On 5/25/2005 1:00 PM, Ituriel do Nascimento Neto wrote:
> We have a STC with its USERID defined as PRIVILEGED in Started Class.
> This STC issues RACROUTE as defined below and always receives RC=00
> in Register 15, even if profile is not authorized. Here goes the RACROUTE
> part of the program:
>
>          RACROUTE REQUEST=AUTH,
>                USERID=USERID,
>                CLASS=RACLASS,
>                ATTR=READ,
>                ENTITY=PROFILE,
>                LOG=NOSTAT,
>                WORKA=SAFWORK,
>                RELEASE=7707,
>                MF=(E,AUTHCHK)
>
> The main point is that even if I specify a userid that is not the current
> one, and the profile is not authorized to this third-party user, R15 is
> always returned clear.
> Probably if I switch off the privileged attribute, it will work, but I would
> like to know if it is WAD.

If you omit the USERID parameter then you should always get RC=0 because
you are checking your own authority, and PRIVILEGED will give the RC=0
for almost all AUTH calls.

However, with the USERID parameter specified a check should occur
against the specified user ID, and only if it matches the STC ID should
PRIVILEGED apply. Thus, you should get the appropriate RC for that user
ID (as long as it does not match the STC user ID).

I suspect you have a coding error on your RACROUTE macro, or on the
L-form macro, or in the way that you initialize the static copy of your
macro (at label AUTHCHK). Or else you have an exit (e.g. ICHRCX01) that
is not coded properly.

However, without seeing more of the code I can't tell for sure.

Walt Farrell, CISSP
z/OS Security Design, IBM