On Sun, 15 Mar 2015 12:58:24 -0700, Charles Mills <[email protected]> wrote:
>Agree with Gil's last comment 100%. Or give me an option: program Y does not >need authorization any more than it would if called natively. Why can't I have >the option to LINK to it APF=NO? > >FWIW, 'Y' will be hard-coded, and the user does not pass addresses, only >character strings, which I pass unmodified to Y. > I'm afraid that's not necessarily good enough, Charles. Some of the issues alluded to with SMP/E and security elsewhere in this thread (and at long length earlier in the IBM-MAIN archives) involved situations where the user supplies character string parameters or control statements to non-APF utilities invoked by the APF-authorized SMP/E. It really comes down to knowing what the utility is that you're invoking, and what kind of parameters and control statements it will process, before you can know if it's safe. -- Walt ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
