Ah, you are thinking of one of two possibilities. One is to use "sudo"
which first switches to a specified user (often root), then runs the given
command & arguments. Use of this is controlled via a file called
/etc/sudoers. This is a rather generic thing. Another way to do it is to
write a specific command, Y, which is marked "setuid" or "setgid" to change
either the uid or gid or both to the program's uid/gid. That command can
then execute the given command, X, via the system() call.

z/OS does not have an equivalent facility for batch programs. z/OS UNIX,
being a true, branded, UNIX system does have both of the above abilities.
Not that it helps you.

One thing that does occur to me is to use the PADS in RACF to only allow
access to the compiler containing library from your driver program. I'm not
too sure about this. Perhaps someone who uses PADS can say? It might well
require your "driver" program, Y, residing in the STEPLIB, with the PADS
library (or libraries) being allocated to a different DD name which the
driver program OPENs with a DCB, said DCB being passed to ATTACHX via the
DCB= parameter in order to change the new TCB's default execution libraries
to those on the special DD name. The driver might even have "smarts" to
look at some PARM passed to it, validate it, and then use that program in
the ATTACHX rather than "hard code" the invoked program. It would make it a
bit more difficult to program. And don't ask me how well this will get
along with CA-Endevor.

Just a thought. This does put things back into RACF control of the compiler
libraries.


On Tue, Feb 12, 2013 at 11:04 AM, Charles Mills <[email protected]> wrote:

> Gil would know the answer to the first half of this ...
>
> I'm not a UNIX expert. My sole claim to UNIX expertise is that I once
> *managed* a bunch of UNIX experts. I seem to recall that in UNIX you can do
> something like the following -- and I'm using the wrong terms, but
> hopefully you can get what I mean. Suppose you have an executable X. You
> can set its security such that only user FOO can run it. FOO is not a real
> person. Instead, you have a program Y that you set up such that it runs
> with the authority of FOO. So then a user can potentially run program Y
> which in turn runs program X, but that user cannot himself run X all by
> itself.
>
> Is my recollection correct?
>
> z/OS and RACF don't have an equivalent facility, do they?
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Paul Gilmartin
> Sent: Tuesday, February 12, 2013 7:11 AM
> To: [email protected]
> Subject: Re: How do people lock down the compilers "inside" CA Endevor?
>
> On Tue, 12 Feb 2013 07:49:27 -0600, John McKown wrote:
> >
> >Another possible solution, which I did with different IBM module, is to
> >write a small HLASM program. This program would verify how it was
> >called by looking at the RB chain, to be sure it was not the first RB
> >on the TCB is what I'm thinking. ...
> >
> I invoke a lot of programs with Rexx "address LINKMVS".  How does that
> affect the RB chain?
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
>



-- 
This is a test of the Emergency Broadcast System. If this had been an
actual emergency, do you really think we'd stick around to tell you?

Maranatha! <><
John McKown
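The "driver program Y runs protected program X" pattern described in the first paragraph of the reply above, as an added example in C that is not part of this thread and not code from any of its authors. It assumes a placeholder compiler path (/opt/protected/bin/compiler-x) and a hypothetical rule that the only argument is a plain ".c" file name; the wrapper is meant to be installed setgid to the group owning X, so that members of a wider group can reach X only through Y. It uses execve with a fixed environment instead of the system() call mentioned in the text, because system() goes through a shell and would let the caller's PATH, IFS and shell metacharacters influence what the privileged child does.

```c
/* Added example (not from the IBM-MAIN thread): a minimal setgid "driver"
 * program Y that runs a fixed, protected program X with one validated
 * argument.  Intended installation (assumption):
 *   chgrp compilers driver && chmod 2755 driver   # setgid to X's group
 *   chgrp compilers X      && chmod 0750 X        # X not world-executable
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Placeholder location of the protected program X (an assumption). */
#define TARGET_PROGRAM "/opt/protected/bin/compiler-x"

/* Accept only a simple source file name: characters [A-Za-z0-9._-], no path
 * separators, no leading '-' (so it cannot be read as an option) and no
 * leading '.', and it must end in ".c".  Returns 1 if acceptable, else 0. */
int argument_is_safe(const char *arg)
{
    size_t len, i;
    if (arg == NULL) return 0;
    len = strlen(arg);
    if (len < 3 || len > 255) return 0;
    if (arg[0] == '-' || arg[0] == '.') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return strcmp(arg + len - 2, ".c") == 0;
}

/* Build the argv handed to X: the fixed program path plus the one validated
 * argument.  argv_out must hold at least 3 pointers.  Returns 0 on success,
 * -1 if the argument was rejected (argv_out is then left untouched). */
int build_target_argv(const char *src, char *argv_out[3])
{
    if (!argument_is_safe(src)) return -1;
    argv_out[0] = (char *)TARGET_PROGRAM;
    argv_out[1] = (char *)src;
    argv_out[2] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    char *target_argv[3];
    /* A fixed, minimal environment: nothing the caller exported (PATH,
     * LD_PRELOAD, locale tricks) reaches the privileged child. */
    char *clean_env[] = { "PATH=/usr/bin:/bin", NULL };

    if (argc != 2 || build_target_argv(argv[1], target_argv) != 0) {
        fprintf(stderr, "usage: driver <name>.c  (plain file name only)\n");
        return 2;
    }
    /* execve replaces this process with X; the effective gid granted by the
     * setgid bit carries over, which is what lets X's library be read. */
    execve(TARGET_PROGRAM, target_argv, clean_env);
    perror("execve");   /* only reached if the exec itself failed */
    return 127;
}
```

The sudo route in the same paragraph expresses the equivalent constraint in /etc/sudoers rather than in a wrapper, for example a line of the form `%devs ALL=(compiler) NOPASSWD: /opt/protected/bin/compiler-x` (group, user and path are placeholders), with sudo's own environment reset and argument logging taking the place of the checks above.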
