The difference is that TSO (and ISPF) runs in problem state and the jobstep is
unauthorized.
In batch, when executing a program linked AC(1) that comes from a valid APF
authorized library, then the entire jobstep is considered authorized.
TSO must jump through a few hoops to attempt to provide a safe way of invoking
the authorized program - this involves having a parallel authorized jobstep TMP
task and suspending all TCBs on the non-authorized "leg" while the authorized
code is executing.
Hence the various tables in TSO (and ISPF) to define these special circumstance
commands (or programs) that can run authorized.
Throw into the ring, the confusion that can occur with TSOLIB and ISPLLIB (and
STEPLIB) - it can get messy to code applications and debug problems in this
area - especially when your code is running on other people's systems.
Rob Scott
Lead Developer
Rocket Software
77 Fourth Avenue . Suite 100 . Waltham . MA 02451-1468 . USA
Tel: +1.781.684.2305
Email: [email protected]
Web: www.rocketsoftware.com
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Leonardo Vaz
Sent: 04 March 2014 15:51
To: [email protected]
Subject: Re: ISPF storage protection
True, I have never understood that either, gil.
It might have more to do with executing the program in the appropriate TCB than a
security exposure.
Leo
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Paul Gilmartin
Sent: Tuesday, March 04, 2014 10:25 AM
To: [email protected]
Subject: Re: ISPF storage protection
On Tue, 4 Mar 2014 08:54:43 -0500, Shmuel Metz (Seymour J.) wrote:
>In <[email protected]>, on
>03/03/2014
> at 06:14 PM, Paul Gilmartin <[email protected]> said:
>
>>I have no idea why APF authorized library and link edit with AC=1
>>alone don't suffice.
>
>Because it would be a major security breach.
>
That doesn't tell me much.
Why? How? Would it be any less a security breach to invoke such a program
from JCL with "EXEC PGM=..." which likewise causes it to run in the authorized
state?
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN