On Fri, 29 Apr 2016 07:15:09 -0400, Robert S. Hansel (RSH) <[email protected]> wrote:
>(Cross-posting to RACF-L)
>
>Mark,
>
>If this works as per my interpretation, then I think the concerns raised by
>others are valid. If I can create an alias with a name to which I have access
>that points to a dataset to which I do not have access, I've now circumvented
>access controls for the latter.

Unless my testing is invalid, I've already confirmed this is NOT true. The real data set name is checked for access as well.

I wouldn't have thought IBM could be that inept to do something like that and create the biggest security hole ever seen on this platform (at least that I could recall)! Especially in the service stream.

Best regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:[email protected]
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/
