A rexx exec called PAUSE:
Trace OFF
Arg parms
exitrc = 0
seconds = WORD(parms,1)
default_seconds = 15
If seconds = '' then seconds = default_seconds
If DATATYPE(seconds,"WHOLE NUMBER") then
seconds = ABS(seconds)
Else
seconds = default_seconds
If SYSCALLS('ON') > 0 then
Do
Say 'Unable to establish the Unix SYSCALL Environment'
exitrc = SYSCALLS('ON')
Signal EXIT
End
Address SYSCALL 'SLEEP ' SECONDS
exitrc = rc
EXIT:
Exit exitrc
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Itschak Mugzach
Sent: Tuesday, April 27, 2021 7:53 AM
To: [email protected]
Subject: Re: Limiting REXX syscall to SLEEP only
Thanks John,
My concern is access to other syscall functions. it may be true to unix, but I
think some of them allow more information then I would allow to standard user.
ITschak
*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and
IBM I **| *
*|* *Email**: [email protected] **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|*
On Tue, Apr 27, 2021 at 2:50 PM John McKown <[email protected]>
wrote:
> I doubt it. At least using supplied IBM facilities. Why? If you read here:
> https://www.ibm.com/docs/en/zos/2.1.0?topic=functions-sleep
> It does not have any information about security requirements.
> Therefore, I assume (ouch), that there is not one for this function,
> or any of the other UNIX functions in that section. And thus it is
> "one for all and all for one", so to speak. The same with UNIX
> commands. They all have the same security requirements, so if you have
> one, you have them all. At least in a normal set up.
>
> Now, long before UNIX was in z/OS, I wrote a batch program (designed
> to be invoked via EXEC PGM=) called SLEEP. It's only 180 assembler
> lines long (34 of which are comments). It does use one in-house macro,
> but that is simply "STARTUP" which does normal register saves and so
> could be easily replaced with just plain instructions. If you want it, I can
> email it to you.
>
> On Tue, Apr 27, 2021 at 6:33 AM ITschak Mugzach <[email protected]>
> wrote:
>
> > a user asks to have access to the uss sleep syscall. We would like
> > to
> limit
> > the user only to this function. is this possible?
> >
> > ITschak
> >
> > ITschak Mugzach
> > *|** IronSphere Platform* *|* *Information Security Continuous
> > Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon *
> >
> > --------------------------------------------------------------------
> > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO
> > IBM-MAIN
> >
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO IBM-MAIN
>
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
