It has to do with the fact that the APF code itself could become
"corrupted" (if loaded into key-8 storage) by some user code running under
a different TCB. Or that some key 8 storage area used by the APF code could
be "corrupted" by user code running on a different TCB. This "corruption"
could be either due to poor coding, or even a malicious attempt to get
non-APF code running in APF mode.

TSO has an interface, IKJEFTSR, which can run APF "safely" under TSO. But
it does this by using a separate TCB structure to run the APF code and
doing a STATUS STOP on all the other TCBs in the address space. Well, most
of them, anyway. However, things running via IKJEFTSR cannot do ISPF
functions for the very same reason. The ISPF code runs on a different TCB
and that TCB is in a more or less "hard" wait.

ref:
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ikj4b780/23.1
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ikj4b780/23.1.2




On Tue, Mar 4, 2014 at 9:51 AM, Leonardo Vaz <[email protected]> wrote:

> True, I have never understood that either, gil.
>
> It might have more to do with executing the program in the appropriate TCB than
> a security exposure.
>
> Leo
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Paul Gilmartin
> Sent: Tuesday, March 04, 2014 10:25 AM
> To: [email protected]
> Subject: Re: ISPF storage protection
>
> On Tue, 4 Mar 2014 08:54:43 -0500, Shmuel Metz (Seymour J.) wrote:
>
> >In <[email protected]>, on
> >03/03/2014
> >   at 06:14 PM, Paul Gilmartin <[email protected]> said:
> >
> >>I have no idea why APF authorized library and link edit with AC=1
> >>alone don't suffice.
> >
> >Because it would be a major security breach.
> >
> That doesn't tell me much.
>
> Why?  How?  Would it be any less a security breach to invoke such a
> program from JCL with "EXEC PGM=..." which likewise causes it to run in the
> authorized state?
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
>



-- 
Wasn't there something about a PASCAL programmer knowing the value of
everything and the Wirth of nothing?

Maranatha! <><
John McKown
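
The exposure described in the message above, as an added example that is not part of the original post and is not z/OS code: a simplified Python model of key-controlled storage protection and TCB dispatchability. The class and function names are hypothetical, and the model stops every other TCB, whereas the post notes that the real interface stops only most of them.

```python
# Simplified model (added illustration, not z/OS code): a store succeeds only
# when the PSW key is 0 or equals the storage key, and only for a TCB that is
# still dispatchable. All names here are hypothetical.
from dataclasses import dataclass

@dataclass
class Task:                       # stands in for a TCB
    name: str
    psw_key: int                  # PSW access key the task runs with
    dispatchable: bool = True     # False after the modelled STATUS STOP

class AddressSpace:
    def __init__(self):
        self.storage = {}         # area name -> [storage key, contents]
        self.tasks = []

    def getmain(self, area, key, contents):
        self.storage[area] = [key, contents]

    def store(self, task, area, contents):
        """Attempt a store; return True if the contents were changed."""
        if not task.dispatchable:
            return False          # a stopped TCB never gets to run
        key = self.storage[area][0]
        if task.psw_key != 0 and task.psw_key != key:
            return False          # key mismatch: protection exception
        self.storage[area][1] = contents
        return True

    def status_stop_others(self, keep):
        """Model of STATUS STOP: all TCBs except `keep` become non-dispatchable."""
        for t in self.tasks:
            t.dispatchable = t is keep

def demo():
    asp = AddressSpace()
    user = Task("user-tcb", psw_key=8)   # ordinary user code
    apf = Task("apf-tcb", psw_key=8)     # TCB running the APF program
    asp.tasks += [user, apf]
    # Case 1: APF code sits in key-8 storage and the user TCB is free to run.
    asp.getmain("apf_code", key=8, contents="original")
    shared = asp.store(user, "apf_code", "patched")    # same key: store works
    # Case 2: same storage, but the other TCBs are stopped first.
    asp.getmain("apf_code", key=8, contents="original")
    asp.status_stop_others(keep=apf)
    stopped = asp.store(user, "apf_code", "patched")   # user TCB cannot run
    # Case 3: storage in a system key is out of reach of a key-8 task anyway.
    user.dispatchable = True
    asp.getmain("sys_code", key=0, contents="original")
    key0 = asp.store(user, "sys_code", "patched")
    return shared, stopped, key0, asp.storage["apf_code"][1]
```
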