On 6/15/2006 8:09 AM, Shmuel Metz , Seymour J. wrote:
AKAIK the only cases where AC(1) is appropriate are where a privileged
program does a task with RSAPF=YES, and I know of only five such
cases:
1. The ATTACH of a jobstep
2. The ATTACH of the TSO TMP by the TSO SM
3. Authorized TSO CALL
4. Authorized TSO command
5. Authorized TSO service
There are a couple of cases in z/OS UNIX, too, that require AC(1).
Arguably, one of them (exec() or execmvs()) is really an attach of a
jobstep task, which you covered above.
However, z/OS UNIX also allows a local spawn() or local exec(), and
those cases do not attach a jobstep task. For a
local spawn or local exec issued by an APF-authorized program, we
require the target of the spawn() or exec() to have AC(1), too.
This ensures that the results will be the same (the module will run
authorized) whether it is invoked by a local spawn/exec or a standard,
non-local, spawn/exec.
We ran into this last year when we tried to get AC(1) removed from some
modules that we thought should not need it, and discovered that they no
longer ran properly. In a case like this, to avoid exposures, the
modules need to carefully check the environment and parameters they run
in, and verify that they were not executed improperly.
Walt Farrell, CISSP
z/OS Security Design, IBM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
