On Fri, 7 Dec 2012 16:05:10 +0100, "R.S." <[email protected]> wrote:
>In general you are 100% right.
>However many people use PROGRAM class only to fulfill requirements of
>TCPIP setup and other stuff.
>In this case they define CL(PROGRAM) ** profile and several
>IBM-z/OS-provided libraries in ADDMEM.
>In such case BASIC-ENHANCED security has no special meaning, has it?
>
>(And for clarity I omitted IRRDPI and few other programs which should be
>excluded from UACC(R))

There's a reason those TCP/IP programs (or the UNIX functions they invoke) require a program-controlled environment, Radoslaw. If any of those programs or functions can be invoked by a "normal" user, and will work if they're invoked in a clean program-controlled environment, then you should be running in enhanced program-control mode to ensure that the user can't attack them and cause them to do things that are unintended.

In some ways, a clean program-controlled environment is like running APF-authorized. And in some ways, running with enhanced program-control mode rather than basic is like providing proper access control to control who can update your APF-authorized libraries.

I honestly do not know whether, in the situation you hypothesized, you are exposed to attacks if you run in basic rather than enhanced mode. But why take the chance? Enhanced protects you from some attacks that basic allows. It's simpler to implement enhanced mode than to try to figure out what the attacks are, and whether they'll work in your situation if you remain in basic mode.

-- Walt
