In <[email protected]>, on 04/03/2013 at 07:29 AM, Paul Gilmartin <[email protected]> said:
>It leaves a couple holes
Not really.
>o Jobstep program is AC(1), from an authorized library, so
> the environment was authorized.
Then that program is responsible for not creating any security
exposures.
>o Jobstep program ATTACHEs a subprogram AC(0), from an
> authorized library, bound with NOLONGPARM, passing an
> argument longer than 100 bytes.
Is that program written to work properly with that parameter? If not,
then the AC(1) program has an integrity violation for calling it.
>Or:
>o JCL specifies "EXEC PGM=jobstep program,PARMDD=ddn"
>o Jobstep program is AC=1, from an authorized library, no
> LONGPARM attribute.
>o The PARM resolved from ddn is no longer than 100 bytes.
>o Is this permissible? I would actually hope not:
> - there's a lower potential astonishment factor if the
> restriction applies to any such use of PARMDD,
I would consider that to be a bug and at best to be more surprising
than only testing the length. There's nothing in the string "LONGPARM"
to suggest that it applies to short parm data.
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Atid/2 <http://patriot.net/~shmuel>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN