On Sun, 15 Mar 2015 13:40:54 -0400, Shmuel Metz (Seymour J.) wrote:

> on 03/15/2015 at 06:43 PM, Binyamin Dissen said:
>
>>Since it is placed in an APF library, the installation (or IBM)
>>has declared that it will not create an exposure.
>
>Not even close. All that IBM has declared is that none of the AC(1)
>routines will call anything that cannot safely run authorized. An
>AC(0) routine in an authorized library that is never called from an
>AC(1) routine does not create a security exposure. IBM has declared
>that if you write an AC(1) routine it is your responsibility to only
>call things that you know are safe.
>  
More precisely, I believe that it is the responsibility of an AC(1) routine
to call an AC(0) routine only in a fashion known to be safe.  For
example, if the caller passes the address of a reply buffer, that buffer
must not overlay storage in a way that threatens integrity.  It is
the responsibility of an AC(0) routine residing in an authorized
library, then, to perform only documented actions, lest any side
effect threaten system integrity.

It is widely suspected that this requirement is the basis for the
five-year-old rule that a high level of RACF authorization is needed
to use SMP/E: SMP/E, AC(1) in an authorized library, invokes many
utilities (in fact selectable by the programmer) marked AC(0).  It's
unrealistic to expect SMP/E to ensure the integrity of everything it
calls, so the responsibility (or at least any blame) is shifted to the
programmer using SMP/E.

Is the name of subroutine "Y" hardcoded in Charles's "X", or is
the end user of "X" allowed to select "Y" as a parameter?

Naive design of z/OS -- it would be better if such utilities could
be invoked in a fenced environment, such as a separate address
space, so they could do no harm.

-- gil
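The point made above about a caller-supplied reply buffer (it must not overlay storage the service has no business writing) is the classic confused-deputy check an authorized routine has to make. As an added illustration that is not part of the original message or of any IBM code, the C program below models it: a byte array stands in for the address space, a constructed range stands in for protected storage, and the same service is shown once trusting the address it is handed and once validating it, including the address wrap-around case. The names reply_buffer_is_safe, unchecked_reply, checked_reply and the memory layout are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not z/OS code): a 4 KiB byte array stands in for the
   address space, and "addresses" are offsets into it. The range
   [PROT_START, PROT_END) plays the role of system-key storage that an
   unauthorized caller must never be able to direct the service to write. */
#define SIM_SIZE   4096u
#define PROT_START 2048u
#define PROT_END   3072u

static unsigned char sim_memory[SIM_SIZE];

/* True if [addr, addr+len) lies inside simulated memory, does not wrap
   around the address space, and does not overlap the protected range. */
bool reply_buffer_is_safe(uintptr_t addr, size_t len)
{
    if (len == 0)
        return true;
    /* Compute the inclusive last byte without letting addr + len wrap. */
    if (addr > UINTPTR_MAX - (uintptr_t)(len - 1))
        return false;
    uintptr_t last = addr + (uintptr_t)(len - 1);      /* inclusive */
    if (last >= SIM_SIZE)
        return false;                                  /* outside the model */
    /* [addr, last] overlaps [PROT_START, PROT_END) iff it starts before the
       protected range ends and ends at or after the protected range starts. */
    if (addr < PROT_END && PROT_START <= last)
        return false;
    return true;
}

/* The service as a naive AC(0) routine would write it: it trusts whatever
   buffer address it is handed. Bounded to the simulated array only so the
   demonstration itself cannot crash. */
int unchecked_reply(uintptr_t addr, size_t len)
{
    if (addr >= SIM_SIZE || len > SIM_SIZE - addr)
        return -1;
    memset(sim_memory + addr, 0xAA, len);              /* the "reply" data */
    return 0;
}

/* The same service with the caller-supplied buffer validated before use.
   Returns 0 on success, -1 when the buffer is rejected. */
int checked_reply(uintptr_t addr, size_t len)
{
    if (!reply_buffer_is_safe(addr, len))
        return -1;
    memset(sim_memory + addr, 0xAA, len);
    return 0;
}

/* Number of protected bytes that have been modified (0 means intact). */
size_t protected_bytes_modified(void)
{
    size_t n = 0;
    for (uintptr_t a = PROT_START; a < PROT_END; a++)
        if (sim_memory[a] != 0)
            n++;
    return n;
}

int main(void)
{
    /* A caller whose reply buffer straddles the protected boundary. */
    uintptr_t bad_addr = PROT_START - 16;
    size_t    bad_len  = 64;

    printf("checked_reply   -> %d, protected bytes modified: %zu\n",
           checked_reply(bad_addr, bad_len), protected_bytes_modified());
    printf("unchecked_reply -> %d, protected bytes modified: %zu\n",
           unchecked_reply(bad_addr, bad_len), protected_bytes_modified());
    return 0;
}
```

The table-of-ranges check is only a model of the principle; on z/OS the usual mitigation is to access the caller's storage in the caller's key rather than to consult an address list, so that hardware protection rather than a software table decides. Whatever form the check takes, the validated address and length must be the ones actually used for the write, otherwise a caller that can change them between check and use defeats it.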

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
