It appears that this isn't possible but I wanted to triple check because
while Googling I found some vague references.
Is there any way to create a Rexx function that runs authorized? Seems
that when a Rexx function is called the JSCBAUTH is turned off.
Thanks,
Lindy
--
a viable
solution?
Lindy
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Rob Scott
Sent: Tuesday, April 15, 2008 7:29 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
> Call an SVC that flips the JSCBAUTH
In <0377b9a583fd0e4aacd676ee33ee994b486ae...@sdkmail13.emea.sas.com>,
on 12/22/2010
at 01:47 PM, Lindy Mayfield said:
>If I use an SVC, is this true? If the SVC does something or returns
>some information that needs to be protected, then I need to use RACF
>to decide who can call it or who ca
: Authorized Rexx Assembler Function
If I use an SVC, is this true? If the SVC does something or returns some
information that needs to be protected, then I need to use RACF to decide who
can call it or who cannot? And everyone said not to use a magic SVC, and I get
that. But if that SVC is
---
If I use an SVC, is this true? If the SVC does something or returns some
information that needs to be protected, then I need to use RACF to decide who
can call it or who cannot? And everyone said not to use a
>Call an SVC that flips the JSCBAUTH bit back on.
DO NOT DO THIS. In the general case there is no way to do this without
introducing system integrity problems.
And also do not use an SVC to return control to an unauthorized caller in
an authorized state.
Peter Relson
z/OS Core Technology Desi
Not to mention the grief you would get from your auditors
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Peter Relson
Sent: Thursday, December 23, 2010 9:00 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
In
,
on 12/23/2010
at 09:15 AM, "Veilleux, Jon L" said:
>Not to mention the grief you would get from your auditors
I wish; the last time that I dealt with an auditor in that context, he
picked up an imaginary integrity exposure but failed to notice the hole
big enough to float an aircraft c
Do you really think most auditors would notice something like that? Most of
the few auditors I worked with didn't know much about MVS, although I did
work with one that really knew his stuff. Of course, if you introduced
instability to your system, the auditors would notice that, but then you'
-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
Lindy
Why use an SVC?
What is wrong with IKJEFTSR?
If you *must* use a SVC to perform some sort of discrete auth-function for an
unauth caller, then it would be responsible to provide some sort of SAF check
to ensure the caller is allowed.
a.ua.edu
Subject: Re: Authorized Rexx Assembler Function
---
>If I use an SVC, is this true? If the SVC does something or returns some
>information that needs to be protected, then I need to use RACF to decide who
>ca
embler
program.
From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Peter
Relson [rel...@us.ibm.com]
Sent: 23 December 2010 16:00
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
>Call an SVC that flips the JSCBAUTH bit back o
Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Shmuel
Metz (Seymour J.) [shmuel+ibm-m...@patriot.net]
Sent: 22 December 2010 15:51
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
An SVC that checks SAF and performs a narrowly delimited function if
authorized is fine. An
ent: 22 December 2010 15:51
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
An SVC that checks SAF and performs a narrowly delimited function if
authorized is fine. An SVC that turns on JSCBAUTH is an invitation to
disaster.
---
My question was that if you have an SVC that does stuff, can it use RACF to
> check if a user has permissions? Based on your kind replies to my query,
> the answer is yes.
>
Yes, it isn't just for dataset security. You can ask security questions
about any logical resource, even ones you make up
t [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Chris Craddock
Sent: Friday, 24 December 2010 7:08 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
My question was that if you have an SVC that does stuff, can it use RACF to
> check if a user has permissions? Based on yo
On Fri, 24 Dec 2010 07:50:12 +0930 Anthony Thompson
wrote:
:>I'll just point out that Type 1 and Type 6 SVC's cannot themselves issue SVC
calls (i.e. call RACF). Doesn't matter if your SVC just lives in LPA.
They can't do FASTAUTH?
--
Binyamin Dissen
http://www.dissensoftware.com
Director, D
: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
On Fri, 24 Dec 2010 07:50:12 +0930 Anthony Thompson
wrote:
:>I'll just point out that Type 1 and Type 6 SVC's cannot themselves issue SVC
calls (i.e. call RACF). Doesn't matter if your SVC just lives in
a.edu] On Behalf Of
Anthony Thompson
Sent: Friday, December 24, 2010 12:46 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
Type 1/6 can't XCTL either, so I suspect not, let alone the associated fastauth
exit. You're welcome to try tho.
