supervisory state vs. authorized program

[GOODWIN, DIANE M.]

Hi all,
I'm a little confused - is there a difference (and if so, what is the
difference) between an assembler program that is in "supervisory state"
and an assembler program that is "authorized"?

Thanks in advance for your time.

Diane M. Goodwin
IT System Adminstration Specialist
Amica Insurance Company
email:  dgood...@amica.com

"I'm not a cynic.  I'm a disappointed optimist."  - George Carlin



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: supervisory state vs. authorized program

[Vernooij, CP - SPLXM]

"GOODWIN, DIANE M."  wrote in message
news:<33a9a3874f87c24aab996586c367def805bf2...@hoex01.amica.com>...
> Hi all,
> I'm a little confused - is there a difference (and if so, what is the
> difference) between an assembler program that is in "supervisory
state"
> and an assembler program that is "authorized"?
> 
> Thanks in advance for your time.
> 
> Diane M. Goodwin

If a program is APF authorized, it is allowed to execute 'authorized'
functions, a.o. put itself into 'supervisor state'.

Kees.

For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. 

Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its 
employees shall not be liable for the incorrect or incomplete transmission of 
this e-mail or any attachments, nor responsible for any delay in receipt. 
Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch 
Airlines) is registered in Amstelveen, The Netherlands, with registered number 
33014286


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: supervisory state vs. authorized program

[Tony Lubrano]

Diane,

An authorized program is entered in problem state and has the ability to get 
into supervisor state using a MODESET macro.  

Even though the program is authorized, it is not allowed to execute certain 
priviledged instructions or invoke certain priviledged system services until it 
is in supervisor state.

So, from a 70k foot level, an authorized program runs like an unauthorized 
program until it enters supervisor state.

Tony Lubrano
Product Author
NEON Enterprise Software, LLC.
p: 281.207.4922 f: 281.207.4973

What is zPrime?  Find out at www.zprime.com or just ask us!

From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of 
GOODWIN, DIANE M. [dgood...@amica.com]
Sent: Tuesday, April 20, 2010 8:45 AM
To: IBM-MAIN@bama.ua.edu
Subject: supervisory state vs. authorized program

Hi all,
I'm a little confused - is there a difference (and if so, what is the
difference) between an assembler program that is in "supervisory state"
and an assembler program that is "authorized"?

Thanks in advance for your time.

Diane M. Goodwin
IT System Adminstration Specialist
Amica Insurance Company
email:  dgood...@amica.com

"I'm not a cynic.  I'm a disappointed optimist."  - George Carlin



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: supervisory state vs. authorized program

[Binyamin Dissen]

On Tue, 20 Apr 2010 09:45:07 -0400 "GOODWIN, DIANE M." 
wrote:

:>Hi all,
:>I'm a little confused - is there a difference (and if so, what is the
:>difference) between an assembler program that is in "supervisory state"
:>and an assembler program that is "authorized"?

An authorized program has the potential to get into supervisor state but will
0C2 on instructions that require supervisor state.

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: supervisory state vs. authorized program

[Paul Gilmartin]

On Tue, 20 Apr 2010 16:56:46 +0300, Binyamin Dissen wrote:

>On Tue, 20 Apr 2010 09:45:07 -0400 "GOODWIN, DIANE M." wrote:
>
>:>I'm a little confused - is there a difference (and if so, what is the
>:>difference) between an assembler program that is in "supervisory state"
>:>and an assembler program that is "authorized"?
>
>An authorized program has the potential to get into supervisor state but will
>0C2 on instructions that require supervisor state.
>
Summarizing what no one has stated absolutely clearly yet, supervisor
state is a hardware state, controlled by a bit in the PSW; authorized
is a software state defined by flags set by the OS reflecting bits
in the load module and the library from which it was loaded.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: supervisory state vs. authorized program

[Tony Harminc]

On 20 April 2010 11:01, Paul Gilmartin  wrote:

> Summarizing what no one has stated absolutely clearly yet, supervisor
> state is a hardware state, controlled by a bit in the PSW; authorized
> is a software state defined by flags set by the OS reflecting bits
> in the load module and the library from which it was loaded.

