The situation would be that the client routes a command to the server on the host which routes it to a dependent ASID. The DA gets the ACEE of the user and executes the command via IKJEFTSR. The command is one of a suite of Rexx execs in a library allocated to the DA which executes ISPF services (e.g., to copy some members). Without wilful collaboration of a sysprog I am struggling to see how this could be subverted by a malicious user. However, if you can see something please let me know!

Thanks
Robin

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tom Marchant
Sent: 19 May 2017 01:47
To: [email protected]
Subject: Re: ATTACH with RSAPF=YES

On Thu, 18 May 2017 08:09:03 -0700, Charles Mills wrote:

>I hope you are getting the idea how risky this entire approach is. You
>are playing "you bet your mainframe." You might get it right today....

And if you don't get it right, you might discover that, or you might not. It is very difficult to demonstrate that you have not created an integrity exposure.

--
Tom Marchant

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