Ant.
-Original Me
f Of
Lindy Mayfield
Sent: Friday, 24 December 2010 10:51 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
I am so so lucky to have a copy of Cannatello's book. It is dog eared and
worn. But it is mine. I so wish he would update it. It is a classic. But as
for
I've got over 15 years left until retirement, so I ain't goin' anywhere
anytime soon ;-(
Merry Whozawhatz and a Happy Whatchmacallit!
On Thu, Dec 23, 2010 at 4:00 PM, Lindy Mayfield
wrote:
> I hate to think of it, but someday you guys will be busy enjoying your
> retirements, and little boys l
At 11:00 -0500 on 12/23/2010, Shmuel Metz (Seymour J.) wrote about
Re: Authorized Rexx Assembler Function:
Just once I would like to encounter an auditor experienced enough to
find real problems before they can bite me, instead of reading a
worthless cookbook.
Most of them that I have run
At 22:15 +0100 on 12/23/2010, Lindy Mayfield wrote about Re:
Authorized Rexx Assembler Function:
Why on earth would one write an SVC to put an address into
authorized state when the SVC can do authorized stuff already.
Because it is "simpler" to have a single function SVC to auth
On 12/23/2010 9:19 PM, Robert A. Rosenberg wrote:
Anyone who just works off a check list of things to look for or
gripe about should be terminated (possibly with "Extreme
Prejudice" ) from their assignment as soon as they show their
inability to perform their job (IOW: You tell the Auditing
Firm/
locked mode. Even the old FRACHECK used a branch entry.
:>-Original Message-
:>From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Binyamin Dissen
:>Sent: Friday, 24 December 2010 8:09 AM
:>To: IBM-MAIN@bama.ua.edu
:>Subject: Re: Authorized Rexx A
In
<45b7288bec7648468f3309472e0f960db8856d9...@emdpb-es1.prod.main.ntgov>,
on 12/24/2010
at 07:50 AM, Anthony Thompson said:
>I'll just point out that Type 1 and Type 6 SVC's cannot themselves
>issue SVC calls (i.e. call RACF).
Isn't there a system linkage for SAF that a type 6 SVC can use?
On Thu, 23 Dec 2010 21:40:27 -0500, Robert A. Rosenberg
wrote:
>
>As to the need for a Magic SVC, I may be wrong but I have a vague
>memory of an IBM supplied program (possibly in the MVS days) that had
>(or needed) a Magic SVC to do one of its functions.
Could you possibly be thinking of an ear
Once upon a time an ISV source control product halted a five 9s data centre.
The product required a STC which naturally was APFed. The STC GETMAINed in
CSA, of course pagefixed, moved code to that location, searched for an empty
entry and updated the ESR SVCtable (109 - 3/4) and finally inserted i
>Date:Fri, 24 Dec 2010 08:54:10 -0600
>From:Dana Mitchell
>Subject: Re: Authorized Rexx Assembler Function
>On Thu, 23 Dec 2010 21:40:27 -0500, Robert A. Rosenberg
> wrote:
>>
>>As to the need for a Magic SVC, I may be wrong but I have a vague
>>
avid Stern
Subject: Re: Authorized Rexx Assembler Function
To: IBM-MAIN@bama.ua.edu
Date: Saturday, December 25, 2010, 4:03 AM
Once upon a time an ISV source control product halted a five 9s data centre.
The product required a STC which naturally was APFed. The STC GETMAINed in
CSA, of course pagefi
By asking these questions, I'm only curious, learning, and want to know as much
about z/OS as I can. Having said that...
What exactly happens to cause an authorized Rexx assembler function to be
un-authorized, even if AC(1) and run from an authorized library? Do you
manipulate the JSC
d want to
> know as much about z/OS as I can. Having said that...
>
> What exactly happens to cause an authorized Rexx assembler function
> to be un-authorized, even if AC(1) and run from an authorized
> library? Do you manipulate the JSCBAUTH? Do you somehow mark the
>
at it won't run
authorized.
