In a recent note, Binyamin Dissen said: > Date: Tue, 19 Sep 2006 10:34:18 +0300 > > On Mon, 18 Sep 2006 17:51:14 -0600 Paul Gilmartin <[EMAIL PROTECTED]> > wrote: > > :>I am coming to suspect that the reason RETRY fails when I > :>invoke SMP/E from an EXEC under IKJEFT01 is that GIMSMP > :>is absent from AUTHPGM NAMES in SYS1.PARMLIB(IKJTSOnn). > :>I've put in a request to add it. > > :>But, now I'm curious. Is there any good rationale that > :>any program with AC=1 in an authorized library shouldn't > :>run with APF authorization when CALLed from TSO. Is the > :>security provided by the "isolated environment" incomplete? > :>What happens when a program with AC=0 is (inadvertently) > :>entered in AUTHPGM names and CALLed? > > The issue is that AC=1 programs expect to be called as job-step programs and > may not completely clean up after themselves (expecting the initiator to do > it). > That raises more questions than it answers:
o How justified is that expectation? Don't numerous authorized utilities and authorized user and vendor programs invoke other authorized utilities? o Isn't it equally true that AC=0 programs may fail to clean up after themselves? o When the TMP ATTACHes an AC=0 program (presumably in the non-authorized "leg") does the TMP clean up after it? If so, why doesn't the TMP likewise clean up after programs run in the isolated environment? o Does IBM publish a list of IBM programs which are suitable for naming in AUTHPGM NAMES, or is the presmption that only programs included there as it is distributed by IBM are eligible. My immediate concern is with SMP/E. I've been CALLing it but enduring the failure of RETRY and omitting WAIT. And I know SMP/E fails to clean up -- I must do some FREEs before the next CALL, or it runs with bogus DDNAMEs. (I tried PMRing this; IBM couldn't reproduce it, nor could I in a suitably small test case though it happens regularly in my production. I continue to do OUTTRAP LISTALC, then FREE selected DDNAMEs) > It is a slight exposure, handled by specifying those programs that are known > to be well behaved. > > :>Could a systems programmer so inclined simply use > :>"AUTHPGM NAMES( * )"? > Or the like? -- gil -- StorageTek INFORMATION made POWERFUL ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
