On Tue, 13 Apr 2010 23:25:12 +0300, Binyamin Dissen <[email protected]> wrote:
>On Tue, 13 Apr 2010 16:12:19 -0400 Don Williams <[email protected]> wrote:
>
>:>Sorry, SMP does not bypass security. The user has to be smart and know what
>:>to do, but no security is bypassed or violated.
>
>If the user cannot update the libraries, all that granting access to these
>resources is allowing the APPLY to abend with a S913 in place of being
>rejected due to lack of permission.
>
>How does allowing access to the SMP functions allow "the potential to
>undermine system security"
>
> --- wait for it ---
>
>"regardless of any data set protections you may have in place."

In the original discussion, it was speculated that IBM obviously did not understand that one should protect the data sets rather than trying to protect the program or functions. And that therefore anyone who did have proper data set protections is safe.

In most cases that is true. In this case it is not (that's why there is an exposure, and that's why we had the System Integrity APAR IO11698 and its PTF(s)).

Some of you are trying to guess what the exposure is, or speculating about what it may be. We will not participate in such speculation or confirm anything about it.

What is important is that you understand that you are at risk if you do not carefully control who can run those SMP/E functions, and that your users who can run those functions must be very trusted users. And that's why we have the new APAR IO12263.

Note, by the way, that the official IBM statement on all of this is in the APARs, not my emails on this topic. I am merely trying to help some of you understand those statements since there still seems to be some confusion.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

