When I went through altitude chamber training, the instructor explained that as
external pressure decreased, gases in the body would try to expand. As internal
pressure grew, they would exit the body any way they could. If you could smell
the gases, it meant your oxygen mask was not on properly and you would be well
advised to deal with it quickly.
This smells the same to me. If someone can convince a "privileged" product
into giving them information they cannot get on their own, then there is a
security hole that requires prompt attention. Depending on hiding DSNs to
prevent a user from exploiting the weakness just doesn't seem like a good plan.
"Craddock, Chris" <[EMAIL PROTECTED]> wrote:
>
> Just curious. How much of an exposure exists if a user knows the name of
> a data set [s]he can't open?
>
The typical concern is that an unprivileged user may be able to persuade
a privileged user (e.g. some STC) to access data the unprivileged user
was not otherwise entitled to and/or to disclose that data to some third
party. The terms are fairly generic, e.g. the "third party" might be as
mundane as a networked printer.
If the dataset is always accessed using the true requestor's identity
then "no harm no foul". If you know the dataset name then there is at
least some chance you may pass it to someone who's not so choosy. If a
privileged server accesses that resource using its own identity then all
bets are off.
If you don't know the dataset name it gets to be more difficult to
develop such back door attacks - or so the theory goes. This is more of
a concern on other platforms, but it's still at least a theoretical
issue on z/OS.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html