Thank you as always.  I was simply exploring again the different ways of 
running authorized code from a Rexx assembler function (or a TSO command called 
by it).  I wanted only to keep my list updated.

You stated very clearly when we had this discussion 2 or 3 years ago NOT to 
play with the JSCBAUTH.  As you said before, it is a recipe for disaster.  I 
wouldn't do it, but I was just curious about some of the reasons.  Just out of 
curiosity.

Why use an SVC?  Back during this discussion it was stated as one way of having 
a Rexx assembler function do some authorized stuff.  Someone said that an SVC 
or PC routine was one way.

And for sure IKJEFTSR is one good way to go.  

Lindy

________________________________________
From: IBM Mainframe Discussion List [[email protected]] On Behalf Of Rob 
Scott [[email protected]]
Sent: 22 December 2010 17:33
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

Lindy

Why use an SVC?

What is wrong with IKJEFTSR?

If you *must* use an SVC to perform some sort of discrete auth-function for an 
unauth caller, then it would be responsible to provide some sort of SAF check 
to ensure the caller is allowed. I am assuming here that your SVC is returning 
to the caller in exactly the same state as when called - do NOT attempt to flip 
JSCBAUTH or any other auth-boost using an SVC regardless of SAF check being 
present or not.

Personally, I cannot imagine a good case for writing a new SVC these days.

Rob Scott
Lead Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305
Email: [email protected]
Web: www.rocketsoftware.com


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Lindy Mayfield
Sent: 22 December 2010 12:48
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

If I use an SVC, is this true?  If the SVC does something or returns some 
information that needs to be protected, then I need to use RACF to decide who 
can call it or who cannot?  And everyone said not to use a magic SVC, and I get 
that.  But if that SVC is also protected by RACF, is it at all a viable 
solution?

Lindy


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Rob Scott
Sent: Tuesday, April 15, 2008 7:29 PM
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

> Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
> it is to be implemented even on a development system then added security 
> needs to be built in to make sure it isn't misused.

Do NOT go there.

It will bite you in the a** - maybe not today - but someday.


Your real options depend on whether you have a server address space or not:

(a) You have a server address space
        Use PC-ss to execute auth function or to request server collect data on 
your behalf.

(b) You do not have a server address space
        Use IKJEFTSR
        (daylight)
        Use SVC



Rob Scott
Rocket Software, Inc
275 Grove Street
Newton, MA 02466
617-614-2305
[email protected]


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Lindy Mayfield
Sent: 15 April 2008 17:19
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

For completeness, since I started this whole, ah, thing, I'm curious what they 
are.  Here are the techniques I've learned so far, including the one that 
violates system integrity:

__ The standard acceptable method is to call TSO/E Service Facility, IKJEFTSR 
and pass it the name of an authorized module.

__ Call an SVC that flips the JSCBAUTH bit back on.  This is non-standard.  If 
it is to be implemented even on a development system then added security needs 
to be built in to make sure it isn't misused.

__ Simply put all the authorized stuff into an SVC or PC routine.

That's all I've collected so far.  Are there more ways?

Lindy



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Wayne Driscoll
Sent: 15 April 2008 17:49
To: [email protected]
Subject: Re: Authorized Rexx Assembler Function

Just to expand on Walt's statement "There are only a handful of ways of getting 
a program to start running authorized, even if the module comes from an 
APF-authorized library"
append "that don't violate system integrity."  Sure, there are numerous ways to 
make this work, but most of them have the side-effect that they leave the 
system in a compromised state.  In a small development system this loss of 
integrity may be acceptable, but for production, or even larger development or 
test systems, this would not be.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

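
Rob Scott's answers above point an unauthorized caller at IKJEFTSR rather than at a home-grown SVC, and Lindy's list records IKJEFTSR as the standard acceptable method. The HLASM routine below is an added illustration written for this page, not code from anyone in the thread or from Rocket Software. It shows the shape of an IKJEFTSR call that asks the TSO/E Service Facility to run a program authorized and then inspects the facility's return code before trusting the result. The CSECT name AUTHCALL, the target name MYAUTHPG and the work-area layout are assumptions. For the call to run authorized, the target must be named in the AUTHTSF list of the active IKJTSOxx member and reside in an APF-authorized library, and the caller must be running under a TSO/E environment (a TSO/E address space, or one established with IKJTSOEV). Only the first six IKJEFTSR parameters are used; flag bytes 3 and 4 are left at zero rather than relying on their meaning.

```hlasm
*---------------------------------------------------------------------
* AUTHCALL: run an authorized program from an unauthorized caller by
*           going through the TSO/E Service Facility (IKJEFTSR).
*
* Added example for this page; not code from the thread.  Assumed:
*  - MYAUTHPG is a hypothetical program.  It must be named in the
*    AUTHTSF list of the active IKJTSOxx member and live in an
*    APF-authorized library, otherwise IKJEFTSR will not run it
*    authorized.
*  - The caller runs in a TSO/E environment (TSO/E address space, or
*    one set up with IKJTSOEV).
*  - Standard OS linkage: R1 = caller's parms (unused here), R13 =
*    caller's save area.  Return code is passed back in R15.
*---------------------------------------------------------------------
AUTHCALL CSECT
AUTHCALL AMODE 31
AUTHCALL RMODE ANY
         YREGS
         STM   R14,R12,12(R13)       save caller's registers
         LR    R12,R15
         USING AUTHCALL,R12
         GETMAIN RU,LV=WORKLEN       reentrant working storage
         ST    R13,4(,R1)            back-chain the save areas
         ST    R1,8(,R13)
         LR    R13,R1
         USING WORKAREA,R13
*
* IKJEFTSR flag word: byte 1 X'01' = invoke authorized,
*                     byte 2 X'02' = the buffer names a program,
*                     bytes 3-4 left zero (defaults, not relied on).
         MVC   TSRFLAGS,=X'01020000'
         MVC   TSRBUFF,=CL8'MYAUTHPG' hypothetical target program
         MVC   TSRLEN,=F'8'          length of the name buffer
         XC    TSRRC,TSRRC           outputs filled in by IKJEFTSR
         XC    TSRRSN,TSRRSN
         XC    TSRABND,TSRABND
*
* Standard parameter list (addresses), VL bit on the last entry.
         LA    R1,TSRFLAGS
         ST    R1,PARMLIST
         LA    R1,TSRBUFF
         ST    R1,PARMLIST+4
         LA    R1,TSRLEN
         ST    R1,PARMLIST+8
         LA    R1,TSRRC
         ST    R1,PARMLIST+12
         LA    R1,TSRRSN
         ST    R1,PARMLIST+16
         LA    R1,TSRABND
         ST    R1,PARMLIST+20
         OI    PARMLIST+20,X'80'
         LA    R1,PARMLIST           LINK leaves R1 as set
         LINK  EP=IKJEFTSR           invoke the TSO/E Service Facility
*
* Do not assume the authorized work happened: R15 = 0 means the
* target ran and returned 0.  Otherwise the target's own return code
* (TSRRC), reason code (TSRRSN) and abend code (TSRABND) say why.
         LTR   R15,R15
         BZ    RETURN                everything went as expected
         L     R15,TSRRC
         LTR   R15,R15
         BNZ   RETURN                target ran but returned nonzero
         LA    R15,8                 target not run or abended
RETURN   LR    R2,R15                keep RC across the FREEMAIN
         LR    R1,R13
         L     R13,4(,R13)
         FREEMAIN RU,LV=WORKLEN,A=(1)
         LR    R15,R2
         L     R14,12(,R13)          restore and return; no state
         LM    R0,R12,20(R13)        of our own was ever elevated
         BR    R14
         LTORG
*
WORKAREA DSECT
SAVEAREA DS    18F
TSRFLAGS DS    F
TSRBUFF  DS    CL8
TSRLEN   DS    F
TSRRC    DS    F
TSRRSN   DS    F
TSRABND  DS    F
PARMLIST DS    6F
WORKLEN  EQU   *-WORKAREA
         END   AUTHCALL
```

The design point is the one Rob makes about JSCBAUTH: the caller never touches its own authorization state. The service facility runs the named program authorized on the caller's behalf and hands back a return code, reason code and abend code that the unauthorized caller checks rather than assumes. Which programs may be reached this way is a parmlib decision (AUTHTSF), so the control sits with the systems programmer and the security administrator, not with a magic SVC that any problem-state program could find and issue.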