On Mon, 16 Mar 2015 08:33:31 -0700, Charles Mills <[email protected]> wrote:
> Walt, not sure how your first paragraph invalidates my request or suggestion.
>
> If an authorized program had the option to run a "sub-task" (in a very generic, non-MVS sense of the word task) non-authorized, how would doing so then present any more risk than if the user had simply submitted the "sub-task" as a job of its own, assuming the authorized software was not doing something egregiously stupid like passing a password in plaintext form or something like that.

My response was in regard to the second paragraph I quoted, not the first one. Sorry for the confusion.

I think someone else addressed that part of your question, but it comes down to the difficulty of protecting two programs from each other when they run in the same address space. For example, your APF program probably started with save areas allocated by the system in key 8. If it invokes a malicious second program that happens to run in an APF library, then that program can modify any key 8 storage you allocated, or the system allocated for you, even if that second program is somehow running without APF-authorization. And if that happens, all bets are off and you can't predict what might happen.

True, you should not have any malicious programs in an APF-authorized library, and perhaps (or even probably) you don't. But how about a malicious user who finds a way to exploit something a non-malicious program does, if that program is invoked while running authorized.

If you could tell us more about what your APF-authorized program really needs to do, then other recommendations might be possible. Other than that, I would probably go along with whoever suggested putting the authorized stuff into a PC routine. Your authorized program could create the PC routine, then completely give up authorization, then invoke the utility program, and finally invoke the PC to do the final bit of authorized processing.

> With regard to the second paragraph, how do I *know* that an IBM-supplied program is safe, other than by inspecting the source code or trusting that IBM would not ship something with security flaws? The former is not an option and the latter is kind of problematic given that people don't seem to agree on whether "without security flaws" should include the caveat that "if IBM didn't ship it AC=1, they are not claiming it is safe to run it authorized (as a "sub-task")."

That's the difficult part. To be fully safe, without either having access to the program source or trusting IBM, you won't invoke that program while you're running authorized. Instead, you'll design a different solution. (On the other hand, I do not recall you telling us which program you intend to invoke. Again, with more information, more recommendations may be possible, including people telling you whether they know of any flaws with your plan.)

Note, by the way, that IBM has never promised not to ship something with security flaws. They just commit to accept an APAR report if someone does find a security or system integrity flaw.

-- 
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
