Here it is as simply as I can put it. If the first program executed by an EXEC PGM= is AC(1), AND ALL the STEPLIB libraries, if any, are APF authorized, then all the branched/LINK/LOAD or ATTACH programs run authorized. If any library in the STEPLIB concatenation is unauthorized, it is like they were all unauthorized.

OK. There are always some caveats, so here is the one I remember. If you LINK/LOAD/ATTACH a program from a library in the LNKLIST and you have only authorized individual libraries in the list, rather than the whole list, and you are calling a module in one of those unauthorized libraries, then your job (and I can't remember which) either becomes unauthorized or it fails with an abend.
Now to the second part of your question. It doesn’t matter what language the program was written in.

And the third part. If the STC (A) is authorized and listening on a socket, and another program (B) puts a message on the socket for program A to do something with it, no problem. A stays authorized and it doesn't matter what state B is in. If the STC (A) is running AC(0) and (B) is authorized and puts something on the socket, (A) stays unauthorized.

Remember, authorization occurs at the address space level. And once you do something to lose authorization, it is gone for good. OK, I know there are those of you out there saying you can get it back, but that involves tricks of the trade that should not be present on a production or even test machine. Maybe on your private sandbox machine, but not on a production one.

Chris Blaicher
Technical Architect
Mainframe Development
P: 201-930-8234 | M: 512-627-3803
E: [email protected]

Syncsort Incorporated
2 Blue Hill Plaza #1563
Pearl River, NY 10965
www.syncsort.com

Data quality leader Trillium Software is now a part of Syncsort.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of scott Ford
Sent: Saturday, September 16, 2017 2:33 PM
To: [email protected]
Subject: STC - APF - confusion

All,

I have a COBOL written STC that is a single thread socket server. It receives messages that are RACF commands and then calls a module which calls r_admin. My question is this: when I initially started working with this code, it was AC(1), and I didn't think anything about it. But we are in the process of building a CI process; the STC main program was bound as AC(0). The client made the RACF call, and it failed with Saf=8, RACF=16, RACF-reason-code=8, 'insufficient authority'. The calling module was AC(0) also. At this point I knew what it was, re-assembled the called program to be AC(1), and everything in 'Dodge' was good; it worked.
Now the question: I want to run a STC as AC(0) and have the caller as described above. I am concerned about the security hole that is open; the call lasts a few ms, if that.

The second question is about how it works. Since I am dealing with COBOL in the APF arena, does it behave the same?

Thanks in advance,
Scott

--
Scott Ford
IDMWORKS
z/OS Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
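
The rule stated in the reply at the top of this thread (first program AC(1) and every STEPLIB library APF authorized, with one unauthorized library making the whole concatenation unauthorized) can be checked against JCL before a build is promoted. The following Python is an added example, not code from either poster or from IBM. The dataset names, the program name SRVMAIN, the APF list and the set of AC(1) programs are constructed assumptions, and each DD statement is assumed to fit on one line.

```python
import re

# Constructed sample: dataset names on the site's APF list (hypothetical names).
APF_LIBS = {"SYS1.LINKLIB", "PROD.RACFSRV.LOADLIB"}

# Constructed sample JCL: same program, two different STEPLIB concatenations.
SAMPLE_JCL = """\
//RACFSRV  EXEC PGM=SRVMAIN
//STEPLIB  DD DISP=SHR,DSN=PROD.RACFSRV.LOADLIB
//         DD DISP=SHR,DSN=SYS1.LINKLIB
//SYSOUT   DD SYSOUT=*
//CISRV    EXEC PGM=SRVMAIN
//STEPLIB  DD DISP=SHR,DSN=PROD.RACFSRV.LOADLIB
//         DD DISP=SHR,DSN=CI.BUILD.LOADLIB
"""

def steplibs_by_step(jcl):
    """Return {stepname: (pgm, [STEPLIB dsn, ...])} in concatenation order."""
    steps, current, in_steplib = {}, None, False
    for line in jcl.splitlines():
        if not line.startswith("//") or line.startswith("//*"):
            continue  # skip in-stream data and comment statements
        m = re.match(r"//(\S*)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        name, op, operands = m.groups()
        if op == "EXEC":
            pgm = re.search(r"PGM=([A-Z0-9$#@]+)", operands)
            current, in_steplib = name, False
            steps[current] = (pgm.group(1) if pgm else None, [])
        elif op == "DD" and current is not None:
            if name:  # a named DD ends any previous concatenation
                in_steplib = name == "STEPLIB"
            dsn = re.search(r"(?:DSN|DSNAME)=([A-Z0-9$#@.]+)", operands)
            if in_steplib and dsn:
                steps[current][1].append(dsn.group(1))
    return steps

def step_runs_authorized(ac1, steplibs, apf=APF_LIBS):
    """Rule from the reply: AC(1) first program AND all STEPLIB libs (if any) APF."""
    return ac1 and all(d in apf for d in steplibs)

def audit(jcl, ac1_programs, apf=APF_LIBS):
    """Return {step: (runs authorized?, [non-APF STEPLIB libraries])}."""
    report = {}
    for step, (pgm, libs) in steplibs_by_step(jcl).items():
        bad = [d for d in libs if d not in apf]
        report[step] = (step_runs_authorized(pgm in ac1_programs, libs, apf), bad)
    return report
```

Calling `audit(SAMPLE_JCL, {"SRVMAIN"})` reports the CISRV step as unauthorized because of the single non-APF library in its concatenation, even though the program itself is treated as AC(1).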
