On Sat, 16 Aug 2014 08:50:16 -0400, Peter Relson <[email protected]> wrote:
> >From the IPCS User's guide: >IPCS can process as a dump the central storage for the address space in >which IPCS is currently running, private storage, and any common storage >accessible by an unauthorized problem state program. Users running z/OS R2 >IPCS on a z/OS R2 system who have been authorized READ access to facility >class resource BLSACTV.ADDRSPAC may view storage that is fetch-protected >from application code. > >If availability of IPCS ACTIVE is the sticking point, I'm sure that an >option could be provided to disable it entirely. But, of course, from a security perspective restricting IPCS ACTIVE does nothing helpful. Any data accessible via IPCS ACTIVE (without requiring access to BLSACTV.ADDRSPAC, of course) is equally accessible to any program an application programmer wants to write, or even to any REXX exec the programmer wants to write. Clearly whomever made the rule restricting access to IPCS does not understand how the system works, and should be better educated. -- Walt
