Re: Authorized Rexx Assembler Function

2011-01-01 Thread Lindy Mayfield
Well, since we all know the answers, this is simply a discussion.  But yes,
that is what I want to do... or more specifically, what I want to discuss.

x = foo(bar) where foo is an assembler function running authorized.

But I know two ways to do this that do not violate any system integrity rules. 

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Shmuel Metz (Seymour J.)
Sent: Friday, December 31, 2010 7:29 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

In 0377b9a583fd0e4aacd676ee33ee994b4875a...@sdkmail13.emea.sas.com,
on 12/31/2010
   at 02:56 PM, Lindy Mayfield lindy.mayfi...@ssf.sas.com said:

> That is exactly what I meant by my question.  Rexx assembler function,
> authorized properly, put into the TSO command IKJTSOxx table, won't run
> authorized.

If you really mean function, then there is no mechanism, nor should there be. 
IKJTSOxx is for authorized commands, authorized programs and authorized 
services, not for functions. Are you saying that you want to write

 foo=bar(baz)

or

 call bar baz

rather than

 address TSO bar baz

and have baz run authorized?
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at 
http://bama.ua.edu/archives/ibm-main.html



Re: Authorized Rexx Assembler Function

2010-12-31 Thread Walt Farrell
On Thu, 30 Dec 2010 13:47:19 -0500, Shmuel Metz (Seymour J.)
shmuel+ibm-m...@patriot.net wrote:

In listserv%201012290646331895.0...@bama.ua.edu, on 12/29/2010
   at 06:46 AM, Walt Farrell wfarr...@us.ibm.com said:

>> (1) Normal Rexx environments (as established by TSO or by IRXEXEC in
>> batch) do not themselves run authorized.

> I'm confused. The question did not concern the EXEC command, it
> concerned a user written command that was AC(1), in an authorized
> library and in the authorized command table. Given that, it would
> receive control as APF authorized. The first thing that the compiled
> code would do would be to set up a REXX environment, but I'm not aware
> of anything that would turn off JSCBPASS at that point.


I believe the question I responded to was, approximately, why can't my Rexx
function, written in assembler, run authorized?

It was not about user-written commands, but Rexx functions, as I understand it.

-- 
Walt Farrell
IBM STSM, z/OS Security Design



Re: Authorized Rexx Assembler Function

2010-12-31 Thread Lindy Mayfield
That is exactly what I meant by my question.  Rexx assembler function,
authorized properly, put into the TSO command IKJTSOxx table, won't run
authorized.  We already went over, at least twice, how to do it: 1) properly, and
2) don't do it, looking for trouble, it ain't my dog, etc.

My why wasn't a whine why, or a complain why, simply a curiosity about the 
reasons behind the design.

Thank you and I wish all my IBM-MAIN friends a wonderful new year.
Lindy

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Walt Farrell


I believe the question I responded to was, approximately, why can't my Rexx 
function, written in assembler, run authorized?

It was not about user-written commands, but Rexx functions, as I understand it.

--
Walt Farrell
IBM STSM, z/OS Security Design



Re: Authorized Rexx Assembler Function

2010-12-31 Thread Shmuel Metz (Seymour J.)
In 0377b9a583fd0e4aacd676ee33ee994b4875a...@sdkmail13.emea.sas.com,
on 12/31/2010
   at 02:56 PM, Lindy Mayfield lindy.mayfi...@ssf.sas.com said:

> That is exactly what I meant by my question.  Rexx assembler
> function, authorized properly, put into the TSO command IKJTSOxx
> table, won't run authorized.

If you really mean function, then there is no mechanism, nor should
there be. IKJTSOxx is for authorized commands, authorized programs and
authorized services, not for functions. Are you saying that you want
to write

 foo=bar(baz)

or

 call bar baz

rather than

 address TSO bar baz

and have baz run authorized?
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Authorized Rexx Assembler Function

2010-12-31 Thread Shmuel Metz (Seymour J.)
In listserv%201012310634190927.0...@bama.ua.edu, on 12/31/2010
   at 06:34 AM, Walt Farrell wfarr...@us.ibm.com said:

> I believe the question I responded to was, approximately, why can't
> my Rexx function, written in assembler, run authorized?

The OP mentioned using the REXX compiler, linking AC(1), using an
authorized library and adding it to the authorized command list. The
only thing missing was a PARMLIB command or an IPL to activate the new
list.

> It was not about user-written commands,

See above.

> but Rexx functions,

If you call it from the READY prompt then it's a command, not a
function.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Authorized Rexx Assembler Function

2010-12-30 Thread Shmuel Metz (Seymour J.)
In listserv%201012290646331895.0...@bama.ua.edu, on 12/29/2010
   at 06:46 AM, Walt Farrell wfarr...@us.ibm.com said:

> (1) Normal Rexx environments (as established by TSO or by IRXEXEC in
> batch) do not themselves run authorized.

I'm confused. The question did not concern the EXEC command, it
concerned a user written command that was AC(1), in an authorized
library and in the authorized command table. Given that, it would
receive control as APF authorized. The first thing that the compiled
code would do would be to set up a REXX environment, but I'm not aware
of anything that would turn off JSCBPASS at that point.

That said, I would advise against it even if it works, but it's not my
dog.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Authorized Rexx Assembler Function

2010-12-30 Thread Shmuel Metz (Seymour J.)
In
985915eee6984740ae93f8495c624c6c21cf025...@jscpcwexmaa1.bsg.ad.adp.com,
on 12/28/2010
   at 05:27 PM, Farley, Peter x23353 peter.far...@broadridge.com
said:

> If you have the REXX compiler and you use the compiler to create a
> REXX load module and you authorize that load module and store it in
> an APF-authorized library and specify that load module name in
> IKJTSOxx, would that compiled REXX get control in an authorized state
> when invoked as a command?

Probably. It's not my dog.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Authorized Rexx Assembler Function

2010-12-29 Thread Walt Farrell
On Wed, 29 Dec 2010 02:05:45 +0100, Lindy Mayfield
lindy.mayfi...@ssf.sas.com wrote:

> I am sorry, I only mean to educate myself.  You explain the behavior, IMHO,
> but you don't say why.  OR you said why and I didn't get it.
>
> Why can I not create a Rexx function that is authorized?  (I do NOT want
> to, I'm just curious.  I KNOW  how to make it happen in various ways, some
> that violate system integrity, and some that don't).

(1) Normal Rexx environments (as established by TSO or by IRXEXEC in batch)
do not themselves run authorized.

(2) Programs only run APF-authorized when they're started by something
that is already running APF-authorized or in supervisor state or system key.
 A program that is not running authorized can not invoke another program
directly (CALL, LINK, ATTACH, XCTL) and have it run authorized.  

Therefore, since Rexx itself is not running authorized, your Rexx exec
cannot simply call another program and have that program run authorized. 

It could:
(a) use IKJEFTSR to invoke a program listed in IKJTSOxx and have that
program run authorized, if it's running under the TSO TMP; or
(b) use a UNIX spawn() or fork()/exec() to run an authorized program in a
different address space; or
(c) use AXR (System Rexx) functions to run a System Rexx exec in an
authorized environment.

But it can not simply use a Rexx call instruction, nor address LINKPGM (or
LINKMVS, ATTCHMVS, ATTCHPGM, etc.), to invoke it, if it needs to run authorized.

-- 
Walt Farrell
IBM STSM, z/OS Security Design 



Re: Authorized Rexx Assembler Function

2010-12-29 Thread Paul Gilmartin
On Wed, 29 Dec 2010 06:46:33 -0600, Walt Farrell wrote:

> It could:
> (b) use a UNIX spawn() or fork()/exec() to run an authorized program in a
> different address space; or

PITA.  If only BPX1EXM provided a facility for the parent to specify
DDNAME allocations in the forked child it would be much better.

I suppose an authorized wrapper could perform the function.  But
it would need to validate its arguments thoroughly, of course.

-- gil



Re: Authorized Rexx Assembler Function

2010-12-28 Thread Lindy Mayfield
By asking these questions, I'm only curious, learning, and want to know as much 
about z/OS as I can.  Having said that...

What exactly happens to cause an authorized Rexx assembler function to be 
un-authorized, even if AC(1) and run from an authorized library?  Do you 
manipulate the JSCBAUTH?  Do you somehow mark the library as unauthorized?  (or 
is that the same thing?)  Or is this simply a part of TSO?  Then why not let me 
simply add it to the IKJTSOxx?

(I realize that some or all of the above shows a lack of knowledge about TSO 
and authorized stuff.)

And if you know, why was it designed this way?

Thank you!
Lindy


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Peter 
Relson [rel...@us.ibm.com]
Sent: 23 December 2010 16:00
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

> Call an SVC that flips the JSCBAUTH bit back on.

DO NOT DO THIS. In the general case there is no way to do this without
introducing system integrity problems.

And also do not use an SVC to return control to an unauthorized caller in
an authorized state.

Peter Relson
z/OS Core Technology Design



Re: Authorized Rexx Assembler Function

2010-12-28 Thread Hayim Sokolsky
The short version goes like this, at least it used to work this way. It 
probably still does.

IKJEFT01 (the READY prompt) is authorized. For every command that is 
run, it attaches IKJEFT02 to process the command. IKJEFT02 in turn checks 
to see if the command being run is in the authorized command list in 
IKJTSOxx. If it is, it directly attaches the command, which is still 
authorized. If it is not in the table, it attaches IKJEFT09 to attach the 
command. IKJEFT09 is unauthorized, and therefore the command can not be 
authorized.

IKJEFT01 (authorized)
  --attach--> IKJEFT02 (authorized)
    --attach--> command (authorized)

IKJEFT01 (authorized)
  --attach--> IKJEFT02 (authorized)
    --attach--> IKJEFT09 (non-authorized)
      --attach--> command (non-authorized)



Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760

Tel. (813) 470-2177

IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu wrote on 2010.12.28 
14:51:07:

> By asking these questions, I'm only curious, learning, and want to
> know as much about z/OS as I can.  Having said that...
>
> What exactly happens to cause an authorized Rexx assembler function
> to be un-authorized, even if AC(1) and run from an authorized
> library?  Do you manipulate the JSCBAUTH?  Do you somehow mark the
> library as unauthorized?  (or is that the same thing?)  Or is this
> simply a part of TSO?  Then why not let me simply add it to the
> IKJTSOxx?
>
> (I realize that some or all of the above shows a lack of knowledge
> about TSO and authorized stuff.)
>
> And if you know, why was it designed this way?
>
> Thank you!
> Lindy
 
 
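The attach chain Hayim describes above, together with the inheritance rules in Walt Farrell's reply earlier on the page (authorization is only ever inherited from an already-authorized parent; a Rexx function runs inside the exec's own unauthorized environment; IKJEFTSR is the way back into the TMP's command path), as a small Python model. This is an added example, not code from the thread or from IBM; the program attributes, the load-module names MYFUNC and MYEXEC, and the treatment of IKJEFTSR as simply restarting the TMP's command processing are assumptions made for illustration.

```python
"""Constructed model (not IBM code) of how APF authorization propagates
under the TSO TMP, following the rules stated in the thread:

  1. A program runs authorized only when attached by a task that is already
     authorized, and only if it is link-edited AC(1) and fetched from an
     APF-authorized library. CALL/LINK/ATTACH/XCTL all follow this rule.
  2. IKJEFT02 attaches a command directly when it is in the IKJTSOxx
     authorized command table; otherwise it goes through IKJEFT09, which is
     unauthorized, so nothing attached below it can be authorized.
  3. A Rexx function is invoked inside the exec's own environment, so it
     inherits that environment's (unauthorized) state. Only IKJEFTSR hands
     the request back to the TMP, where the table is honoured again.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    ac1: bool = False          # link-edited with AC(1)
    apf_library: bool = False  # fetched from an APF-authorized library


@dataclass
class Task:
    program: str
    authorized: bool
    parent: Task | None = None

    def path(self) -> str:
        """Render the attach chain root-first, e.g. 'IKJEFT01(auth) -> ...'."""
        steps, t = [], self
        while t is not None:
            steps.append(f"{t.program}({'auth' if t.authorized else 'unauth'})")
            t = t.parent
        return " -> ".join(reversed(steps))


def attach(parent: Task, prog: Program) -> Task:
    # Rule 1: authorization is inherited, never acquired.
    return Task(prog.name, parent.authorized and prog.ac1 and prog.apf_library, parent)


# The TMP pieces as the thread describes them (attributes are assumptions).
IKJEFT01 = Program("IKJEFT01", ac1=True, apf_library=True)
IKJEFT02 = Program("IKJEFT02", ac1=True, apf_library=True)
IKJEFT09 = Program("IKJEFT09", ac1=False, apf_library=True)  # the deliberate break


def run_tso_command(cmd: Program, authcmd_table: frozenset[str]) -> Task:
    """Rule 2: READY -> IKJEFT02 -> command, or READY -> IKJEFT02 -> IKJEFT09 -> command."""
    ready = Task(IKJEFT01.name, authorized=True)  # the TMP itself is authorized
    eft02 = attach(ready, IKJEFT02)
    if cmd.name in authcmd_table:
        return attach(eft02, cmd)
    return attach(attach(eft02, IKJEFT09), cmd)


def call_rexx_function(exec_task: Task, func: Program) -> Task:
    """Rule 3: the function runs in the exec's environment; no table lookup happens."""
    return attach(exec_task, func)


def invoke_via_ikjeftsr(exec_task: Task, cmd: Program, authcmd_table: frozenset[str]) -> Task:
    """Rule 3, second half: IKJEFTSR re-enters the TMP's command path, so the
    IKJTSOxx table applies exactly as for a command typed at READY.
    (Assumption: modelled as a fresh chain starting at the TMP.)"""
    return run_tso_command(cmd, authcmd_table)


# Constructed sample: one load module built AC(1) in an APF library, used four ways.
MYFUNC = Program("MYFUNC", ac1=True, apf_library=True)
TABLE = frozenset({"MYFUNC"})
MYEXEC = Program("MYEXEC")  # an ordinary interpreted Rexx exec, not in the table


def scenarios() -> dict[str, Task]:
    exec_task = run_tso_command(MYEXEC, TABLE)  # how the exec itself gets control
    return {
        "command, in IKJTSOxx": run_tso_command(MYFUNC, TABLE),
        "command, not in IKJTSOxx": run_tso_command(MYFUNC, frozenset()),
        "Rexx function call": call_rexx_function(exec_task, MYFUNC),
        "Rexx via IKJEFTSR": invoke_via_ikjeftsr(exec_task, MYFUNC, TABLE),
    }


if __name__ == "__main__":
    for label, task in scenarios().items():
        print(f"{label:26} {task.path()}")
```

The same load module comes out authorized when it is reached through IKJEFT02's table check and unauthorized when it is reached as a function from the exec's task, which is the asymmetry the thread is about: the module's AC(1) and APF library status never changes, only the parent it is attached from does.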


Re: Authorized Rexx Assembler Function

2010-12-28 Thread Lindy Mayfield
Thank you, Hayim.  That makes sense.

I guess the even shorter version is that if it isn't in IKJTSOxx it won't run 
authorized.  

It doesn't, at least to me yet, explain why a Rexx assembler function won't run 
authorized, even if it meets all the criteria of a TSO command: APF, in IKJTSOxx.

Lindy

From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Hayim 
Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 22:18
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

The short version goes like this, at least it used to work this way. It
probably still does.

IKJEFT01 (the READY prompt) is authorized. For every command that is
run, it attaches IKJEFT02 to process the command. IKJEFT02 in turn checks
to see if the command being run is in the authorized command list in
IKJTSOxx. If it is, it directly attaches the command, which is still
authorized. If it is not in the table, it attaches IKJEFT09 to attach the
command. IKJEFT09 is unauthorized, and therefore the command can not be
authorized.

IKJEFT01 (authorized)
  --attach--> IKJEFT02 (authorized)
    --attach--> command (authorized)

IKJEFT01 (authorized)
  --attach--> IKJEFT02 (authorized)
    --attach--> IKJEFT09 (non-authorized)
      --attach--> command (non-authorized)



Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760

Tel. (813) 470-2177



Re: Authorized Rexx Assembler Function

2010-12-28 Thread Hayim Sokolsky
Lindy,

The function is NOT invoked as COMMAND. Therefore it can't be APF.


Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760

Tel. (813) 470-2177

IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu wrote on 2010.12.28 
15:34:48:

> Thank you, Hayim.  That makes sense.
>
> I guess the even shorter version is that if it isn't in IKJTSOxx it
> won't run authorized.
>
> It doesn't, at least to me yet, explain why a Rexx assembler
> function won't run authorized, even if it meets all the criteria of
> a TSO command: APF, in IKJTSOxx.
>
> Lindy
 

Re: Authorized Rexx Assembler Function

2010-12-28 Thread Lindy Mayfield
How then? And why not?  Or is that another stupid question of mine?

But oh I know exactly what you mean in one context.  It is trivial to write a 
command that uses IKJCT441 to update Rexx variables and call it from a Rexx 
program. 

Lindy


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Hayim 
Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 23:01
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

Lindy,

The function is NOT invoked as COMMAND. Therefore it can't be APF.


Hayim
_
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760

Tel. (813) 470-2177


Re: Authorized Rexx Assembler Function

2010-12-28 Thread Ray Overby

By architecture, REXX functions are executed in an environment where:

- The PSW key is 8
- The PSW indicates problem state
- The JSCBAUTH bit is zero.

When the JSCBAUTH bit is zero the MODESET macro will get a S047 abend 
when executed. Therefore rexx functions cannot get into an authorized 
state using MODESET. This should eliminate the possibility of directly 
coding the authorized code in the rexx function unless you bypass z/OS 
system integrity. To get into an authorized state should require use of 
an SVC, a PC routine, or the IKJEFTSR TSO function.


There are probably some items I am leaving out but you need to 
understand the environment the rexx functions get control in. That will 
dictate what options you have for doing something authorized. I hope 
this helps.





On 12/28/2010 15:03 PM, Lindy Mayfield wrote:

> How then? And why not?  Or is that another stupid question of mine?
>
> But oh I know exactly what you mean in one context.  It is trivial to write a
> command that uses IKJCT441 to update Rexx variables and call it from a Rexx
> program.
>
> Lindy


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Hayim 
Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 23:01
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

Lindy,

The function is NOT invoked as COMMAND. Therefore it can't be APF.


Hayim
_
Hayim Sokolsky, CISSP
 Mainframe Security Architect
 DTCC Corporate Information Security
 18301 Bermuda Green Dr, MS 1-CIS
 Tampa FL 33647-1760

 Tel. (813) 470-2177

IBM Mainframe Discussion ListIBM-MAIN@bama.ua.edu  wrote on 2010.12.28
15:34:48:


Thank you, Hayim.  That makes sense.

I guess the even shorter version is that if it isn't in IKJTSOxx it
won't run authorized.

It doesn't, at least to me  yet, explain why a Rexx assembler
function, even if it meets all the criteria of a TSO command, APF,
in IKJTSOxx, that it won't run authorized.

Lindy

From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf
Of Hayim Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 22:18
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

The short version goes like this, at least it used to work this way. It
probably still does.

IKJEFT01 (the READY prompt) is authorized. For every command that is
run, it attaches IKJEFT02 to process the command. IKJEFT02 in turn checks
to see if the command being run is in the authorized command list in
IKJTSOxx. If it is, it directly attaches the command, which is still
authorized. If it is not in the table, it attaches IKJEFT09 to attach the
command. IKJEFT09 is unauthorized, and therefore the command can not be
authorized.

IKJEFT01 (authorized)
--attach--  IKJEFT02 (authorized)
 --attach--  command (authorized)

IKJEFT01 (authorized)
--attach--  IKJEFT02 (authorized)
 --attach--  IKJEFT09 (non-authorized)
 --attach--  command (non-authorized)



Hayim
_
Hayim Sokolsky, CISSP
 Mainframe Security Architect
 DTCC Corporate Information Security
 18301 Bermuda Green Dr, MS 1-CIS
 Tampa FL 33647-1760

 Tel. (813) 470-2177

IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu> wrote on 2010.12.28 14:51:07:


By asking these questions, I'm only curious, learning, and want to
know as much about z/OS as I can.  Having said that...

What exactly happens to cause an authorized Rexx assembler function
to be un-authorized, even if AC(1) and run from an authorized
library?  Do you manipulate the JSCBAUTH?  Do you somehow mark the
library as unauthorized?  (or is that the same thing?)  Or is this
simply a part of TSO?  Then why not let me simply add it to the
IKJTSOxx?

(I realize that some or all of the above shows a lack of knowledge
about TSO and authorized stuff.)

And if you know, why was it designed this way?

Thank you!
Lindy


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf
Of Peter Relson [rel...@us.ibm.com]
Sent: 23 December 2010 16:00
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function


Call an SVC that flips the JSCBAUTH bit back on.

DO NOT DO THIS. In the general case there is no way to do this without
introducing system integrity problems.

And also do not use an SVC to return control to an unauthorized caller in
an authorized state.

Peter Relson
z/OS Core Technology Design


Re: Authorized Rexx Assembler Function

2010-12-28 Thread Farley, Peter x23353
Here's some wild speculation that I can't test (no access to IKJTSOxx), so 
please be gentle.

If you have the REXX compiler and you use the compiler to create a REXX load 
module and you authorize that load module and store it in an APF-authorized 
library and specify that load module name in IKJTSOxx, would that compiled REXX 
get control in an authorized state when invoked as a command?  And if so, would 
an authorized assembler subroutine dynamically invoked (LINKPGM or LINKMVS) by 
the REXX load module also be invoked in an authorized state?

Or would the LINKPGM/LINKMVS mechanism wind up causing authorization to be lost?

Peter

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
 Behalf Of Ray Overby
 Sent: Tuesday, December 28, 2010 5:13 PM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Authorized Rexx Assembler Function
 
 By architecture, REXX functions are executed in an environment where:
 
 -The psw key is 8
 -The psw indicates problem state
 -The JSCBAUTH bit is zero.
 
 When the JSCBAUTH bit is zero the MODESET macro will get a S047 abend
 when executed. Therefore rexx functions cannot get into an authorized
 state using MODESET. This should eliminate the possibility of directly
 coding the authorized code in the rexx function unless you bypass z/OS
 system integrity. To get into an authorized state should require use of
 a SVC, a PC routine, or the IKJEFTSR TSO function.
 
 There are probably some items I am leaving out but you need to
 understand the environment the rexx functions get control in. That will
 dictate what options you have for doing something authorized. I hope
 this helps.




Re: Authorized Rexx Assembler Function

2010-12-28 Thread Lindy Mayfield
I am sorry, I only mean to educate myself.  You explain the behavior, IMHO, but 
you don't say why.  OR you said why and I didn't get it.

Why can I not create a Rexx function that is authorized?  (I do NOT want to, 
I'm just curious.  I KNOW  how to make it happen in various ways, some that 
violate system integrity, and some that don't).

Lindy

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Ray Overby
Sent: Wednesday, December 29, 2010 12:13 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

By architecture, REXX functions are executed in an environment where:

-The psw key is 8
-The psw indicates problem state
-The JSCBAUTH bit is zero.

When the JSCBAUTH bit is zero the MODESET macro will get a S047 abend when 
executed. Therefore rexx functions cannot get into an authorized state using 
MODESET. This should eliminate the possibility of directly coding the 
authorized code in the rexx function unless you bypass z/OS system integrity. 
To get into an authorized state should require use of a SVC, a PC routine, or 
the IKJEFTSR TSO function.

There are probably some items I am leaving out but you need to understand the 
environment the rexx functions get control in. That will dictate what options 
you have for doing something authorized. I hope this helps.




On 12/28/2010 15:03 PM, Lindy Mayfield wrote:
 How then? And why not?  Or is that another stupid question of mine?

 But oh I know exactly what you mean in one context.  It is trivial to write a 
 command that uses IKJCT441 to update Rexx variables and call it from a Rexx 
 program.

 Lindy

 
 From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf 
 Of Hayim Sokolsky [hsokol...@dtcc.com]
 Sent: 28 December 2010 23:01
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Authorized Rexx Assembler Function

 Lindy,

 The function is NOT invoked as COMMAND. Therefore it can't be APF.


 Hayim
 _
 Hayim Sokolsky, CISSP
  Mainframe Security Architect
  DTCC Corporate Information Security
  18301 Bermuda Green Dr, MS 1-CIS
  Tampa FL 33647-1760

  Tel. (813) 470-2177

 IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu> wrote on 2010.12.28 15:34:48:

 Thank you, Hayim.  That makes sense.

 I guess the even shorter version is that if it isn't in IKJTSOxx it 
 won't run authorized.

 It doesn't, at least to me  yet, explain why a Rexx assembler 
 function, even if it meets all the criteria of a TSO command, APF, in 
 IKJTSOxx, that it won't run authorized.

 Lindy
 
 From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf 
 Of Hayim Sokolsky [hsokol...@dtcc.com]
 Sent: 28 December 2010 22:18
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Authorized Rexx Assembler Function

 The short version goes like this, at least it used to work this way. 
 It probably still does.

 IKJEFT01 (the READY prompt) is authorized. For every command that 
 is run, it attaches IKJEFT02 to process the command. IKJEFT02 in turn checks
 to see if the command being run is in the authorized command list in 
 IKJTSOxx. If it is, it directly attaches the command, which is still 
 authorized. If it is not in the table, it attaches IKJEFT09 to attach the
 command. IKJEFT09 is unauthorized, and therefore the command can not 
 be authorized.

 IKJEFT01 (authorized)
 --attach--  IKJEFT02 (authorized)
  --attach--  command (authorized)

 IKJEFT01 (authorized)
 --attach--  IKJEFT02 (authorized)
  --attach--  IKJEFT09 (non-authorized)
  --attach--  command (non-authorized)



 Hayim
 _
 Hayim Sokolsky, CISSP
  Mainframe Security Architect
  DTCC Corporate Information Security
  18301 Bermuda Green Dr, MS 1-CIS
  Tampa FL 33647-1760

  Tel. (813) 470-2177

 IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu> wrote on 2010.12.28 14:51:07:

 By asking these questions, I'm only curious, learning, and want to 
 know as much about z/OS as I can.  Having said that...

 What exactly happens to cause an authorized Rexx assembler function 
 to be un-authorized, even if AC(1) and run from an authorized 
 library?  Do you manipulate the JSCBAUTH?  Do you somehow mark the 
 library as unauthorized?  (or is that the same thing?)  Or is this 
 simply a part of TSO?  Then why not let me simply add it to the
 IKJTSOxx?
 (I realize that some or all of the above shows a lack of knowledge 
 about TSO and authorized stuff.)

 And if you know, why was it designed this way?

 Thank you!
 Lindy

 
 From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf 
 Of Peter Relson [rel...@us.ibm.com]
 Sent: 23 December 2010 16:00
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Authorized Rexx Assembler Function

 Call an SVC that flips
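
The environment Ray describes for a REXX function and the attach chain Hayim describes, both quoted above, as an added model in Python that is not from the thread or from IBM: it encodes only the rules those two posts state plus the IKJEFTSR route from Lindy's list. Assumptions made here and labelled in the code: a task inherits JSCBAUTH only when attached by an authorized parent from an APF module (a simplification), the service facility gates on an IKJTSOxx program list, and all table entries and program names are constructed.

```python
"""Teaching model of how TSO propagates APF authorization down the ATTACH
chain, and why a REXX function never gets it.  Constructed model, not IBM
code: it encodes the rules stated in the thread and nothing more."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskState:
    """The three things the thread says define an authorized environment."""
    name: str
    key: int           # PSW key; 8 is the user key
    supervisor: bool   # PSW state; False means problem state
    jscbauth: bool     # the JSCBAUTH bit


class Abend(Exception):
    """Models an abnormal end; `code` is the system completion code."""

    def __init__(self, code: str, detail: str):
        super().__init__(f"ABEND {code}: {detail}")
        self.code = code


# Constructed IKJTSOxx authorized-command / authorized-program lists for the
# model.  The names are sample values, not real PARMLIB entries.
AUTHCMD = frozenset({"MYAUTHCM"})
AUTHPGM = frozenset({"MYAUTHPG"})


def attach(parent: TaskState, name: str, apf_module: bool) -> TaskState:
    """ATTACH in the model.  Simplification assumed here: the new task is
    authorized only when its parent is authorized AND the module is AC(1)
    from an APF library.  Every task starts in key 8, problem state; only
    MODESET changes that, and only JSCBAUTH permits MODESET."""
    return TaskState(name, key=8, supervisor=False,
                     jscbauth=parent.jscbauth and apf_module)


def modeset(task: TaskState, key: int = 0, supervisor: bool = True) -> TaskState:
    """MODESET as Ray describes it: with JSCBAUTH off it abends S047."""
    if not task.jscbauth:
        raise Abend("S047", f"{task.name} issued MODESET with JSCBAUTH off")
    return TaskState(task.name, key, supervisor, jscbauth=True)


def ready_prompt() -> TaskState:
    """IKJEFT01, the READY prompt, is authorized."""
    return TaskState("IKJEFT01", key=8, supervisor=False, jscbauth=True)


def run_tso_command(command: str, apf_module: bool = True,
                    authcmd: frozenset = AUTHCMD) -> list:
    """Walks the attach chain Hayim describes for one command typed at READY
    and returns every task on it, READY first, the command last."""
    chain = [ready_prompt()]
    chain.append(attach(chain[-1], "IKJEFT02", apf_module=True))
    if command in authcmd:
        # Listed in IKJTSOxx: IKJEFT02 attaches the command directly.
        chain.append(attach(chain[-1], command, apf_module))
    else:
        # Not listed: IKJEFT09 (unauthorized) is attached to attach the
        # command, so the command cannot be authorized however it was linked.
        chain.append(attach(chain[-1], "IKJEFT09", apf_module=False))
        chain.append(attach(chain[-1], command, apf_module))
    return chain


def rexx_function_env(function: str) -> TaskState:
    """A REXX function gets control in key 8, problem state, JSCBAUTH off,
    whatever its load module's AC value and library are."""
    return TaskState(function, key=8, supervisor=False, jscbauth=False)


def ikjeftsr(caller: TaskState, program: str,
             authpgm: frozenset = AUTHPGM) -> tuple:
    """The route the thread recommends: the unauthorized caller asks the
    TSO/E service facility (modelled as an authorized task) to run a named
    program.  Assumption in the model: the program runs authorized only if
    the IKJTSOxx list names it.  The caller gets results back, never an
    authorized state, so its own TaskState is returned untouched."""
    facility = TaskState("IKJEFTSR", key=8, supervisor=False, jscbauth=True)
    program_task = attach(facility, program, apf_module=program in authpgm)
    return caller, program_task


if __name__ == "__main__":
    for cmd in ("MYAUTHCM", "MYUNLIST"):
        print(" -> ".join(f"{t.name}({'auth' if t.jscbauth else 'unauth'})"
                          for t in run_tso_command(cmd)))
    func = rexx_function_env("MYFUNC")
    try:
        modeset(func)
    except Abend as exc:
        print(exc)
    caller, prog = ikjeftsr(func, "MYAUTHPG")
    print(f"{prog.name} jscbauth={prog.jscbauth}; caller jscbauth={caller.jscbauth}")
```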

Re: Authorized Rexx Assembler Function

2010-12-28 Thread Robert A. Rosenberg
At 13:25 -0500 on 12/25/2010, Tom Russell wrote about Re: Authorized 
Rexx Assembler Function:



 Date:Fri, 24 Dec 2010 08:54:10 -0600

From:Dana Mitchell mitchd...@gmail.com
Subject: Re: Authorized Rexx Assembler Function



On Thu, 23 Dec 2010 21:40:27 -0500, Robert A. Rosenberg
hal9...@panix.com wrote:


As to the need for a Magic SVC, I may be wrong but I have a vague
memory of an IBM supplied program (possibly in the MVS days) that had

 (or needed) a Magic SVC to do one of its functions.



Dana

SPF shipped SPFCOPY, which was a magic SVC that allowed IEBCOPY run in the
foreground to allow a PDS Compress in TSO/SPF 3.something.  The code had
limited checking, in that it purported to check that the caller was in
LPA.  This check could be spoofed when MVS/XA came out. The program became
obsolete when IBM formally allowed authorized programs to run in TSO.

regards, Tom

Tom Russell


Thank you for verifying my memory. That was the program and use I 
was thinking of.




Re: Authorized Rexx Assembler Function

2010-12-28 Thread Bruce Hewson
I do remember using a magic SVC to manipulate the JSCBAUTH bit.

but this was not a production environment... in fact it was running MVS guests 
under VM, and then running NETVIEW under TSO, to make use of a debug tool 
similar to the HLASM Assembler Toolkit Debugger.

Netview runs authorised... but the REXX logging exit would only process 
EXECIO commands non-authorised... so the REXX logging exit would call the 
magic SVC to turn off the JSCBAUTH bit to write log entries... then turn it back 
on...

the result was a perfect source level log of all debug activities while 
testing code changes running under Netview.


Regards
Bruce Hewson



Re: Authorized Rexx Assembler Function

2010-12-25 Thread David Stern
Once upon a time an ISV source control product halted a five 9s data centre.

The product required a STC which naturally was APFed. The STC GETMAINed in
CSA, of course pagefixed, moved code to that location, searched for an empty
entry and updated the ESR SVCtable (109 - 3/4) and finally inserted its ID
into the SSVT with the ESR number. The client (TSO) code scanned the SSVT
and finding the ESR value, called the 'magic' code to flip the JSCBAUTH. The
product used XM to transfer data but the performance was so abysmal that
many developers ATTN-tioned out of TSO leaving the ASVT entry marked as
non-reusable <sigh>. Eventually address space creation became impossible.

Just say NO.



Re: Authorized Rexx Assembler Function

2010-12-25 Thread Tom Russell
Date:Fri, 24 Dec 2010 08:54:10 -0600
From:Dana Mitchell mitchd...@gmail.com
Subject: Re: Authorized Rexx Assembler Function

On Thu, 23 Dec 2010 21:40:27 -0500, Robert A. Rosenberg 
hal9...@panix.com wrote:

As to the need for a Magic SVC, I may be wrong but I have a vague
memory of an IBM supplied program (possibly in the MVS days) that had
(or needed) a Magic SVC to do one of its functions. 

Could you possibly be thinking of an early version of SDSF?  Back when it 
was an IUP?

Dana
SPF shipped SPFCOPY, which was a magic SVC that allowed IEBCOPY run in the 
foreground to allow a PDS Compress in TSO/SPF 3.something.  The code had 
limited checking, in that it purported to check that the caller was in 
LPA.  This check could be spoofed when MVS/XA came out. The program became 
obsolete when IBM formally allowed authorized programs to run in TSO. 

regards, Tom

Tom Russell

Stay calm.  Be brave.  Wait for the signs. ─ Jasper FriendlyBear
... and remember to leave good news alone. ─ Gracie HeavyHand


Re: Authorized Rexx Assembler Function

2010-12-25 Thread Ed Gould
David:
IBM had the same issue with PSF. It caused many an IPL to get more ASIDs. IBM 
sort of (in my opinion) fixed it with the reuse of ASIDs. From rather a poor 
memory... they (IBM) did not indicate what the side effects of doing so were. Ed

--- On Sat, 12/25/10, David Stern capomaes...@attglobal.net wrote:

From: David Stern capomaes...@attglobal.net
Subject: Re: Authorized Rexx Assembler Function
To: IBM-MAIN@bama.ua.edu
Date: Saturday, December 25, 2010, 4:03 AM

Once upon a time an ISV source control product halted a five 9s data centre.

The product required a STC which naturally was APFed. The STC GETMAINed in
CSA, of course pagefixed, moved code to that location, searched for an empty
entry and updated the ESR SVCtable (109 - 3/4) and finally inserted its ID
into the SSVT with the ESR number. The client (TSO) code scanned the SSVT
and finding the ESR value, called the 'magic' code to flip the JSCBAUTH. The
product used XM to transfer data but the performance was so abysmal that
many developers ATTN-tioned out of TSO leaving the ASVT entry marked as
non-reusable <sigh>. Eventually address space creation became impossible.

Just say NO.







Re: Authorized Rexx Assembler Function

2010-12-24 Thread Binyamin Dissen
On Fri, 24 Dec 2010 08:16:27 +0930 Anthony Thompson
anthony.thomp...@nt.gov.au wrote:

:Type 1/6 can't XCTL either, so I suspect not, let alone the associated 
fastauth exit. You're welcome to try tho.

Don't see any connection between FASTAUTH and XCTL, and FASTAUTH is documented
as being callable in locked mode. Even the old FRACHECK used a branch entry.

:-Original Message-
:From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf 
Of Binyamin Dissen
:Sent: Friday, 24 December 2010 8:09 AM
:To: IBM-MAIN@bama.ua.edu
:Subject: Re: Authorized Rexx Assembler Function
:
:On Fri, 24 Dec 2010 07:50:12 +0930 Anthony Thompson
:anthony.thomp...@nt.gov.au wrote:
:
::I'll just point out that Type 1 and Type 6 SVC's cannot themselves issue 
SVC calls (i.e. call RACF). Doesn't matter if your SVC just lives in LPA.
:
:They can't do FASTAUTH?

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar  Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.



Re: Authorized Rexx Assembler Function

2010-12-24 Thread Shmuel Metz (Seymour J.)
In
45b7288bec7648468f3309472e0f960db8856d9...@emdpb-es1.prod.main.ntgov,
on 12/24/2010
   at 07:50 AM, Anthony Thompson anthony.thomp...@nt.gov.au said:

I'll just point out that Type 1 and Type 6 SVC's cannot themselves
issue SVC calls (i.e. call RACF). 

Isn't there a system linkage for SAF that a type 6 SVC can use?
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Authorized Rexx Assembler Function

2010-12-24 Thread Dana Mitchell
On Thu, 23 Dec 2010 21:40:27 -0500, Robert A. Rosenberg 
hal9...@panix.com wrote:

As to the need for a Magic SVC, I may be wrong but I have a vague
memory of an IBM supplied program (possibly in the MVS days) that had
(or needed) a Magic SVC to do one of its functions. 

Could you possibly be thinking of an early version of SDSF?  Back when it was 
an IUP?

Dana



Re: Authorized Rexx Assembler Function

2010-12-23 Thread Peter Relson
Call an SVC that flips the JSCBAUTH bit back on. 

DO NOT DO THIS. In the general case there is no way to do this without 
introducing system integrity problems.

And also do not use an SVC to return control to an unauthorized caller in 
an authorized state.

Peter Relson
z/OS Core Technology Design



Re: Authorized Rexx Assembler Function

2010-12-23 Thread Veilleux, Jon L
Not to mention the grief you would get from your auditors

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Peter Relson
Sent: Thursday, December 23, 2010 9:00 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

Call an SVC that flips the JSCBAUTH bit back on. 

DO NOT DO THIS. In the general case there is no way to do this without 
introducing system integrity problems.

And also do not use an SVC to return control to an unauthorized caller in an 
authorized state.

Peter Relson
z/OS Core Technology Design




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Shmuel Metz (Seymour J.)
In
f393f47ecbe9fc4aa71b2a242c0b689512eff63...@hfdpmsgcms01.aeth.aetna.com,
on 12/23/2010
   at 09:15 AM, Veilleux, Jon L veilleu...@aetna.com said:

Not to mention the grief you would get from your auditors

I wish; the last time that I dealt with an auditor in that context, he
picked up an imaginary integrity exposure but failed to notice the hole
big enough to float an aircraft carrier through. I was, alas, under
orders to not point out the real exposure.

Just once I would like to encounter an auditor experienced enough to
find real problems before they can bite me, instead of reading a
worthless cookbook.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Authorized Rexx Assembler Function

2010-12-23 Thread Eric Bielefeld
Do you really think most auditors would notice something like that?  Most of 
the few auditors I worked with didn't know much about MVS, although I did 
work with one that really knew his stuff.  Of course, if you introduced 
instability to your system, the auditors would notice that, but then you'd 
have a lot more problems than just the auditors.


Eric Bielefeld
Sr. Systems Programmer
IBM Global Services Division
Dubuque, Iowa
414-477-7259


- Original Message - 
From: Veilleux, Jon L veilleu...@aetna.com




Not to mention the grief you would get from your auditors



Call an SVC that flips the JSCBAUTH bit back on.


DO NOT DO THIS. In the general case there is no way to do this without 
introducing system integrity problems.


And also do not use an SVC to return control to an unauthorized caller in 
an authorized state.


Peter Relson
z/OS Core Technology Design 




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Lindy Mayfield
Thank you as always.  I was simply exploring again the different ways of 
running authorized code from a Rexx assembler function (or a tso command called 
by it).  I wanted only to keep my list updated.

You stated very clearly when we had this discussion 2 or 3 years ago NOT to 
play with the JSCBAUTH.  As you said before, it is a recipe for disaster.  I 
wouldn't do it, but I was just curious about some of the reasons.  Just out of 
curiosity.

Why use a SVC?  Back during this discussion it was stated as one way of having 
a Rexx assembler function do some authorized stuff.  Someone said that an SVC 
or PC routine was one way.

And for sure IKJEFTSR is one good way to go.  

Lindy


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Rob 
Scott [rsc...@rocketsoftware.com]
Sent: 22 December 2010 17:33
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

Lindy

Why use an SVC?

What is wrong with IKJEFTSR?

If you *must* use a SVC to perform some sort of discrete auth-function for an 
unauth caller, then it would be responsible to provide some sort of SAF check 
to ensure the caller is allowed. I am assuming here that your SVC is returning 
to the caller in exactly the same state as when called - do NOT attempt to flip 
JSCBAUTH or any other auth-boost using an SVC regardless of SAF check being 
present or not.

Personally, I cannot imagine a good case for writing a new SVC these days.

Rob Scott
Lead Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305
Email: rsc...@rs.com
Web: www.rocketsoftware.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Lindy Mayfield
Sent: 22 December 2010 12:48
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

If I use an SVC, is this true?  If the SVC does something or returns some 
information that needs to be protected, then I need to use RACF to decide who 
can call it or who cannot?  And everyone said not to use a magic SVC, and I get 
that.  But if that SVC is also protected by RACF, is it at all a viable 
solution?

Lindy


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Rob Scott
Sent: Tuesday, April 15, 2008 7:29 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

 Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
 it is to be implemented even on a development system then added security 
 needs to be built in to make sure it isn't misused.

Do NOT go there.

It will bite you in the a** - maybe not today - but someday.


Your real options depend on whether you have a server address space or not :

(a) You have a server address space
Use PC-ss to execute auth function or to request server collect data on 
your behalf.

(b) You do not have a server address space
Use IKJEFTSR
(daylight)
Use SVC



Rob Scott
Rocket Software, Inc
275 Grove Street
Newton, MA 02466
617-614-2305
rsc...@rs.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Lindy Mayfield
Sent: 15 April 2008 17:19
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

For completeness, since I started this whole, ah, thing, I'm curious what they 
are.  Here are the techniques I've learned so far, including the one that 
violates system integrity:

__ The standard acceptable method is to call TSO/E Service Facility, IKJEFTSR 
and pass it the name of an authorized module.

__ Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
it is to be implemented even on a development system then added security needs 
to be built in to make sure it isn't misused.

__ Simply put all the authorized stuff into an SVC or PC routine.

That's all I've collected so far.  Are there more ways?

Lindy



-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Wayne Driscoll
Sent: 15. huhtikuuta 2008 17:49
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Just to expand on Walt's statement "There are only a handful of ways of getting 
a program to start running authorized, even if the module comes from an 
APF-authorized library": append "that don't violate system integrity".  Sure, there are numerous ways to 
make this work, but most of them have the side-effect that they leave the 
system in a compromised state.  In a small development system this loss of 
integrity may be acceptable, but for production, or even larger development or 
test systems, this would not be.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.


Re: Authorized Rexx Assembler Function

2010-12-23 Thread Lindy Mayfield
Actually I was talking about both the magic svc and a normal SVC that may do 
authorized code.  

I don't want to do anything.  I was simply recalling the different ways (some 
BAD) to run authorized stuff.  It started by a discussion on the Rexx list, 
someone (for whatever reason) wanted to  update the CVTUSER.

Me, I'm just curious, and want to learn things.

Lindy


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Rick 
Fochtman [rfocht...@ync.net]
Sent: 22 December 2010 23:19
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

--snip-

If I use an SVC, is this true?  If the SVC does something or returns some 
information that needs to be protected, then I need to use RACF to decide who 
can call it or who cannot?  And everyone said not to use a magic SVC, and I 
get that.  But if that SVC is also protected by RACF, is it at all a viable 
solution?


---unsnip
Any so-called Magic SVC is going to be hard to protect via RACF; the
necessary code, blocks, etc. might get rather cumbersome. Using
established APF mechanisms might be sufficient. But if you use the
established mechanisms, you can bypass any magic SVC stuff right from
the get-go. And since you and the rest of the Systems staff SHOULD be
controlling ALL non-System APF code, you should be able to exercise
complete control.

If you are returning information that needs to be protected from other
users, keeping it in your own address space should provide pretty good
security. How many common applications use cross-memory services, and
how many application programmers even understand what cross-memory
services can or cannot do?

It might be helpful if you could detail exactly what you wish to
accomplish. ??

Rick




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Lindy Mayfield
yes, i have a list and DO NOT is on it.  :-)  You guys have made that perfectly 
clear.

In my mind a magic SVC or any flipping of that bit is lazy programming.  In 
my mind I cannot think of any use for such a thing.

I apologize.  I read your last sentence many times, and it is a complex one.  
Could you explain a bit more?

I'm just asking to learn.  If I give an example, maybe you can tell me if I am 
off base.  In my mind I was thinking that an SVC may do something authorize, 
maybe a RACF check.  But it would be called only by an unauthorized assembler 
program.  


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Peter 
Relson [rel...@us.ibm.com]
Sent: 23 December 2010 16:00
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

Call an SVC that flips the JSCBAUTH bit back on.

DO NOT DO THIS. In the general case there is no way to do this without
introducing system integrity problems.

And also do not use an SVC to return control to an unauthorized caller in
an authorized state.

Peter Relson
z/OS Core Technology Design




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Lindy Mayfield
I hate to think of it, but someday you guys will be busy enjoying your 
retirements, and little boys like me will need to grow up.

:-)

Most happy of holidays to my IBM-MAIN friends. 

Merry Christmas and a Happy New Year
Lindy


From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Shmuel 
Metz (Seymour J.) [shmuel+ibm-m...@patriot.net]
Sent: 22 December 2010 15:51
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function

An SVC that checks SAF and performs a narrowly delimited function if
authorized is fine. An SVC that turns on JSCBAUTH is an invitation to
disaster.

There is a mechanism for switching an address space between authorized
and unauthorized use, but the people with enough experience to use it
safely already know about it.

--
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 



Re: Authorized Rexx Assembler Function

2010-12-23 Thread Lindy Mayfield
Why on earth would one write an SVC to put an address into authorized state 
when the SVC can do authorized stuff already?

I know that it isn't right. Everyone says very clearly NOT to do it.  Besides 
the obvious, as Peter has pointed out, it is just something that you don't do; 
it is simply violating the rules of the system.  I get that.  Maybe that is 
simply enough reason.  RACF or not.  And, in my opinion (as a complete novice), 
a sandbox is no excuse.

There was a Rexx assembler function that wrote SMF records.  And it used the 
magic SVC.  I quite easily converted it to use BPXSMF, and with all the 
proper RACF authorization.  I didn't have to make _that_ many changes.

My question was that if you have an SVC that does stuff, can it use RACF to 
check if a user has permissions?  Based on your kind replies to my query, the 
answer is yes.  

One of these days I'll write my first PC routine.  And you guys will very 
kindly help me. :-)

(I hope)

//*Lindy




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Chris Craddock
> My question was that if you have an SVC that does stuff, can it use RACF to
> check if a user has permissions?  Based on your kind replies to my query,
> the answer is yes.



Yes, it isn't just for dataset security. You can ask security questions
about any logical resource, even ones you make up yourself. RACF and ACF2
and TopSecret are all called via the same macro (RACROUTE) and they all
allow you to ask varieties of essentially the same question: "Can user X do
action Y to resource Z?" So as long as you can correctly formulate the
question you want answered in your SVC or PC routine, it doesn't matter
which underlying security manager is present. The answer that comes back is
one of yes, no, or maybe. How you interpret the answer is up to you.

And yes, if you're doing anything non-trivial, using the security manager is
a very good idea. As a sidebar comment, if you're tossing up between a PC
and an SVC, you're better off with a PC. Either way you have a non-trivial
amount of work to get it set up and manage it. You will have lots of
questions...



-- 
This email might be from the
artist formerly known as CC
(or not) You be the judge.



Re: Authorized Rexx Assembler Function

2010-12-23 Thread Anthony Thompson
I'll just point out that Type 1 and Type 6 SVCs cannot themselves issue SVC 
calls (i.e., call RACF). Doesn't matter if your SVC just lives in LPA.

Merry Solstice, Ant. Thompson
Northern Territory Government, Australia
 


Re: Authorized Rexx Assembler Function

2010-12-23 Thread Binyamin Dissen
On Fri, 24 Dec 2010 07:50:12 +0930 Anthony Thompson
anthony.thomp...@nt.gov.au wrote:

:I'll just point out that Type 1 and Type 6 SVC's cannot themselves issue SVC 
calls (i.e. call RACF). Doesn't matter if your SVC just lives in LPA.

They can't do FASTAUTH?

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.



Re: Authorized Rexx Assembler Function

2010-12-23 Thread Anthony Thompson
Type 1/6 can't XCTL either, so I suspect not, let alone the associated fastauth 
exit. You're welcome to try though.

Ant.


Re: Authorized Rexx Assembler Function

2010-12-23 Thread Lindy Mayfield
I am so so lucky to have a copy of Cannetello's book.  It is dog-eared and 
worn.  But it is mine.  I so wish he would update it.  It is a classic.  But as 
for SVC routines, he explains them quite well.



Re: Authorized Rexx Assembler Function

2010-12-23 Thread Anthony Thompson
I've never previously heard of Cannetello. Appalled by my own ignorance, I 
promptly Googled the name and discovered the following on Amazon.com.

Advanced Assembler Language and MVS Interfaces: For IBM Systems and 
Application Programmers [Paperback]
Carmine A. Cannatello (Author). 

Four used copies available, priced from $180-ish. Written back in mid-1999 so 
somewhat dated, but still looks like a very useful reference.

Ant.




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Scott Rowe
I've got over 15 years left until retirement, so I ain't goin' anywhere
anytime soon ;-(

Merry Whozawhatz and a Happy Whatchmacallit!



On Thu, Dec 23, 2010 at 4:00 PM, Lindy Mayfield
lindy.mayfi...@ssf.sas.com wrote:

> I hate to think of it, but someday you guys will be busy enjoying your
> retirements, and little boys like me will need to grow up.
>
> :-)
>
> Most happy of holidays to my IBM-MAIN friends.
>
> Merry Christmas and a Happy New Year
> Lindy





Re: Authorized Rexx Assembler Function

2010-12-23 Thread Robert A. Rosenberg
At 11:00 -0500 on 12/23/2010, Shmuel Metz (Seymour J.) wrote about 
Re: Authorized Rexx Assembler Function:



> Just once I would like to encounter an auditor experienced enough to
> find real problems before they can bite me, instead of reading a
> worthless cookbook.


Most of them that I have run into are of that incompetent type. They 
fail to have what I feel to be the primary qualification to be an 
auditor: the ability to do (or better, the experience of having done) 
the job that they are supposed to audit.


Anyone who just works off a checklist of things to look for or gripe 
about should be terminated (possibly with Extreme Prejudice <g>) 
from their assignment as soon as they show their inability to perform 
their job (IOW: you tell the Auditing Firm/Department that you want 
someone who is qualified to conduct the audit that you are paying 
for). A Financial Auditor is supposed to be a CPA, so why are 
Computer Auditors not required to be qualified System Programmers?


This is, of course, if your goal for the audit is to actually get a 
valid critique of your procedures, not just a meaningless report that 
you can wave around to say "We Were Audited and Passed" to meet some 
certification requirement. Too often the Audit is for that latter 
purpose, so the less competent the Auditor the better (so long as 
you can prove that you met the cookbook-designated criteria).




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Robert A. Rosenberg
At 22:15 +0100 on 12/23/2010, Lindy Mayfield wrote about Re: 
Authorized Rexx Assembler Function:


> Why on earth would one write an SVC to put an address into 
> authorized state when the SVC can do authorized stuff already.


Because it is simpler to have a single-function SVC to authorize 
the caller so that the caller can do what it needs to be authorized 
to do than to do all the different things that the caller needs to do 
in the SVC. This is why you write different programs rather than have a 
single one-size-fits-all program that does everything.


Note: I am not agreeing with the need for the Magic SVC but only 
answering your query about what use it can serve. It bypasses the 
need to go through the hassle and paperwork to get the processing 
program APF-authorized and placed into an APF-authorized library (all 
the Magic SVC does is place the program in the same state as it would 
be if linked and loaded as APF-authorized [ignoring any SubPool or 
Key differences]).


As to the need for a Magic SVC, I may be wrong but I have a vague 
memory of an IBM supplied program (possibly in the MVS days) that had 
(or needed) a Magic SVC to do one of its functions. I am flashing on 
it being ISPF and the need to call IEBCOPY to compress/copy PDSs 
although this impression of who it was may be wrong.




Re: Authorized Rexx Assembler Function

2010-12-23 Thread Gerhard Postpischil

On 12/23/2010 9:19 PM, Robert A. Rosenberg wrote:

> Anyone who just works off a check list of things to look for or
> gripe about should be terminated (possibly with Extreme
> Prejudice <g>) from their assignment as soon as they show their
> inability to perform their job (IOW: You tell the Auditing
> Firm/Department that you want someone who is qualified to
> conduct the audit that you are paying for). A Financial Auditor
> is supposed to be a CPA, so why are Computer Auditors not
> required to be qualified System Programmers?


Be careful what you wish for: your next auditor may have taken 
all the Microsoft courses and know everything about computer 
systems, and nag you to do things the MS way <G>



Gerhard Postpischil
Bradford, VT



Re: Authorized Rexx Assembler Function

2010-12-22 Thread Lindy Mayfield
If I use an SVC, is this true?  If the SVC does something or returns some 
information that needs to be protected, then I need to use RACF to decide who 
can call it or who cannot?  And everyone said not to use a magic SVC, and I get 
that.  But if that SVC is also protected by RACF, is it at all a viable 
solution?

Lindy


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Rob Scott
Sent: Tuesday, April 15, 2008 7:29 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

> Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
> it is to be implemented even on a development system then added security 
> needs to be built in to make sure it isn't misused.

Do NOT go there.

It will bite you in the a** - maybe not today - but someday.


Your real options depend on whether you have a server address space or not:

(a) You have a server address space
Use PC-ss to execute auth function or to request server collect data on 
your behalf.

(b) You do not have a server address space
Use IKJEFTSR
(daylight)
Use SVC



Rob Scott
Rocket Software, Inc
275 Grove Street
Newton, MA 02466
617-614-2305
rsc...@rs.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Lindy Mayfield
Sent: 15 April 2008 17:19
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

For completeness, since I started this whole, ah, thing, I'm curious what they 
are.  Here are the techniques I've learned so far, including the one that 
violates system integrity:

__ The standard acceptable method is to call TSO/E Service Facility, IKJEFTSR 
and pass it the name of an authorized module.

__ Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
it is to be implemented even on a development system then added security needs 
to be built in to make sure it isn't misused.

__ Simply put all the authorized stuff into an SVC or PC routine.

That's all I've collected so far.  Are there more ways?

Lindy



-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Wayne Driscoll
Sent: 15 April 2008 17:49
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Just to expand on Walt's statement "There are only a handful of ways of getting 
a program to start running authorized, even if the module comes from an 
APF-authorized library", append "that don't violate system integrity".  Sure, 
there are numerous ways to make this work, but most of them have the 
side-effect that they leave the system in a compromised state.  In a small 
development system this loss of integrity may be acceptable, but for 
production, or even larger development or test systems, this would not be.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.



Re: Authorized Rexx Assembler Function

2010-12-22 Thread Shmuel Metz (Seymour J.)
In 0377b9a583fd0e4aacd676ee33ee994b486ae...@sdkmail13.emea.sas.com,
on 12/22/2010
   at 01:47 PM, Lindy Mayfield lindy.mayfi...@ssf.sas.com said:

> If I use an SVC, is this true?  If the SVC does something or returns
> some information that needs to be protected, then I need to use RACF
> to decide who can call it or who cannot?  And everyone said not to
> use a magic SVC, and I get that.  But if that SVC is also protected
> by RACF, is it at all a viable solution?

An SVC that checks SAF and performs a narrowly delimited function if
authorized is fine. An SVC that turns on JSCBAUTH is an invitation to
disaster.

There is a mechanism for switching an address space between authorized
and unauthorized use, but the people with enough experience to use it
safely already know about it.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
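
Shmuel's "SVC that checks SAF and performs a narrowly delimited function if authorized" and Chris Craddock's "Can user X do action Y to resource Z?" both come down to one RACROUTE, shown here as an added HLASM example that is not code from any poster in this thread: it asks SAF whether the current user may READ a FACILITY-class resource and fails closed on the "maybe" answer. The resource name MYAPP.SMF.WRITE, the CSECT name and the save-area convention are assumptions; as Anthony Thompson points out above, a Type 1 or Type 6 SVC cannot issue this call at all.

```hlasm
*---------------------------------------------------------------------
* CHKAUTH - ask SAF "may the current user READ resource RESNAME in
*           class FACILITY?" and fail closed on anything but "yes".
* Added example for this thread, not code posted by any of its
* authors.  RESNAME (MYAPP.SMF.WRITE) is a constructed placeholder.
* Returns R15 = 0 (permit) or 8 (deny); SAF/RACF codes are kept.
*---------------------------------------------------------------------
CHKAUTH  CSECT
CHKAUTH  AMODE 31
CHKAUTH  RMODE ANY
         SAVE  (14,12)               save the caller's registers
         LR    12,15                 R15 = entry point, use as base
         USING CHKAUTH,12
         LA    15,SAVEAREA           chain our save area to caller's
         ST    13,4(,15)
         ST    15,8(,13)
         LR    13,15
*
*        Execute form; RACPARM below is the matching list form.
*        LOG=ASIS leaves auditing to the profile/SETROPTS settings.
*        WORKA= is the 512-byte work area REQUEST=AUTH requires.
         RACROUTE REQUEST=AUTH,                                        X
               CLASS='FACILITY',                                       X
               ENTITY=RESNAME,                                         X
               ATTR=READ,                                              X
               LOG=ASIS,                                               X
               WORKA=WORKAREA,                                         X
               RELEASE=1.9,                                            X
               MF=(E,RACPARM)
*
*        R15 now holds the SAF return code: 0 = yes, 4 = no decision
*        (no profile, class inactive, no security manager), 8 = no.
*        Save it with RACF's own return/reason codes for diagnostics.
         ST    15,SAFRC              SAF return code
         LA    2,RACPARM             map the RACROUTE parameter list
         USING SAFP,2
         MVC   RACFRC,SAFPRRET       RACF return code
         MVC   RACFRSN,SAFPRREA      RACF reason code
         DROP  2
*
*        Fail closed: only an explicit "yes" (0) permits the function.
*        "Maybe" (4) is treated exactly like "no" (8).
         LTR   15,15                 SAF RC zero?
         BZ    DONE                  yes: R15 = 0, permit
         LA    15,8                  4 or 8: deny
DONE     L     13,4(,13)             back to the caller's save area
         RETURN (14,12),RC=(15)      restore R14,R0-R12, keep R15
*
SAVEAREA DS    18F                   standard save area
SAFRC    DS    F                     SAF return code
RACFRC   DS    F                     RACF return code
RACFRSN  DS    F                     RACF reason code
WORKAREA DS    CL512                 work area for the SAF router
*        FACILITY resource names are at most 39 bytes, blank padded.
RESNAME  DC    CL39'MYAPP.SMF.WRITE' constructed placeholder profile
RACPARM  RACROUTE REQUEST=AUTH,RELEASE=1.9,MF=L   list form
*        ICHSAFP maps the parameter list (DSECT SAFP: SAFPRRET etc.)
         ICHSAFP
         END   CHKAUTH
```

The narrowly delimited function itself belongs in the caller, after CHKAUTH returns 0; nothing here touches JSCBAUTH or the caller's state.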



Re: Authorized Rexx Assembler Function

2010-12-22 Thread Rob Scott
Lindy

Why use an SVC?  

What is wrong with IKJEFTSR?

If you *must* use an SVC to perform some sort of discrete auth-function for an 
unauth caller, then it would be responsible to provide some sort of SAF check 
to ensure the caller is allowed. I am assuming here that your SVC is returning 
to the caller in exactly the same state as when called; do NOT attempt to flip 
JSCBAUTH or any other auth-boost using an SVC, regardless of whether a SAF 
check is present or not.  

Personally, I cannot imagine a good case for writing a new SVC these days. 

Rob Scott
Lead Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305
Email: rsc...@rs.com
Web: www.rocketsoftware.com 




Re: Authorized Rexx Assembler Function

2010-12-22 Thread Rick Fochtman

--snip-


If I use an SVC, is this true?  If the SVC does something or returns some 
information that needs to be protected, then I need to use RACF to decide who 
can call it or who cannot?  And everyone said not to use a magic SVC, and I get 
that.  But if that SVC is also protected by RACF, is it at all a viable 
solution?
 


---unsnip
Any so-called Magic SVC is going to be hard to protect via RACF; the 
necessary code, blocks, etc. might get rather cumbersome. Using 
established APF mechanisms might be sufficient. But if you use the 
established mechanisms, you can bypass any magic SVC stuff right from 
the get-go. And since you and the rest of the Systems staff SHOULD be 
controlling ALL non-System APF code, you should be able to exercise 
complete control.


If you are returning information that needs to be protected from other 
users, keeping it in your own address space should provide pretty good 
security. How many common applications use cross-memory services, and 
how many application programmers even understand what cross-memory 
services can or cannot do?


It might be helpful if you could detail exactly what you wish to 
accomplish. ??


Rick



Re: Authorized Rexx Assembler Function

2008-04-28 Thread Walt Farrell
On Sun, 27 Apr 2008 20:51:39 +0200, Lindy Mayfield
[EMAIL PROTECTED] wrote:

> Not to overbeat this dead horse, but I thought I'd add another one to
> the list here of ways to call authorized commands from TSO or Rexx.
>
> By adding an authorized module name (in authorized library) to the
> IKJTSOxx AUTHCMD list and calling it from TSO or Rexx.  CALL
> *(authmodule).


I believe you would use AUTHPGM if you wanted to enable use of CALL, Lindy.
 AUTHCMD supplies the name of programs that run as command processors, not
called programs.

This approach just provides a more external way of using IKJEFTSR, by the
way, as it will get control under the covers to invoke the program.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: Authorized Rexx Assembler Function

2008-04-27 Thread Lindy Mayfield
Not to overbeat this dead horse, but I thought I'd add another one to
the list here of ways to call authorized commands from TSO or Rexx.

By adding an authorized module name (in authorized library) to the
IKJTSOxx AUTHCMD list and calling it from TSO or Rexx.  CALL
*(authmodule).

It only kinda sorta fits because it really isn't a Rexx or TSO function
per se and other than passing information to it through a file and
retrieving the results from a file (or PUTLINEs) I can't think of any
better way to interact with it.  (Nothing better than the TSO service
routine that is).

Lindy

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Edward Jaffe
Sent: 15 April 2008 20:42
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Lindy Mayfield wrote:
> For completeness, since I started this whole, ah, thing, I'm curious
> what they are.  Here are the techniques I've learned so far, including
> the one that violates system integrity:
>
> __ The standard acceptable method is to call TSO/E Service Facility,
> IKJEFTSR and pass it the name of an authorized module.
>
> __ Call an SVC that flips the JSCBAUTH bit back on.  This is
> non-standard.  If it is to be implemented even on a development system
> then added security needs to be built in to make sure it isn't
> misused.

I don't believe it's possible to add security to ensure this method 
doesn't get misused. (I'm almost sorry you posted it as an option.)

The whole issue of validating the SVC caller is a hairy one. And, the 
requirements -- for example, to not even preserve a single register or 
storage address across the call -- are onerous. But, even more of a 
problem is the idea of setting JSCBAUTH. That flag affects all TCBs in 
the job step tree. It would be a fairly trivial matter for a savvy 
programmer to ATTACH a TCB that loops waiting for this flag to be turned
on by the SVC running your code in another TCB. To protect against this,
you would essentially have to make all TCBs in the address space
non-dispatchable *before* JSCBAUTH was turned on. And, leave things that
way until after JSCBAUTH is turned off again.

This is not unlike what is done with IKJEFTSR. Your program runs under 
the authorized leg of the TMP. All unauthorized TCBs are made 
non-dispatchable while the authorized code runs.

Keep in mind that similar integrity issues apply to any action that 
offers additional privilege to unauthorized work running asynchronously 
in the address space. For example, AXSET.

 __ Simply put all the authorized stuff into an SVC or PC routine.

 That's all I've collected so far.  Are there more ways?

 Lindy
   

-- 
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/




Re: Authorized Rexx Assembler Function

2008-04-27 Thread Lindy Mayfield
I can't think of any, but Alex can, thanks.  IKJCT441.  I forgot, it has
such a memorable name.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Lindy Mayfield
Sent: 27. huhtikuuta 2008 21:52
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function


other than passing information to it through a file and
retrieving the results from a file (or PUTLINEs) I can't think of any
better way to interact with it.  




Re: Authorized Rexx Assembler Function

2008-04-16 Thread Binyamin Dissen
On Tue, 15 Apr 2008 19:15:33 -0400 Craddock, Chris [EMAIL PROTECTED]
wrote:

:Binyamin said
: :That's all I've collected so far.  Are there more ways?
 
: DEBAPFIN
 
: SVC screening.

:Pardon? Modifying the APF bit isn't going to do you any good in an
:address space that is already running since AC(1) is only relevant for
:job step tasks. You would have to already be running in key zero to
:alter it after the fact anyway, so chicken meets egg. 

It will allow you to run programs from an unauthorized library if you are
authorized.

:Likewise with SVC screening; That requires building an SVC screening
:table in LSQA and storing the address of the SVC screen table in the
:TCB, so again it would require pre-conditioning by a key zero supervisor
:state program. 

It allows a specific non-authorized task to issue MODESET without impacting
any other task.

:AFAICT the OP wants to know how to run a Rexx exec in an authorized
:state so it can in turn call compiled code that requires authorization.
:Leaving aside the advisability of doing that, if it was going to require
:a serious amount of setup ahead of time, then why not just wrap the
:necessary functions inside of a PC or SVC and be done with it?

That is the best approach.

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.




Re: Authorized Rexx Assembler Function

2008-04-16 Thread Shmuel Metz (Seymour J.)
In [EMAIL PROTECTED], on
04/15/2008
   at 06:19 PM, Lindy Mayfield [EMAIL PROTECTED] said:

__ Call an SVC that flips the JSCBAUTH bit back on.  This is
non-standard.  If it is to be implemented even on a development system
then added security needs to be built in to make sure it isn't misused.

I've yet to see one that didn't have security holes.

__ Simply put all the authorized stuff into an SVC or PC routine.

With adequate validation and security controls.

Are there more ways?

Probably; I prefer getting IBM to plug them even though that prevents me
from exploiting them.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)




Re: Authorized Rexx Assembler Function

2008-04-16 Thread Shmuel Metz (Seymour J.)
In [EMAIL PROTECTED], on
04/15/2008
   at 07:05 PM, Craddock, Chris [EMAIL PROTECTED] said:

None that can be discussed in polite company :-)

What if the discussion simply states that the details are in the part of
the PMR that only IBM can see and that I won't discuss them until the fix
has been out long enough that the hole is no longer an issue?

And, no, saying I want a pony won't budge me from that position ;-)
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Gerhard Postpischil

Tom Marchant wrote:
I don't see how it really helps on a sandbox.  What's so hard about adding 
your test library to the APF list?


There are numerous reasons, but at my last job before retirement 
I worked at an ISV writing and maintaining system utilities. 
They had a library of all IBM documentation, and the ISV's 
products, but nothing else was documented. I had to find tape 
drive generics and addresses by word of mouth; there were some 
IBM and CBT add-ons, but not documented, so I had to discover 
them by trial and error!


Of necessity we were privileged to do just about anything, but 
anything that smacked of a system change, unless required to run 
a product, was a no-no. I guess they wanted to keep the system 
as close to vanilla as possible? The systems group wasn't really 
supportive unless you had a real problem (e.g., I discovered 
an 0C4 trying to load a recovery data set in ISPF Edit; that was 
researched and fixed promptly). The work was technically 
challenging, but I've had better jobs.



Gerhard Postpischil
Bradford, VT




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Walt Farrell
On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil [EMAIL PROTECTED]
wrote:

Walt Farrell wrote:
 That would allow an authorized program to load a module from an otherwise
 unauthorized STEPLIB.  It won't let you actually start running something as
 APF authorized, though.   Getting something to start running authorized
 requires use of a function like IKJEFTSR, or TESTAUTH.

While I haven't tried this under z/OS, I can assure you that it
works quite well under all earlier systems I used it on, from
MVS to OS/390. 

Then there's something else you're doing to get the programs running that
you're not telling us about, Gerhard.  Simply creating an authorized STEPLIB
won't do it.  There are only a handful of ways of getting a program to start
running authorized, even if the module comes from an APF-authorized library.
 And using address linkpgm in REXX won't do it.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Wayne Driscoll
Just to expand on Walt's statement "There are only a handful of ways of
getting a program to start running authorized, even if the module comes
from an APF-authorized library", append "that don't violate system
integrity."  Sure, there are numerous ways
to make this work, but most of them have the side-effect that they leave the
system in a compromised state.  In a small development system this loss of
integrity may be acceptable, but for production, or even larger development
or test systems, this would not be.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.



-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Walt Farrell
Sent: Tuesday, April 15, 2008 9:03 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil [EMAIL PROTECTED]
wrote:

Walt Farrell wrote:
 That would allow an authorized program to load a module from an otherwise
 unauthorized STEPLIB.  It won't let you actually start running something as
 APF authorized, though.   Getting something to start running authorized
 requires use of a function like IKJEFTSR, or TESTAUTH.

While I haven't tried this under z/OS, I can assure you that it
works quite well under all earlier systems I used it on, from
MVS to OS/390. 

Then there's something else you're doing to get the programs running that
you're not telling us about, Gerhard.  Simply creating an authorized STEPLIB
won't do it.  There are only a handful of ways of getting a program to start
running authorized, even if the module comes from an APF-authorized library.
 And using address linkpgm in REXX won't do it.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Lindy Mayfield
For completeness, since I started this whole, ah, thing, I'm curious
what they are.  Here are the techniques I've learned so far, including
the one that violates system integrity:

__ The standard acceptable method is to call TSO/E Service Facility,
IKJEFTSR and pass it the name of an authorized module.

__ Call an SVC that flips the JSCBAUTH bit back on.  This is
non-standard.  If it is to be implemented even on a development system
then added security needs to be built in to make sure it isn't misused.

__ Simply put all the authorized stuff into an SVC or PC routine.

That's all I've collected so far.  Are there more ways?

Lindy



-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Wayne Driscoll
Sent: 15. huhtikuuta 2008 17:49
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Just to expand on Walt's statement "There are only a handful of ways of
getting a program to start running authorized, even if the module comes
from an APF-authorized library", append "that don't violate system
integrity."  Sure, there are numerous ways to make this work, but most of
them have the side-effect that they leave the system in a compromised
state.  In a small development system this loss of integrity may be
acceptable, but for production, or even larger development or test
systems, this would not be.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Rob Scott
 Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
 it is to be implemented even on a development system then added security 
 needs to be built in to make sure it isn't misused.

Do NOT go there.

It will bite you in the a** - maybe not today - but someday.


Your real options depend on whether you have a server address space or not:

(a) You have a server address space
Use PC-ss to execute auth function or to request server collect data on 
your behalf.

(b) You do not have a server address space
Use IKJEFTSR
(daylight)
Use SVC



Rob Scott
Rocket Software, Inc
275 Grove Street
Newton, MA 02466
617-614-2305
[EMAIL PROTECTED]


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of 
Lindy Mayfield
Sent: 15 April 2008 17:19
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

For completeness, since I started this whole, ah, thing, I'm curious what they 
are.  Here are the techniques I've learned so far, including the one that 
violates system integrity:

__ The standard acceptable method is to call TSO/E Service Facility, IKJEFTSR 
and pass it the name of an authorized module.

__ Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
it is to be implemented even on a development system then added security needs 
to be built in to make sure it isn't misused.

__ Simply put all the authorized stuff into an SVC or PC routine.

That's all I've collected so far.  Are there more ways?

Lindy



-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of 
Wayne Driscoll
Sent: 15. huhtikuuta 2008 17:49
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Just to expand on Walt's statement "There are only a handful of ways of getting 
a program to start running authorized, even if the module comes from an 
APF-authorized library", append "that don't violate system integrity."  Sure, 
there are numerous ways to 
make this work, but most of them have the side-effect that they leave the 
system in a compromised state.  In a small development system this loss of 
integrity may be acceptable, but for production, or even larger development or 
test systems, this would not be.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Edward Jaffe

Lindy Mayfield wrote:

For completeness, since I started this whole, ah, thing, I'm curious
what they are.  Here are the techniques I've learned so far, including
the one that violates system integrity:

__ The standard acceptable method is to call TSO/E Service Facility,
IKJEFTSR and pass it the name of an authorized module.

__ Call an SVC that flips the JSCBAUTH bit back on.  This is
non-standard.  If it is to be implemented even on a development system
then added security needs to be built in to make sure it isn't misused.
  


I don't believe it's possible to add security to ensure this method 
doesn't get misused. (I'm almost sorry you posted it as an option.)


The whole issue of validating the SVC caller is a hairy one. And, the 
requirements -- for example, to not even preserve a single register or 
storage address across the call -- are onerous. But, even more of a 
problem is the idea of setting JSCBAUTH. That flag affects all TCBs in 
the job step tree. It would be a fairly trivial matter for a savvy 
programmer to ATTACH a TCB that loops waiting for this flag to be turned 
on by the SVC running your code in another TCB. To protect against this, 
you would essentially have to make all TCBs in the address space 
non-dispatchable *before* JSCBAUTH was turned on. And, leave things that 
way until after JSCBAUTH is turned off again.


This is not unlike what is done with IKJEFTSR. Your program runs under 
the authorized leg of the TMP. All unauthorized TCBs are made 
non-dispatchable while the authorized code runs.


Keep in mind that similar integrity issues apply to any action that 
offers additional privilege to unauthorized work running asynchronously 
in the address space. For example, AXSET.



__ Simply put all the authorized stuff into an SVC or PC routine.

That's all I've collected so far.  Are there more ways?

Lindy
  


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Binyamin Dissen
On Tue, 15 Apr 2008 18:19:08 +0200 Lindy Mayfield [EMAIL PROTECTED]
wrote:

:For completeness, since I started this whole, ah, thing, I'm curious
:what they are.  Here are the techniques I've learned so far, including
:the one that violates system integrity:

:__ The standard acceptable method is to call TSO/E Service Facility,
:IKJEFTSR and pass it the name of an authorized module.

:__ Call an SVC that flips the JSCBAUTH bit back on.  This is
:non-standard.  If it is to be implemented even on a development system
:then added security needs to be built in to make sure it isn't misused.

:__ Simply put all the authorized stuff into an SVC or PC routine.

:That's all I've collected so far.  Are there more ways?

DEBAPFIN

SVC screening.

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Paul Gilmartin
On Tue, 15 Apr 2008 18:19:08 +0200, Lindy Mayfield wrote:

That's all I've collected so far.  Are there more ways?

BPX1EXM

-- gil




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Craddock, Chris
 __ The standard acceptable method is to call TSO/E Service Facility,
 IKJEFTSR and pass it the name of an authorized module.

This is the simplest way to run an authorized command and it has the
virtue that all of the other tasks in the address space are frozen while
you're doing your thing, so it is quite a bit safer and less complicated
than rolling your own via an SVC or PC.

 __ Call an SVC that flips the JSCBAUTH bit back on.  This is
 non-standard.  If it is to be implemented even on a development system
 then added security needs to be built in to make sure it isn't
misused.

It is impossible to do that without opening a giant hole. No amount of
security in the world can prevent that from being hacked. Abandon hope!

 __ Simply put all the authorized stuff into an SVC or PC routine.

Bingo. If you have the wherewithal to set up the SVC or PC then this is
the preferred way to go, but it still places a significant burden on you
to write your code carefully so that it doesn't end up violating
integrity or security controls anyway.

 That's all I've collected so far.  Are there more ways?

None that can be discussed in polite company :-)

CC




Re: Authorized Rexx Assembler Function

2008-04-15 Thread Craddock, Chris
Binyamin said
 :That's all I've collected so far.  Are there more ways?
 
 DEBAPFIN
 
 SVC screening.

Pardon? Modifying the APF bit isn't going to do you any good in an
address space that is already running since AC(1) is only relevant for
job step tasks. You would have to already be running in key zero to
alter it after the fact anyway, so chicken meets egg. 

Likewise with SVC screening; That requires building an SVC screening
table in LSQA and storing the address of the SVC screen table in the
TCB, so again it would require pre-conditioning by a key zero supervisor
state program. 

AFAICT the OP wants to know how to run a Rexx exec in an authorized
state so it can in turn call compiled code that requires authorization.
Leaving aside the advisability of doing that, if it was going to require
a serious amount of setup ahead of time, then why not just wrap the
necessary functions inside of a PC or SVC and be done with it?

CC




Re: Authorized Rexx Assembler Function

2008-04-15 Thread George Fogg
Pardon you? The DEBAPFIN is to mark a specific dataset APF, not the job step
task. I use that bit setting in my SVCUPDTE TSO command to add a dynamic SVC
from a library that needs to be APFed. I don't expect it to mark my job step
task to be authorized except the time I set that bit knowing the fact that
yes, I'm APF to set the bit just for the time to set DEBAPFIN in the DEB.

We have an SVC call that sets the JSCBAUTH bit and we use it on our test
systems. It's a quick way to test code that needs authorization to do
whatever. After testing, we do the legitimate thing for the code to run in an
APF library or set it up to use IKJEFTSR on Production or write a legit SVC
call. In other words, we don't use the magic SVC call in production--just
for testing. I see nothing wrong in that. The magic SVC requires the caller
to have some RACF authority and is limited to a chosen few in my shop that can
code at that level.
George Fogg

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Craddock, Chris
Sent: Tuesday, April 15, 2008 4:16 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Binyamin said
 :That's all I've collected so far.  Are there more ways?
 
 DEBAPFIN
 
 SVC screening.

Pardon? Modifying the APF bit isn't going to do you any good in an address
space that is already running since AC(1) is only relevant for job step
tasks. You would have to already be running in key zero to alter it after
the fact anyway, so chicken meets egg. 

Likewise with SVC screening; That requires building an SVC screening table
in LSQA and storing the address of the SVC screen table in the TCB, so again
it would require pre-conditioning by a key zero supervisor state program. 

AFAICT the OP wants to know how to run a Rexx exec in an authorized state so
it can in turn call compiled code that requires authorization.
Leaving aside the advisability of doing that, if it was going to require a
serious amount of setup ahead of time, then why not just wrap the necessary
functions inside of a PC or SVC and be done with it?

CC




Re: Authorized Rexx Assembler Function

2008-04-15 Thread George Fogg
Let me clarify my last post. I set the JSCBAUTH bit on our test system with
a magic SVC just to set the DEBAPFIN bit in a specific DEB in my SVCUPDTE
command. I have enough integrity to set JSCBAUTH for the duration of the amount
of code that needs to do whatever authorization I need to do then get out of
authorization mode. I don't know of anyone in my group that doesn't do the
same and I have seen their code to know they're not some jerk a** coder that
needs to be restricted to not use our JSCBPASS SVC. Again, after testing, we
code to specs for production without the magic SVC using normal conventional
service calls supported by IBM and to make our auditors happy and satisfied
that we meet all SOX/auditing requirements on production systems.
George Fogg

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of George Fogg
Sent: Tuesday, April 15, 2008 9:38 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Pardon you? The DEBAPFIN is to mark a specific dataset APF, not the job step
task. I use that bit setting in my SVCUPDTE TSO command to add a dynamic SVC
from a library that needs to be APFed. I don't expect it to mark my job step
task to be authorized except the time I set that bit knowing the fact that
yes, I'm APF to set the bit just for the time to set DEBAPFIN in the DEB.

We have an SVC call that sets the JSCBAUTH bit and we use it on our test
systems. It's a quick way to test code that needs authorization to do
whatever. After testing, we do the legitimate thing for the code to run in an
APF library or set it up to use IKJEFTSR on Production or write a legit SVC
call. In other words, we don't use the magic SVC call in production--just
for testing. I see nothing wrong in that. The magic SVC requires the caller
to have some RACF authority and is limited to a chosen few in my shop that can
code at that level.
George Fogg

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Craddock, Chris
Sent: Tuesday, April 15, 2008 4:16 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Binyamin said
 :That's all I've collected so far.  Are there more ways?
 
 DEBAPFIN
 
 SVC screening.

Pardon? Modifying the APF bit isn't going to do you any good in an address
space that is already running since AC(1) is only relevant for job step
tasks. You would have to already be running in key zero to alter it after
the fact anyway, so chicken meets egg. 

Likewise with SVC screening; That requires building an SVC screening table
in LSQA and storing the address of the SVC screen table in the TCB, so again
it would require pre-conditioning by a key zero supervisor state program. 

AFAICT the OP wants to know how to run a Rexx exec in an authorized state so
it can in turn call compiled code that requires authorization.
Leaving aside the advisability of doing that, if it was going to require a
serious amount of setup ahead of time, then why not just wrap the necessary
functions inside of a PC or SVC and be done with it?

CC




Re: Authorized Rexx Assembler Function

2008-04-14 Thread Walt Farrell
On Fri, 11 Apr 2008 16:56:56 -0400, Gerhard Postpischil [EMAIL PROTECTED]
wrote:
Oops. I completely forgot - I have a modified version of the
STEPLIB program, that has an optional APF operand to authorize
the libraries. Once that's done the authorized programs will run
correctly; it's a great time saver when debugging new or heavily
modified programs, since it can be done out of a test library.

That would allow an authorized program to load a module from an otherwise
unauthorized STEPLIB.  It won't let you actually start running something as
APF authorized, though.   Getting something to start running authorized
requires use of a function like IKJEFTSR, or TESTAUTH.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: Authorized Rexx Assembler Function

2008-04-14 Thread Gerhard Postpischil

Walt Farrell wrote:

That would allow an authorized program to load a module from an otherwise
unauthorized STEPLIB.  It won't let you actually start running something as
APF authorized, though.   Getting something to start running authorized
requires use of a function like IKJEFTSR, or TESTAUTH.


While I haven't tried this under z/OS, I can assure you that it 
works quite well under all earlier systems I used it on, from 
MVS to OS/390. Obviously it's unfit for use on a production 
system, as the auditors would have fits, but it saves a lot of 
time on a sandbox.


Gerhard Postpischil
Bradford, VT




Re: Authorized Rexx Assembler Function

2008-04-14 Thread Tom Marchant
On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil wrote:

Walt Farrell wrote:
 That would allow an authorized program to load a module from an otherwise
 unauthorized STEPLIB.  It won't let you actually start running something as
 APF authorized, though.   Getting something to start running authorized
 requires use of a function like IKJEFTSR, or TESTAUTH.

While I haven't tried this under z/OS, I can assure you that it
works quite well under all earlier systems I used it on, from
MVS to OS/390. Obviously it's unfit for use on a production
system, as the auditors would have fits, but it saves a lot of
time on a sandbox.

I don't see how it really helps on a sandbox.  What's so hard about adding 
your test library to the APF list?

-- 
Tom Marchant




Re: Authorized Rexx Assembler Function

2008-04-13 Thread Shmuel Metz (Seymour J.)
In [EMAIL PROTECTED], on
04/11/2008
   at 03:35 PM, Lindy Mayfield [EMAIL PROTECTED] said:

I wonder what I'm doing wrong (again).  I made an assembler program that
I call with Address LINKPGM.  It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.

AC(1) is irrelevant except for ATTACH with RSAPF=YES, e.g., jobstep,
authorized command.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Lindy Mayfield
Yes, an assembler function.

And your idea about an authorized TSO command is a good one.  And probably
much simpler and safer.

Here is an example of what I could do, I think.

EWSTTIM  = Copies(0,26)  /* force result length=26 */ 
TOD_val = X2c(EWST)   
Address linkpgm BLSUXTOD TOD_val EWSTTIM

I'm not sure yet how BLSUXTOD stored the result in the last variable
though.  My guess is that it is not Rexx aware.

Lindy

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Tony Harminc
Sent: 10 April 2008 23:52
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

2008/4/10 Lindy Mayfield [EMAIL PROTECTED]:

  Is there any way to create a Rexx function that runs authorized?
Seems
  that when a Rexx function is called the JSCBAUTH is turned off.

By Rexx function, do you mean a function written in Rexx, or one
written (typically in assembler) as part of a function package?

Although the doc is ambiguous, Rexx itself will happily run
authorized, according to the usual APF rules. This does not mean in a
TSO/E integrated environment, however. But you can set up a non-TSO/E
Rexx environment and run Rexx programs in an authorized job step, and
of course the Rexx program can then call a function or host command
environment routine that does authorized stuff.

Whether this is wise is a whole 'nuther question...

However what I'm guessing you want is the ability to run a normal
Rexx program, and then have it call an assembler-written function that
gets control in an authorized state, much the way you can issue an
authorized TSO command. Well, not any straightforward way I know. Why
not write an authorized TSO command, and invoke that from Rexx? I'm
not sure if such a command can use the Rexx variable interface, but
other than that, it should be able to run, do its APF thing, whatever
that is, and pass back a small result, or stack a larger one.

Tony H.




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Shmuel Metz (Seymour J.)
In [EMAIL PROTECTED]
[EMAIL PROTECTED], on
04/10/2008
   at 02:06 PM, George Fogg [EMAIL PROTECTED] said:

I've written several functions that require authorization. As far as I
know, you cannot call an assembler function from REXX and have it run
authorized,

You can call an authorized command[1]. However, I'm not sure whether such
a command can set REXX variables.

PS: I have written assembler functions that set the JSCBAUTH bit on via
a SVC call but that's not the normal way of doing things.

Nor is it likely to pass a security audit.

[1] Yes, I know that's not always as convenient.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Lindy Mayfield
I wonder what I'm doing wrong (again).  I made an assembler program that
I call with Address LINKPGM.  It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.



-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Shmuel Metz (Seymour J.)
Sent: 11 April 2008 3:15
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

In [EMAIL PROTECTED]
[EMAIL PROTECTED], on
04/10/2008
   at 02:06 PM, George Fogg [EMAIL PROTECTED] said:

I've written several functions that require authorization. As far as I
know, you cannot call an assembler function from REXX and have it run
authorized,

You can call an authorized command[1]. However, I'm not sure whether
such
a command can set REXX variables.

PS: I have written assembler functions that set the JSCBAUTH bit on via
a SVC call but that's not the normal way of doing things.

Nor is it likely to pass a security audit.

[1] Yes, I know that's not always as convenient.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Gerhard Postpischil

Lindy Mayfield wrote:

I wonder what I'm doing wrong (again).  I made an assembler program that
I call with Address LINKPGM.  It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.


Are we supposed to guess the manner in which it doesn't work?

1) Does the invocation fail?  806?

2) Does it get invoked, but not authorized?  047?

You didn't mention the system you're running, or what actions 
you took after running the link/binder, adding the name to TSO, 
etc. Did you refresh everything that needs it (LLA, etc.)? At 
worst case (and for an older system), did you try an IPL?



Gerhard Postpischil
Bradford, VT




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Lindy Mayfield
I'm so sorry!

S047 at the MODESET SVC 107.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Gerhard Postpischil
Sent: 11 April 2008 16:48
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Lindy Mayfield wrote:
 I wonder what I'm doing wrong (again).  I made an assembler program
that
 I call with Address LINKPGM.  It's in the linklist, it's APF
authorized,
 has the AC bit on, and listed in AUTHPGM in IKJTSO00.

Are we supposed to guess the manner in which it doesn't work?

1) Does the invocation fail?  806?

2) Does it get invoked, but not authorized?  047?

You didn't mention the system you're running, or what actions 
you took after running the link/binder, adding the name to TSO, 
etc. Did you refresh everything that needs it (LLA, etc.)? At 
worst case (and for an older system), did you try an IPL?


Gerhard Postpischil
Bradford, VT




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Daniel McLaughlin
Are all libraries in the concatenation of the linklib in the APF list? If 
one isn't that may cause your issue.

BTDT

Daniel McLaughlin
Z-Series Systems Programmer
Information & Communications Technology
Crawford & Company
4680 N. Royal Atlanta
Tucker GA 30084 
phone: 770-621-3256 
fax: 770-621-3237
email: [EMAIL PROTECTED]
web: www.crawfordandcompany.com 



IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU wrote on 04/11/2008 
09:52:31 AM:

 
 I'm so sorry!
 
 S047 at the MODESET SVC 107.
 
 -Original Message-
 From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
 Behalf Of Gerhard Postpischil
 Sent: 11 April 2008 16:48
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: Authorized Rexx Assembler Function
 
 Lindy Mayfield wrote:
  I wonder what I'm doing wrong (again).  I made an assembler program
 that
  I call with Address LINKPGM.  It's in the linklist, it's APF
 authorized,
  has the AC bit on, and listed in AUTHPGM in IKJTSO00.
 
 Are we supposed to guess the manner in which it doesn't work?
 
 1) Does the invocation fail?  806?
 
 2) Does it get invoked, but not authorized?  047?
 
 You didn't mention the system you're running, or what actions 
 you took after running the link/binder, adding the name to TSO, 
 etc. Did you refresh everything that needs it (LLA, etc.)? At 
 worst case (and for an older system), did you try an IPL?
 
 
 Gerhard Postpischil
 Bradford, VT
 
 
 







Re: Authorized Rexx Assembler Function

2008-04-11 Thread Lindy Mayfield
Actually no, there are a few in there that aren't.  Like SYS1.SORTLIB,
for example.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Daniel McLaughlin
Sent: 11 April 2008 16:55
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Are all libraries in the concatenation of the linklib in the APF list?
If 
one isn't that may cause your issue.

BTDT

Daniel McLaughlin
Z-Series Systems Programmer
Information & Communications Technology
Crawford & Company
4680 N. Royal Atlanta
Tucker GA 30084 
phone: 770-621-3256 
fax: 770-621-3237
email: [EMAIL PROTECTED]
web: www.crawfordandcompany.com 




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Tom Marchant
On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:

Are all libraries in the concatenation of the linklib in the APF list? If
one isn't that may cause your issue.

If the load library is being accessed through the LNKLST, it is ok to have 
libraries that are not APF.

-- 
Tom Marchant




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Daniel McLaughlin
Snipped:
  Actually no, there are a few in there that aren't.  Like SYS1.SORTLIB,
for example.

I can only go on personal experience in that a concatenated series of 
libraries which are intermixed between APF and non-APF has caused me more 
than one S047 (SO47?) ABEND.

Daniel McLaughlin
Z-Series Systems Programmer
Information & Communications Technology
Crawford & Company
4680 N. Royal Atlanta
Tucker GA 30084 
phone: 770-621-3256 
fax: 770-621-3237
email: [EMAIL PROTECTED]
web: www.crawfordandcompany.com 








Re: Authorized Rexx Assembler Function

2008-04-11 Thread Mark Jacobs
Tom Marchant wrote:
 On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:

   
 Are all libraries in the concatenation of the linklib in the APF list? If
 one isn't that may cause your issue.
 

 If the load library is being accessed through the LNKLST, it is ok to have 
 libraries that are not APF.

   
If LNKAUTH=LNKLST in IEASYSxx is being used then yes.

-- 
Mark Jacobs
Time Customer Service
Tampa, FL


We have a special climate-controlled room that keeps the worms 
at a low enough temperature so that they remain dormant. If the 
temperature varies by more than +-0.73K, the worms either freeze 
to death, or eat through the CrTiAl alloy of the airlock doors. 
Dicey.

   -Branko Cibej [EMAIL PROTECTED], concerning the can of worms




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Daniel McLaughlin
Ah... if she is using STEPLIB... then APF gets involved for everyone, no?

Daniel McLaughlin
Z-Series Systems Programmer
Information & Communications Technology
Crawford & Company
4680 N. Royal Atlanta
Tucker GA 30084 
phone: 770-621-3256 
fax: 770-621-3237
email: [EMAIL PROTECTED]
web: www.crawfordandcompany.com 



IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU wrote on 04/11/2008 
10:30:10 AM:

 
 Tom Marchant wrote:
  On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:
 
  
  Are all libraries in the concatenation of the linklib in the APF 
list? If
  one isn't that may cause your issue.
  
 
  If the load library is being accessed through the LNKLST, it is ok to 
have 
  libraries that are not APF.
 
  
 If LNKAUTH=LNKLST in IEASYSxx is being used then yes.
 
 -- 
 Mark Jacobs
 Time Customer Service
 Tampa, FL
 
 
 We have a special climate-controlled room that keeps the worms 
 at a low enough temperature so that they remain dormant. If the 
 temperature varies by more than +-0.73K, the worms either freeze 
 to death, or eat through the CrTiAl alloy of the airlock doors. 
 Dicey.
 
-Branko Cibej [EMAIL PROTECTED], concerning the can of worms
 
 
 







Re: Authorized Rexx Assembler Function

2008-04-11 Thread Lindy Mayfield
I really appreciate everyone's hints, advice and help.

I checked, LNKAUTH=LNKLST is on.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Jacobs
Sent: 11 April 2008 17:30
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Tom Marchant wrote:
 On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:

   
 Are all libraries in the concatenation of the linklib in the APF
list? If
 one isn't that may cause your issue.
 

 If the load library is being accessed through the LNKLST, it is ok to
have 
 libraries that are not APF.

   
If LNKAUTH=LNKLST in IEASYSxx is being used then yes.

-- 
Mark Jacobs
Time Customer Service
Tampa, FL





Re: Authorized Rexx Assembler Function

2008-04-11 Thread Lindy Mayfield
I was running in batch with no STEPLIB just to make sure.


(he) (-:

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Daniel McLaughlin
Sent: 11 April 2008 17:34
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function

Ah... if she is using STEPLIB... then APF gets involved for everyone,
no?

Daniel McLaughlin
Z-Series Systems Programmer
Information & Communications Technology
Crawford & Company
4680 N. Royal Atlanta
Tucker GA 30084 
phone: 770-621-3256 
fax: 770-621-3237
email: [EMAIL PROTECTED]
web: www.crawfordandcompany.com 




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Tom Marchant
On Fri, 11 Apr 2008 10:30:10 -0400, Mark Jacobs wrote:

Tom Marchant wrote:
 On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:


 Are all libraries in the concatenation of the linklib in the APF list? If
 one isn't that may cause your issue.


 If the load library is being accessed through the LNKLST, it is ok to have
 libraries that are not APF.


If LNKAUTH=LNKLST in IEASYSxx is being used then yes.

What?  LNKAUTH=LNKLST means that every library in LNKLST is treated as 
being in the APF list when it is accessed through the LNKLST.  
LNKAUTH=APFTAB means that LNKLST libraries are not authorized unless they 
are also in the APF list.  It is perfectly possible to have some libraries in LNKLST 
authorized and some not, but that can only happen if you have 
LNKAUTH=APFTAB.

-- 
Tom Marchant




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Tom Marchant
On Fri, 11 Apr 2008 10:28:35 -0400, Daniel McLaughlin wrote:

I can only go on personal experience in that a concatenated series of
libraries which are intermixed between APF and non-APF has caused me more
than one S047 (SO47?) ABEND.

One non-APF library in a concatenation makes the whole concatenation 
unauthorized.

But not so with LNKLST.  It can be a mix of APF and non-APF libraries.

-- 
Tom Marchant




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Gerhard Postpischil

Lindy Mayfield wrote:

I wonder what I'm doing wrong (again).  I made an assembler program that
I call with Address LINKPGM.  It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.


There is an alternative to LINKPGM, but the name escapes me at 
the moment. It might be LINKMVS or AUTHMVS (I'd check a PDS 
member list of SYS1.LINKLIB)? It's been ten years, but when I 
worked at an ISV this was a standard way of handling things, 
provided all the details were taken care of. I do remember 
having to handle different formats for passing parameters, though.



Gerhard Postpischil
Bradford, VT




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Steve Comstock

Gerhard Postpischil wrote:

Lindy Mayfield wrote:

I wonder what I'm doing wrong (again).  I made an assembler program that
I call with Address LINKPGM.  It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.


There is an alternative to LINKPGM, but the name escapes me at the 
moment. It might be LINKMVS or AUTHMVS (I'd check a PDS member list of 
SYS1.LINKLIB)? It's been ten years, but when I worked at an ISV this was 
a standard way of handling things, provided all the details were taken 
care of. I do remember having to handle different formats for passing 
parameters, though.



Gerhard Postpischil
Bradford, VT


There are these ways to invoke programs from REXX execs (aside from CALL):

ADDRESS LINK
ADDRESS ATTACH
- passing a string, which may have variables substituted
  (if not in quotes)
- received as R1 points to two words in memory
  1st word points to a pointer to the string
  2nd word points to the length as a fullword binary integer



ADDRESS LINKMVS
ADDRESS ATTCHMVS
- pass multiple parameters as variables (substitution occurs
  even though the variables must be quoted)
- received as R1 points to a list of pointers
  each pointer points to a half-word prefixed string, one for
 each variable passed, of course
  the last pointer has its leftmost bit turned on
- the values of these parameters may be changed by the called program


ADDRESS LINKPGM
ADDRESS ATTCHPGM
- pass multiple parameters as a quoted string of variables
- received as R1 points to a list of pointers
  each pointer points to its corresponding parameter string
  * no length indicator
- values may be changed by called program but, of course, no
  value may have its length changed


ad
We cover the above, with examples and labs in Assembler,
COBOL, PL/I, and C in our 2 day course Introduction to
TSO and REXX APIs (we don't cover authorization issues)

for more info, check out:

  http://www.trainersfriend.com/TSO_Clist_REXX_Dialog_Mgr/a780descrpt.htm

/ad


Kind regards,

-Steve Comstock
The Trainer's Friend, Inc.

303-393-8716
http://www.trainersfriend.com

  z/OS Application development made easier
* Our classes include
   + How things work
   + Programming examples with realistic applications
   + Starter / skeleton code
   + Complete working programs
   + Useful utilities and subroutines
   + Tips and techniques

== call or email to receive a free sample student handout ==

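To make the three parameter-list layouts above concrete, here is an added Python model (my own code, not from the thread or from IBM) that builds each list in a simulated 31-bit address space and parses it back the way a called program would, following Steve Comstock's description; the EBCDIC code page, the base addresses, the max_params guard, the VL bit on the LINKPGM list and all helper names are assumptions. It also shows the in-place write-back that Lindy's Copies(0,26) pre-sizing relies on, and why an authorized callee has to bounds-check every pointer and length it is handed.

```python
"""Parameter-list layouts a program receives when a TSO/E REXX exec invokes
it with ADDRESS LINK/ATTACH, LINKMVS/ATTCHMVS or LINKPGM/ATTCHPGM, modelled
from the description in the thread (constructed example, not IBM code).
Memory is a bytearray at a pretend 31-bit base address; each builder returns
the R1 value the called program would see."""
import struct

VL_BIT = 0x80000000   # high-order bit marks the last pointer in a list
ADDR31 = 0x7FFFFFFF   # mask off the VL bit to get the 31-bit address
CODEPAGE = "cp037"    # EBCDIC; an assumption for the constructed strings


class Memory:
    """Flat byte image starting at `base`.  Every access is bounds-checked,
    which is what an authorized callee must do with caller-supplied data."""

    def __init__(self, base):
        self.base = base
        self.buf = bytearray()

    def append(self, data):
        """Append data and return the address it now lives at."""
        addr = self.base + len(self.buf)
        self.buf += data
        return addr

    def read(self, addr, length):
        off = addr - self.base
        if off < 0 or length < 0 or off + length > len(self.buf):
            raise ValueError(f"{addr:#x}/{length} outside the parameter area")
        return bytes(self.buf[off:off + length])

    def write(self, addr, data):
        self.read(addr, len(data))            # same bounds check as read
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def word(self, addr):
        return struct.unpack(">I", self.read(addr, 4))[0]

    def halfword(self, addr):
        return struct.unpack(">H", self.read(addr, 2))[0]


# ADDRESS LINK / ATTACH: R1 -> two words; word 1 -> pointer to the string,
# word 2 -> the length as a fullword binary integer.
def build_link(mem, text):
    data = text.encode(CODEPAGE)
    s_addr = mem.append(data)
    len_addr = mem.append(struct.pack(">I", len(data)))
    ptr_addr = mem.append(struct.pack(">I", s_addr))
    return mem.append(struct.pack(">II", ptr_addr, len_addr))

def parse_link(mem, r1):
    ptr_addr, len_addr = struct.unpack(">II", mem.read(r1, 8))
    return mem.read(mem.word(ptr_addr), mem.word(len_addr)).decode(CODEPAGE)


# ADDRESS LINKMVS / ATTCHMVS: R1 -> list of pointers, each to a halfword
# length-prefixed string; the last pointer has its leftmost (VL) bit on.
def build_linkmvs(mem, values):
    ptrs = []
    for v in values:
        data = v.encode(CODEPAGE)
        ptrs.append(mem.append(struct.pack(">H", len(data)) + data))
    ptrs[-1] |= VL_BIT
    return mem.append(struct.pack(f">{len(ptrs)}I", *ptrs))

def parse_linkmvs(mem, r1, max_params=64):
    """Walk the list until the VL bit.  The cap keeps a list that forgot the
    VL bit from walking the callee off the end of the parameter area."""
    out, addr = [], r1
    for _ in range(max_params):
        p = mem.word(addr)
        s_addr = p & ADDR31
        out.append(mem.read(s_addr + 2, mem.halfword(s_addr)).decode(CODEPAGE))
        if p & VL_BIT:
            return out
        addr += 4
    raise ValueError("no VL bit within max_params entries")


# ADDRESS LINKPGM / ATTCHPGM: R1 -> list of pointers to the raw strings with
# no length indicator, so lengths must come from the callee's own contract.
def build_linkpgm(mem, values):
    ptrs = [mem.append(v.encode(CODEPAGE)) for v in values]
    ptrs[-1] |= VL_BIT    # assumed: last pointer flagged as for LINKMVS
    return mem.append(struct.pack(f">{len(ptrs)}I", *ptrs))

def parse_linkpgm(mem, r1, lengths):
    return [mem.read(mem.word(r1 + 4 * i) & ADDR31, n).decode(CODEPAGE)
            for i, n in enumerate(lengths)]

def store_linkpgm_result(mem, r1, index, expected_len, text):
    """Overwrite parameter `index` in place: its value may change but not its
    length, which is why the exec pre-sizes it (the Copies(0,26) idiom)."""
    data = text.encode(CODEPAGE)
    if len(data) != expected_len:
        raise ValueError(f"result must be exactly {expected_len} bytes")
    mem.write(mem.word(r1 + 4 * index) & ADDR31, data)
```

A LINKPGM callee that writes a 27-byte result into the 26-byte slot would corrupt whatever follows it in the exec's storage, which is the kind of defect an authorized program must never have; the length check in store_linkpgm_result is the model of that guard.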



Re: Authorized Rexx Assembler Function

2008-04-11 Thread Edward Jaffe

Gerhard Postpischil wrote:
There is an alternative to LINKPGM, but the name escapes me at the 
moment. It might be LINKMVS or AUTHMVS (I'd check a PDS member list of 
SYS1.LINKLIB)? It's been ten years, but when I worked at an ISV this 
was a standard way of handling things, provided all the details were 
taken care of. I do remember having to handle different formats for 
passing parameters, though.


You're thinking of LINKMVS/ATTCHMVS vs LINK/ATTACH and LINKPGM/ATTCHPGM.

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ikj4a370/2.5.9.1
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ikj4a370/2.5.9.2
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ikj4a370/2.5.9.3

None of these program linkage techniques will establish an authorized 
environment.


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/




Re: Authorized Rexx Assembler Function

2008-04-11 Thread Gerhard Postpischil

Edward Jaffe wrote:
None of these program linkage techniques will establish an authorized 
environment.


Oops. I completely forgot - I have a modified version of the 
STEPLIB program, that has an optional APF operand to authorize 
the libraries. Once that's done the authorized programs will run 
correctly; it's a great time saver when debugging new or heavily 
modified programs, since it can be done out of a test library.



Gerhard Postpischil
Bradford, VT




Re: Authorized Rexx Assembler Function

2008-04-10 Thread Rob Scott
It IS possible - but not straightforward.

You need to research the IKJEFTSR service as described in the TSO/E Programming 
Services guide.

Your assembler rexx function acts as a parser and function bridge and then uses 
IKJEFTSR to invoke your authorized function (normally in linklist) which 
returns data to your rexx function and then you return that back to the user.


Rob Scott
Rocket Software, Inc
275 Grove Street
Newton, MA 02466
617-614-2305
[EMAIL PROTECTED]


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of 
Lindy Mayfield
Sent: 10 April 2008 20:48
To: IBM-MAIN@BAMA.UA.EDU
Subject: Authorized Rexx Assembler Function

It appears that this isn't possible but I wanted to triple check because while 
Googling I found some vague references.

Is there any way to create a Rexx function that runs authorized?  Seems that 
when a Rexx function is called the JSCBAUTH is turned off.

Thanks,
Lindy




Re: Authorized Rexx Assembler Function

2008-04-10 Thread Edward Jaffe

Lindy Mayfield wrote:

It appears that this isn't possible but I wanted to triple check because
while Googling I found some vague references.

Is there any way to create a Rexx function that runs authorized?  Seems
that when a Rexx function is called the JSCBAUTH is turned off.
  


Your REXX function is supposed to PC to a privileged routine to do 
privileged functions.


--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/




Re: Authorized Rexx Assembler Function

2008-04-10 Thread Edward Jaffe

Rob Scott wrote:

It IS possible - but not straightforward.

You need to research the IKJEFTSR service as described in the TSO/E Programming 
Services guide.

Your assembler rexx function acts as a parser and function bridge and then uses 
IKJEFTSR to invoke your authorized function (normally in linklist) which 
returns data to your rexx function and then you return that back to the user.
  


Darn! I should have said that! :-)

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/




Re: Authorized Rexx Assembler Function

2008-04-10 Thread Tony Harminc
2008/4/10 Lindy Mayfield [EMAIL PROTECTED]:

  Is there any way to create a Rexx function that runs authorized?  Seems
  that when a Rexx function is called the JSCBAUTH is turned off.

By Rexx function, do you mean a function written in Rexx, or one
written (typically in assembler) as part of a function package?

Although the doc is ambiguous, Rexx itself will happily run
authorized, according to the usual APF rules. This does not mean in a
TSO/E integrated environment, however. But you can set up a non-TSO/E
Rexx environment and run Rexx programs in an authorized job step, and
of course the Rexx program can then call a function or host command
environment routine that does authorized stuff.

Whether this is wise is a whole 'nuther question...

However what I'm guessing you want is the ability to run a normal
Rexx program, and then have it call an assembler-written function that
gets control in an authorized state, much the way you can issue an
authorized TSO command. Well, not any straightforward way I know. Why
not write an authorized TSO command, and invoke that from Rexx? I'm
not sure if such a command can use the Rexx variable interface, but
other than that, it should be able to run, do its APF thing, whatever
that is, and pass back a small result, or stack a larger one.

Tony H.




Re: Authorized Rexx Assembler Function

2008-04-10 Thread George Fogg
 It appears that this isn't possible but I wanted to triple check because
 while Googling I found some vague references.

 Is there any way to create a Rexx function that runs authorized?  Seems
 that when a Rexx function is called the JSCBAUTH is turned off.

 Thanks,
 Lindy

I sent you an answer to your question on the TSO-REXX list but here it is again.

I've written several functions that require authorization. As far as I know,
you cannot call an assembler function from REXX and have it run authorized,
however the assembler routine can call IKJEFTSR with a program name that will
run authorized. This authorized assembler program has to be marked as an
authorized program in IKJTSO00 (and live in an APF library) by defining the
program name in the IKJTSO00 AUTHPGM statement.

For example,
REXX exec A calls assm function B which in turn calls authorized program
C (using IKJEFTSR services) to issue macros that require APF. The macros
return data back to the caller C then program C passes data to function
B then function B passes the data back to REXX exec A.

If there is an easier way then I would like to know myself.

Here's my SHARE presentation given in Dallas 2003 on how to write REXX assembler
routines and the last part is how to call an authorized program to pass back
data to the REXX caller.
You need to be a SHARE member for logon and password. If not then I can send a
PDF file.
See:
http://www.share.org/member_center/open_document.cfm?document=proceedings/Dallas_Conference/s2820.pdf

(Watch the line fold)

PS: I have written assembler functions that set the JSCBAUTH bit on via a SVC
call but that's not the normal way of doing things.

George Fogg
