A parameter feed to this program at start up is supposed to tell the program to run APF authorized and I think it might have been link-edited with a parameter of 0. Does this force the need to be APF authorized? I started the program and it did come up but there isn't current work to feed to it so I can't tell anything else. Thanks.

There are two ways:

1) Update your current PROGxx member with the new dsn / volser, then issue the command: T PROG=xx

2) Create a new PROGnn member with the new dsn / volser, issue the command: T PROG=nn. Merge the changes into the IPL PROGxx member later.

3) Update the current PROGxx member, but issue the command: SETPROG APF,ADD,DSN=new.dataset.name,VOL=volser

I use option #3 as it does not put any extraneous members in PARMLIB.

Just to be a bit more complete, you can also remove APF authorization on-the-fly with: SETPROG APF,DELETE,DSN=old.dataset.name,VOL=volser

That's just in case you get a finger check like I sometimes do.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
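The two rules this page turns on, the alias rule from Peter Relson's and Richard's replies at the top (the APF list is matched on the real data set name, so an entry for a catalog alias authorizes nothing) and the SETPROG ADD/DELETE procedure in John McKown's post just above, as an added example. It is not code from the thread, from IBM, or from any of the posters. It assumes a D PROG,APF display in the ENTRY/VOLUME/DSNAME layout (the sample below is constructed), an alias-to-base map of the kind you would build from LISTCAT output (also constructed), that "*SMS*" in the volume column marks an SMS-managed library, and the DSNAME=/VOLUME= (or SMS) keyword forms of SETPROG APF. The step_runs_authorized rule (AC(1) plus a fully authorized STEPLIB, or JOBLIB when there is no STEPLIB) is a simplification that ignores libraries reached only through LNKLST or LPA.

```python
"""Added example; not code from the IBM-MAIN thread or from IBM.

Rule 1: APF authorization is keyed on the REAL data set name. A STEPLIB
        that names a catalog alias is resolved to its base name first, and
        that base name must be in the APF list.
Rule 2: A job step runs authorized (JSCBAUTH on) only if its program is
        AC(1) and every library in the STEPLIB (else JOBLIB) concatenation
        is APF authorized.  Simplification: LNKLST/LPA are not modelled.
"""
import re

# Constructed sample of a D PROG,APF display (not real system output).
SAMPLE_DISPLAY = """\
CSV450I 10.15.23 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
   1  ZRES1  SYS1.LINKLIB
   2  ZRES1  SYS1.SVCLIB
   3  DRV001 DRIVER.LINKLIB
   4  *SMS*  HLQ.VENDOR.LOAD
"""

# Constructed alias map (alias -> base name), as LISTCAT would show it.
# DRIVER.LINKLIB plays the "alias'd dsn" of the mvsguy post: it is in the
# APF list, but its base name is not, so a STEPLIB to it is unauthorized.
SAMPLE_ALIASES = {"DRIVER.LINKLIB": "SYS1.LINKLIB.DRIVER"}

# Assumed layout: entry number, volser, dsname (header lines do not match).
_ENTRY = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s*$")


def parse_apf_display(text):
    """Return [(volser, dsname)] for each numbered entry line."""
    return [m.groups() for m in map(_ENTRY.match, text.splitlines()) if m]


def real_name(dsn, alias_map):
    """Resolve a catalog alias to its base name (identity if not an alias)."""
    return alias_map.get(dsn, dsn)


def is_apf_authorized(dsn, entries, alias_map):
    """Rule 1: the name the system checks is the base name, never the alias."""
    base = real_name(dsn, alias_map)
    return any(d == base for _, d in entries)


def alias_entries(entries, alias_map):
    """APF entries that are aliases: [(alias, base, volser)].  They authorize
    nothing and only make D PROG,APF look right when it is not."""
    return [(d, alias_map[d], v) for v, d in entries if d in alias_map]


def step_runs_authorized(ac, steplib=(), joblib=(), entries=(), alias_map=None):
    """Rule 2: AC(1) and an all-authorized STEPLIB (or JOBLIB) concatenation.
    One unauthorized library anywhere in the concatenation spoils it."""
    alias_map = alias_map or {}
    concat = steplib or joblib          # STEPLIB overrides JOBLIB for the step
    return ac == 1 and bool(concat) and all(
        is_apf_authorized(d, entries, alias_map) for d in concat)


def fix_commands(bad):
    """SETPROG pairs that add the base name and drop the useless alias entry.
    SMS-managed libraries take the SMS keyword instead of VOLUME=."""
    cmds = []
    for alias, base, vol in bad:
        where = "SMS" if vol == "*SMS*" else f"VOLUME={vol}"
        cmds.append(f"SETPROG APF,ADD,DSNAME={base},{where}")
        cmds.append(f"SETPROG APF,DELETE,DSNAME={alias},{where}")
    return cmds


if __name__ == "__main__":
    entries = parse_apf_display(SAMPLE_DISPLAY)
    bad = alias_entries(entries, SAMPLE_ALIASES)
    for alias, base, vol in bad:
        print(f"{alias} on {vol} is an alias of {base}; base is not in the APF list")
    # The IRRMIN00 case from the first thread: AC(1) program, STEPLIB is the alias.
    print("step authorized:",
          step_runs_authorized(1, steplib=["DRIVER.LINKLIB"],
                               entries=entries, alias_map=SAMPLE_ALIASES))
    for c in fix_commands(bad):
        print(c)
```

Run against a saved D PROG,APF display and an alias map pulled from LISTCAT, this is an offline stand-in for the CSV_APF_EXISTS check Peter Relson mentions: every hit from alias_entries is a library that looks authorized on the console but is not, and the emitted SETPROG commands are the dynamic fix from John McKown's option 3 (add the real name, then remove the alias entry so the display stops lying). Fold the same change into the IPL PROGxx member afterwards, or it is gone at the next IPL.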
Re: APF Authorized Code/Libraries.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of McKown, John
Sent: Friday, July 28, 2006 10:50 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: APF Authorized Code/Libraries.

> There are two ways:

OK, I can't count!

> 1) Update your current PROGxx member with the new dsn / volser, then issue the command: T PROG=xx
>
> 2) Create a new PROGnn member with the new dsn / volser, issue the command: T PROG=nn. Merge the changes into the IPL PROGxx member later.
>
> 3) Update the current PROGxx member, but issue the command: SETPROG APF,ADD,DSN=new.dataset.name,VOL=volser
>
> I use option #3 as it does not put any extraneous members in PARMLIB.
>
> Just to be a bit more complete, you can also remove APF authorization on-the-fly with: SETPROG APF,DELETE,DSN=old.dataset.name,VOL=volser
>
> That's just in case you get a finger check like I sometimes do.

--
John McKown
Senior Systems Programmer
HealthMarkets
Re: APF Authorized Code/Libraries.
==
-----Original Message-----
From: Howard Rifkind [EMAIL PROTECTED]
Sent: 7/28/2006 9:38 AM
To: IBM-MAIN@BAMA.UA.EDU IBM-MAIN@BAMA.UA.EDU
Subject: APF Authorized Code/Libraries.

I just installed a new program and one of the instructions states to run the code in a particular library as APF authorized. I'm sort of confused about this. Is it o.k. to just add this library to the PROG00 member and then use some sort of SETSYS command to refresh PROG00? A parameter feed to this program at start up is supposed to tell the program to run APF authorized and I think it might have been link-edited with a parameter of 0. Does this force the need to be APF authorized? I started the program and it did come up but there isn't current work to feed to it so I can't tell anything else. Thanks.
==

For testing APF programs, I would suggest using the operator command SETPROG APF,ADD,DSN=data_set_name,VOL=volume (assuming you are set up for dynamic APF libraries). The APF indicator goes away on the next IPL. When you are satisfied with the testing, then you can make permanent changes to your parmlib.

When you say "parameter of 0" I think you are talking about the binder parameter AC(0). If the program runs as a job-step task, then it needs AC(1). If it is not a job-step task, then it needs AC(0). Authorized programs should be reentrant (I'd like to know the reasons for a non-reentrant authorized program -- eek!).

Jeffrey D. Smith
Farsight Systems Corporation
24 BURLINGTON DR
LONGMONT, CO 80501
303-774-9381 direct
303-709-8153 cell
303-484-6170 fax
Re: APF Authorized Code/Libraries.
-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Howard Rifkind

> I just installed a new program and one of the instructions states to run the code in a particular library as APF authorized. I'm sort of confused about this. Is it o.k. to just add this library to the PROG00 member and then use some sort of SETSYS command to refresh PROG00?

If you go that route I believe the command would be SET PROG=nn. Probably simpler to add the library to your APF list in the relevant PROGnn member, then use the SETPROG command to dynamically add it to the APF list on the running system; e.g. SETPROG APF,ADD,LIB(NEW.APF.LOAD.LIBRARY),VOL(VOLSER). == Double-check the syntax. :-)

> A parameter feed to this program at start up is supposed to tell the program to run APF authorized and I think it might have been link-edited with a parameter of 0. Does this force the need to be APF authorized?

No; some function in the program will force the need to be APF authorized. (E.g., most RACROUTE calls can be issued successfully only by authorized code.) But a requirement to run authorized *MAY* force a need to link-edit the module with AC(1).

-jc-
Re: APF Authorized Code/Libraries.
> Authorized programs should be reentrant (I'd like to know the reasons for a non-reentrant authorized program -- eek!).

Why do you think so? Authorization has no relation to reentrancy.

--
Bruce A. Black
Senior Software Developer for FDR
Innovation Data Processing
973-890-7300
personal: [EMAIL PROTECTED]
sales info: [EMAIL PROTECTED]
tech support: [EMAIL PROTECTED]
web: www.innovationdp.fdr.com
Re: APF Authorized Code/Libraries.
> There are two ways:
> OK, I can't count!

To paraphrase: There are 11 kinds of people in the world, those who understand base 3, and those who don't.

Happy Friday

Tim Hare
Senior Systems Programmer
Florida Department of Transportation
(850) 414-4209
Re: APF Authorized Code/Libraries.
-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Tim Hare

> > There are two ways:
> > OK, I can't count!
>
> To paraphrase: There are 11 kinds of people in the world, those who understand base 3, and those who don't.

http://www.whysanity.net/monos/victor_borge.html

-jc-
Re: APF Authorized Code/Libraries.
While that is true, since non-reentrant code loaded out of an APF authorized library is loaded into KEY 8 storage, there is an integrity exposure if said code is loaded into a multi-user address space, since it is open to being modified (by accident or by intent) by a non-authorized program. Since a reentrant program loaded from an APF authorized library is loaded into KEY 0 storage, only another authorized program could switch to PSW key 0 and modify the storage.

Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Black
Sent: Friday, July 28, 2006 11:48 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: APF Authorized Code/Libraries.

> > Authorized programs should be reentrant (I'd like to know the reasons for a non-reentrant authorized program -- eek!).
>
> Why do you think so? Authorization has no relation to reentrancy.
>
> --
> Bruce A. Black
> Senior Software Developer for FDR
> Innovation Data Processing
Re: APF Authorized Code/Libraries.
On 7/28/2006 5:17 PM, Wayne Driscoll wrote:

> While that is true, since non-reentrant code loaded out of an APF authorized library is loaded into KEY 8 storage, there is an integrity exposure if said code is loaded into a multi-user address space, since it is open to being modified (by accident or by intent) by a non-authorized program. Since a reentrant program loaded from an APF authorized library is loaded into KEY 0 storage, only another authorized program could switch to PSW key 0 and modify the storage.

While that is true, Wayne, there are many risks with trying to do APF in a multi-user address space. By the way, loading the code from the APF library is probably not a problem in your scenario, but trying to actually run APF-authorized certainly is.

And don't forget that in addition to the program storage, if you're concerned about malicious users in a multi-user address space you need to worry (at a minimum) about save areas and, in fact, all storage allocated by the authorized program. Any use of key 8 storage by the APF-authorized program in that situation is dangerous. It's very difficult to get everything right in that situation.

Walt Farrell, CISSP
z/OS Security Design, IBM
Re: APF Authorized Code/Libraries.
In [EMAIL PROTECTED], on 07/28/2006 at 08:38 AM, Howard Rifkind [EMAIL PROTECTED] said:

> Is it o.k. to just add this library to the PROG00 member and then use some sort of SETSYS command to refresh PROG00?

That depends on your change control procedures. Either SET PROG= or SETPROG will work.

> A parameter feed to this program at start up is supposed to tell the program to run APF authorized

I might believe that there is a parameter that causes the program to use facilities that require authorization.

> and I think it might have been link-edited with a parameter of 0. Does this force the need to be APF authorized?

An authorized command or job-step program is linked with AC(1); if it's AC(0) then the ATTACH RSAPF=YES will attach it as unauthorized.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Re: APF Authorized Code/Libraries.
In [EMAIL PROTECTED], on 07/28/2006 at 03:57 PM, Jeffrey D. Smith [EMAIL PROTECTED] said:

> Authorized programs should be reentrant

All programs should be reentrant, but there's nothing special about authorized programs in that regard.

> If the program runs as a job-step task, then it needs AC(1).

It needs AC(1) if it is attached with RSAPF=YES, which includes several cases beyond J/S task, e.g., authorized TSO command.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT