As far as the system is concerned, there is no integrity issue. You may think it creates an integrity issue. The assumption by the system is that if a program is in a authorized library, then it is secure and you the user are not putting malicious code in your authorized libraries.
As long as the initially called program (PGM=pgmname) is authorized and loaded from an authorized library, AND the libraries that all called routines are loaded from are authorized, then everything runs in authorized mode, even if the called routine is not marked AC=1. There are lots of rules around authorization. If you are running with a STEPLIB or JOBLIB, then all libraries in the concatenation must be authorized, otherwise none are considered authorized. Not all libraries in the link list are necessarily authorized, depending on the setting of LNKAUTH in IEASYSxx. In that case, when running with LNKAUTH=APFTAB and you load a routine from a non-authorized library in the linklist you lose authorization, and it will never be turned back on for the duration of the step. Chris Blaicher Principal Software Engineer, Software Development Syncsort Incorporated 50 Tice Boulevard, Woodcliff Lake, NJ 07677 P: 201-930-8260 | M: 512-627-3803 E: [email protected] -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Charles Mills Sent: Sunday, March 15, 2015 12:04 PM To: [email protected] Subject: Re: APF-authorized calling non-authorized Thanks. In my case the called program is a pre-existing utility that is shipped AC=0 in an APF library. To confirm: there is no integrity issue introduced here, right? The called program will run non-authorized, correct? Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Binyamin Dissen Sent: Sunday, March 15, 2015 8:57 AM To: [email protected] Subject: Re: APF-authorized calling non-authorized On Sun, 15 Mar 2015 06:38:37 -0700 Charles Mills <[email protected]> wrote: :>Am I RTFM correctly? An APF-authorized program may successfully call a :>non-APF-authorized program, provided the called program resides in an :>APF-authorized library? :>The called program need not be AC=0, but its containing load library must be :>in the APF library list. Is that correct? That is the standard way. Only the main program should be marked AC=1 - the subroutines AC=0. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ________________________________ ATTENTION: ----- The information contained in this message (including any files transmitted with this message) may contain proprietary, trade secret or other confidential and/or legally privileged information. Any pricing information contained in this message or in any files transmitted with this message is always confidential and cannot be shared with any third parties without prior written approval from Syncsort. This message is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any use, disclosure, copying or distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or Syncsort and destroy all copies of this message in your possession, custody or control. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