Lindy
From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Hayim
Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 22:18
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
The short ve
sokol...@dtcc.com]
> Sent: 28 December 2010 22:18
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Authorized Rexx Assembler Function
>
> The short version goes like this, at least it used to work this way. It
> probably still does.
>
> IKJEFT01 (the "READY" prompt) is
From: IBM Mainframe Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Hayim
Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 23:01
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
Lindy,
The function is NOT invoked as COMMAND. Therefore it can't
ua.edu] On Behalf Of Hayim
Sokolsky [hsokol...@dtcc.com]
Sent: 28 December 2010 23:01
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
Lindy,
The function is NOT invoked as COMMAND. Therefore it can't be APF.
Hayim
_
Hayim
anism wind up causing authorization to be lost?
Peter
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
> Behalf Of Ray Overby
> Sent: Tuesday, December 28, 2010 5:13 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Authorized Rex
ways, some that
violate system integrity, and some that don't).
Lindy
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Ray Overby
Sent: Wednesday, December 29, 2010 12:13 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx As
At 13:25 -0500 on 12/25/2010, Tom Russell wrote about Re: Authorized
Rexx Assembler Function:
>Date:Fri, 24 Dec 2010 08:54:10 -0600
From:Dana Mitchell
Subject: Re: Authorized Rexx Assembler Function
On Thu, 23 Dec 2010 21:40:27 -0500, Robert A. Rosenberg
wrote:
As to the n
I do remember using a magic SVC to manipulate the JSCBAUTH bit.
but this was not a production environment, in fact it was running MVS guests
under VM, and then running NETVIEW under TSO, to make use of a debug tool
similar to the HLASM Assembler Toolkit Debugger.
Netview runs authorised...
On Wed, 29 Dec 2010 02:05:45 +0100, Lindy Mayfield
wrote:
>I am sorry, I only mean to educate myself. You explain the behavior, IMHO,
but you don't say why. OR you said why and I didn't get it.
>
>Why can I not create a Rexx function that is authorized? (I do NOT want
to, I'm just curious. I
On Wed, 29 Dec 2010 06:46:33 -0600, Walt Farrell wrote:
>
>It could:
>(b) use a UNIX spawn() or fork()/exec() to run an authorized program in a
>different address space; or
>
PITA. If only BPX1EXM provided a facility for the parent to specify
DDNAME allocations in the forked child it would be much
In , on 12/29/2010
at 06:46 AM, Walt Farrell said:
>(1) Normal Rexx environments (as established by TSO or by IRXEXEC in
>batch) do not themselves run authorized.
I'm confused. The question did not concern the EXEC command, it
concerned a user written command that was AC(1), in an authorized
In
<985915eee6984740ae93f8495c624c6c21cf025...@jscpcwexmaa1.bsg.ad.adp.com>,
on 12/28/2010
at 05:27 PM, "Farley, Peter x23353"
said:
>If you have the REXX compiler and you use the compiler to create a
>REXX load module and you authorize that load module and store it in
>an APF-authorized libra
On Thu, 30 Dec 2010 13:47:19 -0500, Shmuel Metz (Seymour J.)
wrote:
>In , on 12/29/2010
> at 06:46 AM, Walt Farrell said:
>
>>(1) Normal Rexx environments (as established by TSO or by IRXEXEC in
>>batch) do not themselves run authorized.
>
>I'm confused. The question did not concern the EXEC c
That is exactly what I meant by my question. Rexx assembler function,
authorized properly, put into the TSO command IKJTSOxx table, won't run
authorized. We already went over at least twice how to do it 1) properly, and
2) "Don't do it, looking for trouble, it ain't my dog, etc".
My why wasn
In <0377b9a583fd0e4aacd676ee33ee994b4875a...@sdkmail13.emea.sas.com>,
on 12/31/2010
at 02:56 PM, Lindy Mayfield said:
>That is exactly what I meant by my question. Rexx assembler
>function, authorized properly, put into the TSO command IKJTSOxx
>table, won't run authorized.
