On Thu, 3 Jul 2025 07:35:26 -0400, Robert S. Hansel <r.han...@rshconsulting.com> wrote:
>I don't see it as a risk because OPERCMDS access is still required.

Sadly, OPERCMDS and EMCS came long after most products were created. Any OEM product which implemented commands is potentially vulnerable because they might have an alternative implementation for OPERCMDS. For example, consider automation products.

1. RACF class for automation, which historically predates OPERCMD & EMCS. Historically, TSO OPER required the OPER segment.
2. Automation commands might not have implemented OPERCMD beyond F, P and S.
3. Automation rules to intercept commands and process them as automation commands certainly are not validating OPERCMD.
4. Automation rules to change commands on the SSI, which might even include modifying the user.

I'm only telling people about the vulnerabilities they may not have considered. By giving the profile read authority, you are giving everyone the ability to establish an EMCS console, thus opening access to commands that you falsely believe are protected by OPERCMD...

>If you want to restrict users to establishing consoles with names that are
>prefixed with their ID

My first problem is with the possible exposure caused by READ given to the profile. I have no problem with the names you give to EMCS consoles and how you coordinate them. I only remind you that there can be hidden impacts to console names. Automation products have access to console names. With EMCS allowing a user to access consoles from multiple products, do you need to distinguish between commands from z/OSMF, Unix, TSO CONSOLE, TSO OPER and more? E.g. a command repeats every 10 minutes from user xxx but there is no idea which product is generating it. I have no problem with people doing these things, but telling people you do this everywhere implies you can do this without first understanding the implications at that site.
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
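As an added illustration of the check the reply above points at (not part of the original post or of anyone in the thread), the RACF commands below show how an administrator would see who can activate an EMCS console and how to take universal READ off the profile. It assumes the profile under discussion is MVS.MCSOPER.* in the OPERCMDS class (the resource checked when a console is activated) and that OPERGRP is a placeholder operator group; both names are assumptions, not taken from the thread.

```tso
/* Added example, not from the IBM-MAIN thread.                          */
/* Assumption: the OPERCMDS profile being discussed is MVS.MCSOPER.*,      */
/* and OPERGRP is a placeholder RACF group for real operators.             */

/* 1. Check: who can activate an EMCS console today?                       */
/*    AUTHUSER shows UACC and the access list of the covering profile.     */
RLIST OPERCMDS MVS.MCSOPER.* AUTHUSER
SEARCH CLASS(OPERCMDS) FILTER(MVS.MCSOPER.**)

/* 2. Weak setting: UACC(READ) means every user can activate a console     */
/*    under any name, and from there issue whatever commands are not       */
/*    independently protected (the exposure described in the reply).      */
RDEFINE OPERCMDS MVS.MCSOPER.* UACC(READ)

/* 3. Tighter setting: no universal access; permit only the operator       */
/*    group, then add more specific generic profiles for the naming        */
/*    convention the site actually wants (e.g. per-user prefixes).         */
RALTER OPERCMDS MVS.MCSOPER.* UACC(NONE)
PERMIT MVS.MCSOPER.* CLASS(OPERCMDS) ID(OPERGRP) ACCESS(READ)

/* 4. OPERCMDS is normally RACLISTed; refresh so the change takes effect.  */
SETROPTS RACLIST(OPERCMDS) REFRESH
```

The point of step 1 is that READ on this profile is the gate to console activation itself, so it should be reviewed separately from the OPERCMDS profiles that cover individual commands; the reply's warning is precisely that the latter may not exist for OEM and automation commands.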