On 11.06.2025 at 15:05, Roberto Halais wrote:
> I would like some feedback on what would happen if we assign passwords to
> the stcs in our z/OS environment.
> At this moment the stcs have no passwords assigned to them.

1. Your setup is proper. Don't change it.
2. Nobody mentioned it, but in the old days (AFAIK until OS/390 2.9)
there was no PROTECTED userid. So, every user had a password! The rule
for STC users was to assign some random password and forget it.
3. As was already mentioned, some malicious person can intentionally
try to log on using such a userid, and after some invalid passwords he will
block (revoke) the userid. However, even then the STC would work. Why?
"REVOKE" does matter during the logon process, but assigning a userid to an STC
is not a logon process.
4. Many moons after the PROTECTED attribute was invented there was another
change: no default password.
Unfortunately, before that, a user created without the PASS() parameter got a
default password, which was his DFLTGRP (group name).
AND THIS IS THE REAL PROBLEM.
Why?
Imagine some STC userids created with no PASSWORD and without the NOPASSWORD
parameter. Then such a userid is *not* PROTECTED. Such a userid does have a
password - its group name. The password is expired.
Then any user can use this userid, change the password and start using it.
Not for TSO, because most STC users have no TSO segment, but batch is
OK. Needless to say, such an STC userid can have an extraordinary set of
authorities.
5. Last, but not least: some STC userids need a password. It is related
to PassTickets, which require the password, although it does not use it.
--
Radoslaw Skorupka
Lodz, Poland
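
An added example, not part of the original message: an offline check for the condition in points 3 and 4, flagging STC userids whose RACF LISTUSER output lacks the PROTECTED attribute. The sample output is constructed and abbreviated, and the list of STC userids passed in is an assumption (in practice it would come from your STARTED class profiles or ICHRIN03 table).

```python
import re

# Constructed, abbreviated LISTUSER output (not from a real system).
SAMPLE_LISTUSER = """\
USER=STCGOOD   NAME=STARTED TASK A   OWNER=SYSADM   CREATED=99.123
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A     PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
USER=STCOLD    NAME=STARTED TASK B   OWNER=SYSADM   CREATED=97.045
 DEFAULT-GROUP=STCGRP   PASSDATE=00.000  PASS-INTERVAL=180 PHRASEDATE=N/A
 ATTRIBUTES=NONE
USER=STCREV    NAME=STARTED TASK C   OWNER=SYSADM   CREATED=98.200
 DEFAULT-GROUP=OPSGRP   PASSDATE=00.000  PASS-INTERVAL=180 PHRASEDATE=N/A
 ATTRIBUTES=REVOKED
"""

def parse_listuser(text):
    """Return {userid: {"group", "passdate", "attrs"}} parsed from LISTUSER output."""
    users, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*USER=(\S+)", line)
        if m:
            cur = users.setdefault(m.group(1), {"group": None, "passdate": None, "attrs": set()})
            continue
        if cur is None:
            continue
        for key, pat in (("group", r"DEFAULT-GROUP=(\S+)"), ("passdate", r"PASSDATE=(\S+)")):
            m = re.search(pat, line)
            if m:
                cur[key] = m.group(1)
        m = re.match(r"\s*ATTRIBUTES=(.*)", line)
        if m:  # a profile may show several ATTRIBUTES= lines; accumulate them all
            cur["attrs"].update(m.group(1).split())
    return users

def audit_stc_userids(text, stc_userids):
    """List STC userids that are missing from the output or are not PROTECTED."""
    users, findings = parse_listuser(text), []
    for uid in stc_userids:
        info = users.get(uid)
        if info is None:
            findings.append({"userid": uid, "issue": "no profile in output"})
        elif "PROTECTED" not in info["attrs"]:
            # REVOKED is not a substitute: per point 3 the STC still runs when revoked.
            findings.append({"userid": uid, "issue": "not PROTECTED", "dfltgrp": info["group"],
                             "passdate": info["passdate"], "revoked": "REVOKED" in info["attrs"]})
    return findings

if __name__ == "__main__":
    for f in audit_stc_userids(SAMPLE_LISTUSER, ["STCGOOD", "STCOLD", "STCREV", "STCMISS"]):
        print(f)
```
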