> -----Original Message-----
> From: IBM Mainframe Discussion List 
> [mailto:[email protected]] On Behalf Of Walt Farrell
> Sent: Friday, April 16, 2010 9:50 AM
> To: [email protected]
> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
> 
> On Fri, 16 Apr 2010 09:29:30 -0500, McKown, John
> <[email protected]> wrote:
<snip>
> 
> You would need VERIFY, not VERIFYX.
> 
> And you can ask VERIFY to do the auditing (LOG=ALL).
> 
> I doubt you'd need a RESMGR, though you would need some kind of exit
> (ESTAI?) to handle abnormal termination of the subtasks and 
> delete the ACEE.

OK, I know how to do this.

> 
> If you're going multi-user in a single address space then it really only
> works if you have complete control over the code that's running, of course.
> If the users can supply any of the code you have nothing that can prevent
> one user from assuming another's identity. And if they can supply any of
> the code you also have the problem of ATTACH not propagating ACEEs.

To be honest, I don't like multi-user address spaces. That would really 
complicate debugging.

> 
> It really is easier for you to simply go the UNIX route. By the way, your
> code does not need to be in a UNIX file system. It could be in a PDS or
> PDSE, though you might need an external link in the file system in order for
> UNIX to find it.

I don't know the "plus" of using an External Link versus just putting the 
program object directly into the UNIX filesystem. It would make sense for 
something in LNKLST or LPA, I guess. But for something in the equivalent of a 
STEPLIB, I doubt it would be useful.

> 
> And don't forget that the users will need UNIX identities (OMVS segments
> with UIDs) if you go with anything UNIX related.

Hopefully, using the BPX.DEFAULT.USER profile in the FACILITY class would be 
"good enough". It seems to be OK for ftp users who don't actually do any I/O to 
UNIX files.

> 
> -- 
> Walt Farrell, CISSP
> IBM STSM, z/OS Security Design

It is really beginning to look like using UNIX services "to the max" is just 
going to be so much easier. Instead of my own "listener", I can use inetd. This 
would save me from coding all the TCP/IP stuff. My code could just read and 
write the socket supplied by inetd. I can use BPX1SEC to validate and set the 
RACF identity to the supplied RACF userid/password. This is far simpler than a 
RACROUTE REQUEST=VERIFY or IRRSIA00 in that it does not require supervisor 
state or APF authorization, but the JrEnvDirty seems to imply the program must 
be "program controlled". I know what that means for PDS resident programs, but 
not HFS resident programs. At least as far as I can tell from the manual.

The only thing that I would like, which I cannot seem to get, is the equivalent 
of the TSO message which says something like: "YOUR PASSWORD WILL EXPIRE IN 5 
DAYS". I can only tell if it is EXPIRED or INVALID. And, perhaps, REVOKEd.
--
John McKown 
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
[email protected] * www.HealthMarkets.com
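The inetd-driven design John sketches above (no listener of his own; the program reads and writes the socket inetd hands it as file descriptors 0 and 1, then validates the supplied userid/password) is shown below as an added example. It is not code from the thread or from IBM. The real identity check on z/OS would be BPX1SEC (or the `__passwd()` C wrapper); here a constructed in-memory user table stands in for the security manager so the logic runs anywhere, the one-line `userid password` request format is an assumption, and the "PASSWORD WILL EXPIRE IN N DAYS" warning John wanted is computed from a stored change date and password interval, which is exactly the information the service call itself does not return.

```c
/* Added example (not from the thread): the shape of an inetd-driven
 * authenticating service. inetd accepts the TCP connection and passes the
 * socket as fds 0 and 1, so the program does no socket setup of its own; it
 * reads one "userid password" line, authenticates, and answers one status
 * line. The user table, DEMO_NOW and the wire format are all constructed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define DAY       86400L
#define WARN_DAYS 5                          /* warn when expiry is this close */
#define DEMO_NOW  ((time_t)1271400000L)      /* constructed "current time" */

enum auth_status { AUTH_OK, AUTH_WARN_EXPIRING, AUTH_EXPIRED, AUTH_REVOKED, AUTH_INVALID };

/* Constructed stand-in for the security manager's user record (RACF userids
 * are at most 8 characters; the plaintext password exists only in this toy). */
struct user_rec {
    const char *userid;
    const char *password;
    time_t      pw_changed;     /* last password change, seconds since epoch */
    int         interval_days;  /* installation password interval */
    int         revoked;
};

static const struct user_rec demo_users[] = {
    { "JOHN",  "secret1", DEMO_NOW - 27 * DAY, 30, 0 },   /* 3 days left   */
    { "ALICE", "pw2",     DEMO_NOW -  2 * DAY, 30, 0 },   /* 28 days left  */
    { "BOB",   "pw3",     DEMO_NOW - 40 * DAY, 30, 0 },   /* expired       */
    { "CAROL", "pw4",     DEMO_NOW -  1 * DAY, 30, 1 },   /* revoked       */
};
#define DEMO_USER_COUNT (sizeof demo_users / sizeof demo_users[0])

/* Whole days before the password expires; negative means already expired. */
int days_until_expiry(time_t pw_changed, int interval_days, time_t now)
{
    double secs_left = difftime(pw_changed + (time_t)interval_days * DAY, now);
    return (int)(secs_left / DAY);           /* truncates toward zero */
}

/* Stand-in for the BPX1SEC / __passwd() verification: password first, so a
 * caller without the password learns nothing about revocation or expiry. */
enum auth_status authenticate(const struct user_rec *users, size_t n,
                              const char *userid, const char *password,
                              time_t now, int *days_left)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (strcmp(users[i].userid, userid) != 0) continue;
        if (strcmp(users[i].password, password) != 0) return AUTH_INVALID;
        if (users[i].revoked) return AUTH_REVOKED;
        *days_left = days_until_expiry(users[i].pw_changed, users[i].interval_days, now);
        if (*days_left < 0) return AUTH_EXPIRED;
        return *days_left <= WARN_DAYS ? AUTH_WARN_EXPIRING : AUTH_OK;
    }
    return AUTH_INVALID;   /* unknown user is reported exactly like a bad password */
}

/* Split "userid password\r\n" into its fields; 0 on success, -1 if malformed
 * (missing field, empty field, or a field too long for its buffer). */
int parse_login_line(const char *line, char *userid, size_t ulen,
                     char *password, size_t plen)
{
    const char *sp = strchr(line, ' ');
    size_t ul, pl;
    if (sp == NULL || sp == line) return -1;
    ul = (size_t)(sp - line);
    pl = strcspn(sp + 1, "\r\n");
    if (pl == 0 || ul >= ulen || pl >= plen) return -1;
    memcpy(userid, line, ul);     userid[ul] = '\0';
    memcpy(password, sp + 1, pl); password[pl] = '\0';
    return 0;
}

/* Handle the one connection inetd delivered: `in` is the socket's read side
 * (fd 0) and `out` its write side (fd 1), so plain stdio is all that is needed. */
enum auth_status serve(FILE *in, FILE *out, const struct user_rec *users,
                       size_t n, time_t now)
{
    char line[256], userid[9], password[101];
    int days_left = 0;
    enum auth_status st;
    if (fgets(line, sizeof line, in) == NULL ||
        parse_login_line(line, userid, sizeof userid, password, sizeof password) != 0) {
        fputs("ERR malformed request\r\n", out);
        return AUTH_INVALID;
    }
    st = authenticate(users, n, userid, password, now, &days_left);
    switch (st) {
    case AUTH_OK:            fprintf(out, "OK %s\r\n", userid); break;
    case AUTH_WARN_EXPIRING: fprintf(out, "OK %s PASSWORD WILL EXPIRE IN %d DAYS\r\n",
                                     userid, days_left); break;
    case AUTH_EXPIRED:       fputs("ERR password expired\r\n", out); break;
    case AUTH_REVOKED:       fputs("ERR userid revoked\r\n", out); break;
    default:                 fputs("ERR invalid userid or password\r\n", out); break;
    }
    fflush(out);
    return st;
}

/* Under inetd, stdin/stdout already are the socket; DEMO_NOW keeps the
 * constructed table's expiry arithmetic meaningful when run by hand. */
int main(void)
{
    enum auth_status st = serve(stdin, stdout, demo_users, DEMO_USER_COUNT, DEMO_NOW);
    return (st == AUTH_OK || st == AUTH_WARN_EXPIRING) ? 0 : 1;
}
```

Run by hand with `printf 'JOHN secret1\r\n' | ./a.out` to see the warning line; under inetd the same program receives the socket instead of a pipe and needs no change. Setting the thread's identity after a successful check (what BPX1SEC does in the poster's design) is deliberately left out, since that part is z/OS-specific and not portable.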

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html