If you really mea
In , on 12/31/2010
at 06:34 AM, Walt Farrell said:
>I believe the question I responded to was, approximately, "why can't
>my Rexx function, written in assembler, run authorized?"
The OP mention using the REXX compiler, linking AC(1), using an
authorized library and adding it to the authorized
rules.
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Shmuel Metz (Seymour J.)
Sent: Friday, December 31, 2010 7:29 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Authorized Rexx Assembler Function
In <0377b9a583fd0e4aacd676ee33ee994b48
field
Sent: 10 April 2008 20:48
To: IBM-MAIN@BAMA.UA.EDU
Subject: Authorized Rexx Assembler Function
It appears that this isn't possible but I wanted to triple check because while
Googling I found some vague references.
Is there any way to create a Rexx function that runs authorized? S
Lindy Mayfield wrote:
It appears that this isn't possible but I wanted to triple check because
while Googling I found some vague references.
Is there any way to create a Rexx function that runs authorized? Seems
that when a Rexx function is called the JSCBAUTH is turned off.
Your REXX
Rob Scott wrote:
It IS possible - but not straightforward.
You need to research the IKJEFTSR service as described in the "TSO/E Programming
Services" guide.
Your assembler Rexx function acts as a parser and function bridge and then uses
IKJEFTSR to invoke your authorized function (normally in
2008/4/10 Lindy Mayfield <[EMAIL PROTECTED]>:
> Is there any way to create a Rexx function that runs authorized? Seems
> that when a Rexx function is called the JSCBAUTH is turned off.
By "Rexx function", do you mean a function written in Rexx, or one
written (typically in assembler) as part o
> It appears that this isn't possible but I wanted to triple check because
> while Googling I found some vague references.
>
> Is there any way to create a Rexx function that runs authorized? Seems
> that when a Rexx function is called the JSCBAUTH is turned off.
>
> Thanks,
> Lindy
>
I sent
ny Harminc
Sent: 10 April 2008 23:52
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
2008/4/10 Lindy Mayfield <[EMAIL PROTECTED]>:
> Is there any way to create a Rexx function that runs authorized?
Seems
> that when a Rexx function is called the JSCBAU
In <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>, on
04/10/2008
at 02:06 PM, George Fogg <[EMAIL PROTECTED]> said:
>I've written several functions that require authorization. As far as I
>know, you cannot call an assembler function from REXX and have it run
>authorized,
You can call an authorized co
L PROTECTED] On
Behalf Of Shmuel Metz (Seymour J.)
Sent: 11 April 2008 3:15
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
In <[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>, on
04/10/2008
at 02:06 PM, George Fogg <[EMAIL PROTECTED]> said:
>I'
Lindy Mayfield wrote:
I wonder what I'm doing wrong (again). I made an assembler program that
I call with Address LINKPGM. It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.
Are we supposed to guess the manner in which it doesn't work?
1) Does th
I'm so sorry!
S047 at the MODESET SVC 107.
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Gerhard Postpischil
Sent: 11 April 2008 16:48
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
Lindy Mayfield wrote
ter: Lindy Mayfield <[EMAIL PROTECTED]>
> Subject: Re: Authorized Rexx Assembler Function
>
---
>
> I'm so sorry!
>
> S047 at the MODESET SVC 107.
>
> -Original Messa
Actually no, there are a few in there that aren't. Like SYS1.SORTLIB,
for example.
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Daniel McLaughlin
Sent: 11 April 2008 16:55
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized
On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:
>Are all libraries in the concatenation of the linklib in the APF list? If
>one isn't that may cause your issue.
If the load library is being accessed through the LNKLST, it is ok to have
libraries that are not APF.
--
Tom Marchant
Snipped:
Actually no, there are a few in there that aren't. Like SYS1.SORTLIB,
for example.
I can only go on personal experience in that a concatenated series of
libraries which are intermixed between APF and non-APF has caused me more
than one S047 (SO47?) ABEND.
Daniel McLaughlin
Z-Ser
Tom Marchant wrote:
> On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:
>
>
>> Are all libraries in the concatenation of the linklib in the APF list? If
>> one isn't that may cause your issue.
>>
>
> If the load library is being accessed through the LNKLST, it is ok to have
> li
; Organization: Time Customer Service
> Subject: Re: Authorized Rexx Assembler Function
>
---
>
> Tom Marchant wrote:
> > On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:
> >
>
I really appreciate everyone's hints, advice and help.
I checked, LNKAUTH=LNKLST is on.
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Jacobs
Sent: 11 April 2008 17:30
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized
I was running in batch with no STEPLIB just to make sure.
(he) (-:
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Daniel McLaughlin
Sent: 11 April 2008 17:34
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
Ah
On Fri, 11 Apr 2008 10:30:10 -0400, Mark Jacobs wrote:
>Tom Marchant wrote:
>> On Fri, 11 Apr 2008 09:55:18 -0400, Daniel McLaughlin wrote:
>>
>>
>>> Are all libraries in the concatenation of the linklib in the APF list? If
>>> one isn't that may cause your issue.
>>>
>>
>> If the load library is
On Fri, 11 Apr 2008 10:28:35 -0400, Daniel McLaughlin wrote:
>
>I can only go on personal experience in that a concatenated series of
>libraries which are intermixed between APF and non-APF has caused me more
>than one S047 (SO47?) ABEND.
One non-APF library in a concatenation makes the whole conc
Lindy Mayfield wrote:
I wonder what I'm doing wrong (again). I made an assembler program that
I call with Address LINKPGM. It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.
LINKPGM won't provide an authorized environment. You need to use
IKJE
:26
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
Lindy Mayfield wrote:
> I wonder what I'm doing wrong (again). I made an assembler program
that
> I call with Address LINKPGM. It's in the linklist, it's APF
authorized,
> has the AC bit on,
Lindy Mayfield wrote:
I wonder what I'm doing wrong (again). I made an assembler program that
I call with Address LINKPGM. It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.
There is an alternative to LINKPGM, but the name escapes me at
the momen
Gerhard Postpischil wrote:
Lindy Mayfield wrote:
I wonder what I'm doing wrong (again). I made an assembler program that
I call with Address LINKPGM. It's in the linklist, it's APF authorized,
has the AC bit on, and listed in AUTHPGM in IKJTSO00.
There is an alternative to LINKPGM, but the n
Gerhard Postpischil wrote:
There is an alternative to LINKPGM, but the name escapes me at the
moment. It might be LINKMVS or AUTHMVS (I'd check a PDS member list of
SYS1.LINKLIB)? It's been ten years, but when I worked at an ISV this
was a standard way of handling things, provided all the detai
Edward Jaffe wrote:
None of these program linkage techniques will establish an authorized
environment.
Oops. I completely forgot - I have a modified version of the
STEPLIB program, that has an optional APF operand to authorize
the libraries. Once that's done the authorized programs will run
In <[EMAIL PROTECTED]>, on
04/11/2008
at 03:35 PM, Lindy Mayfield <[EMAIL PROTECTED]> said:
>I wonder what I'm doing wrong (again). I made an assembler program that
>I call with Address LINKPGM. It's in the linklist, it's APF authorized,
>has the AC bit on, and listed in AUTHPGM in IKJTSO00.
On Fri, 11 Apr 2008 16:56:56 -0400, Gerhard Postpischil <[EMAIL PROTECTED]>
wrote:
>Oops. I completely forgot - I have a modified version of the
>STEPLIB program, that has an optional APF operand to authorize
>the libraries. Once that's done the authorized programs will run
>correctly; it's a great
Walt Farrell wrote:
That would allow an authorized program to load a module from an otherwise
unauthorized STEPLIB. It won't let you actually start running something as
APF authorized, though. Getting something to start running authorized
requires use of a function like IKJEFTSR, or TESTAUTH.
On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil wrote:
>Walt Farrell wrote:
>> That would allow an authorized program to load a module from an otherwise
>> unauthorized STEPLIB. It won't let you actually start running something as
>> APF authorized, though. Getting something to start ru
Tom Marchant wrote:
I don't see how it really helps on a sandbox. What's so hard about adding
your test library to the APF list?
There are numerous reasons, but at my last job before retirement
I worked at an ISV writing and maintaining system utilities.
They had a library of all IBM documen
On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard Postpischil <[EMAIL PROTECTED]>
wrote:
>Walt Farrell wrote:
>> That would allow an authorized program to load a module from an otherwise
>> unauthorized STEPLIB. It won't let you actually start running something as
>> APF authorized, though. Getting s
l opinions are strictly my own.
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Walt Farrell
Sent: Tuesday, April 15, 2008 9:03 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
On Mon, 14 Apr 2008 10:44:31 -0400, Gerhard
That's all I've collected so far. Are there more ways?
Lindy
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Wayne Driscoll
Sent: 15 April 2008 17:49
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
uff into an SVC or PC routine.
That's all I've collected so far. Are there more ways?
Lindy
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of
Wayne Driscoll
Sent: 15 April 2008 17:49
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Auth
Lindy Mayfield wrote:
For completeness, since I started this whole, ah, thing, I'm curious
what they are. Here are the techniques I've learned so far, including
the one that violates system integrity:
__ The standard acceptable method is to call TSO/E Service Facility,
IKJEFTSR and pass it the
On Tue, 15 Apr 2008 18:19:08 +0200 Lindy Mayfield <[EMAIL PROTECTED]>
wrote:
:>For completeness, since I started this whole, ah, thing, I'm curious
:>what they are. Here are the techniques I've learned so far, including
:>the one that violates system integrity:
:>__ The standard acceptable metho
On Tue, 15 Apr 2008 18:19:08 +0200, Lindy Mayfield wrote:
>
>That's all I've collected so far. Are there more ways?
>
BPX1EXM
-- gil
> __ The standard acceptable method is to call TSO/E Service Facility,
> IKJEFTSR and pass it the name of an authorized module.
This is the simplest way to run an authorized command and it has the
virtue that all of the other tasks in the address space are frozen while
you're doing your thing, so
Binyamin said
> :>That's all I've collected so far. Are there more ways?
>
> DEBAPFIN
>
> SVC screening.
Pardon? Modifying the APF bit isn't going to do you any good in an
address space that is already running since AC(1) is only relevant for
job step tasks. You would have to already be running
few in my shop that can
code at that level.
George Fogg
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Craddock, Chris
Sent: Tuesday, April 15, 2008 4:16 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
Binyamin said
g
Sent: Tuesday, April 15, 2008 9:38 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
Pardon you? The DEBAPFIN is to mark a specific dataset APF, not the job step
task. I use that bit setting in my SCVUPDTE TSO command to add a dynamic SVC
from a library that needs to be
On Tue, 15 Apr 2008 19:15:33 -0400 "Craddock, Chris" <[EMAIL PROTECTED]>
wrote:
:>Binyamin said
:>> :>That's all I've collected so far. Are there more ways?
:>> DEBAPFIN
:>> SVC screening.
:>Pardon? Modifying the APF bit isn't going to do you any good in an
:>address space that is already ru
In <[EMAIL PROTECTED]>, on
04/15/2008
at 06:19 PM, Lindy Mayfield <[EMAIL PROTECTED]> said:
>__ Call an SVC that flips the JSCBAUTH bit back on. This is
>non-standard. If it is to be implemented even on a development system
>then added security needs to be built in to make sure it isn't misus
In <[EMAIL PROTECTED]>, on
04/15/2008
at 07:05 PM, "Craddock, Chris" <[EMAIL PROTECTED]> said:
>None that can be discussed in polite company :-)
What if the discussion simply states that the details are in the part of
the PMR that only IBM can see and that I won't discuss them until the fix
ha
hat is).
Lindy
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Edward Jaffe
Sent: 15 April 2008 20:42
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Authorized Rexx Assembler Function
Lindy Mayfield wrote:
> For completeness, since I started this who
rized Rexx Assembler Function
other than passing information to it through a file and
retrieving the results from a file (or PUTLINEs) I can't think of any
better way to interact with it.
On Sun, 27 Apr 2008 20:51:39 +0200, Lindy Mayfield
<[EMAIL PROTECTED]> wrote:
>Not to overbeat this dead horse, but I thought I'd add another one to
>the list here of ways to call authorized commands from TSO or Rexx.
>
>By adding an authorized module name (in authorized library) to the
>IKJTSOxx