Right. But it's a bit more muddled than that, because some operating
system services required that the caller be "authorized", but in many
cases this authorization can be APF authorization (regardless of what
machine state the program is running with), *or* being in supervisor
state. Often enough these services will also accept running in a
"system key" (generally a key < 8) as well.

The bottom line is that an APF authorized program can get itself into
supervisor state and/or a system key, and a program running in
supervisor state can do absolutely anything with the machine,
including reading or changing any data in main storage or on disk,
bypassing all security, and even stopping the entire complex.

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: supervisory state vs. authorized program

[R.S.]

Tony Harminc pisze:

On 20 April 2010 11:01, Paul Gilmartin  wrote:


Summarizing what no one has stated absolutely clearly yet, supervisor
state is a hardware state, controlled by a bit in the PSW; authorized
is a software state defined by flags set by the OS reflecting bits
in the load module and the library from which it was loaded.


Right. But it's a bit more muddled than that, because some operating
system services required that the caller be "authorized", but in many
cases this authorization can be APF authorization (regardless of what
machine state the program is running with), *or* being in supervisor
state. Often enough these services will also accept running in a
"system key" (generally a key < 8) as well.


Isn't the APF prerequisite for both, supervisor state and key<8?
If yes, then such services simply require APF. Supervisor state include 
APF, so the "or" above is redundant.




The bottom line is that an APF authorized program can get itself into
supervisor state and/or a system key, and a program running in
supervisor state can do absolutely anything with the machine,
including reading or changing any data in main storage or on disk,
bypassing all security, and even stopping the entire complex.


[OT] IMHO the most dangerous is regular program running in problem state 
driven by idiot, who has authorization to change production data. 


--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w caoci 
wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z dnia 16 marca 
2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r., moe ulec 
podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym kapitale zakadowym 
BRE Banku SA bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: supervisory state vs. authorized program

[Wayne Driscoll]

Radoslaw,
It is possible to get into Supervisor State and/or system key without 
running APF authorized.  It happens all the time, via either an SVC 
routine, or via the PC routines anchored in the System Function Table 
(SVT).  If system functions always require APF authorization, , then the 
routines executed by say the OPEN SVC on behalf of a non-authorized 
program (ie your business applications) would not be able to perform these 
functions.  Some functions do require APF authorization (ie the JSCBAUTH 
bit set), but most allow OR Sup State OR System Key without APF auth.

===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===



From:
"R.S." 
To:
IBM-MAIN@bama.ua.edu
Date:
04/21/2010 01:40 AM
Subject:
Re: supervisory state vs. authorized program
Sent by:
IBM Mainframe Discussion List 



Tony Harminc pisze:
> On 20 April 2010 11:01, Paul Gilmartin  wrote:
> 
>> Summarizing what no one has stated absolutely clearly yet, supervisor
>> state is a hardware state, controlled by a bit in the PSW; authorized
>> is a software state defined by flags set by the OS reflecting bits
>> in the load module and the library from which it was loaded.
> 
> Right. But it's a bit more muddled than that, because some operating
> system services required that the caller be "authorized", but in many
> cases this authorization can be APF authorization (regardless of what
> machine state the program is running with), *or* being in supervisor
> state. Often enough these services will also accept running in a
> "system key" (generally a key < 8) as well.

Isn't the APF prerequisite for both, supervisor state and key<8?
If yes, then such services simply require APF. Supervisor state include 
APF, so the "or" above is redundant.


> The bottom line is that an APF authorized program can get itself into
> supervisor state and/or a system key, and a program running in
> supervisor state can do absolutely anything with the machine,
> including reading or changing any data in main storage or on disk,
> bypassing all security, and even stopping the entire complex.

[OT] IMHO the most dangerous is regular program running in problem state 
driven by idiot, who has authorization to change production data. 

-- 
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237
NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w 
caoci wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj 
warunkowego podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ 
z dnia 16 marca 2008r., oraz uchway XVI NWZ z dnia 27 padziernika 
2008r., moe ulec podwyszeniu do kwoty 123.763.528 z. Akcje w 
podwyszonym kapitale zakadowym BRE Banku SA bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html