On Sun, Sep 17, 2017 at 12:00 AM, IBM-MAIN automatic digest system <lists...@listserv.ua.edu> wrote:
> There are 3 messages totaling 156 lines in this issue.
>
> Topics of the day:
>
>   1. STC - APF - confusion (2)
>   2. re-Initialize different types of VSAM files
>
> ----------------------------------------------------------------------
>
> Date:    Sat, 16 Sep 2017 18:33:17 +0000
> From:    scott Ford <idfli...@gmail.com>
> Subject: STC - APF - confusion
>
> All,
>
> I have a COBOL-written STC that is a single-thread socket server. It
> receives messages that are RACF commands and then calls a module which
> calls r_admin. My question is this: when I initially started working with
> this code, it was AC(1); I didn't think anything about it.
> But we are in the process of building a CI process; the STC main program
> was bound as AC(0).
> The client made the RACF call; it failed with Saf=8, RACF=16,
> RACF-reason-code=8, 'insufficient authority'.
> The calling module was AC(0) also. At this point I knew what it was,
> re-assembled the called program to be AC(1), and everything in 'Dodge'
> was good; it worked.
>
> Now the question: I want to run an STC as AC(0) and have the caller as
> described above.
> I am concerned about the security hole that is open; the call lasts a few
> ms, if that.
> The second question is about how it works. Since I am dealing with COBOL
> in the APF arena, does it behave the same?
>
> Thanks in advance,
>
> Scott
> --
> Scott Ford
> IDMWORKS
> z/OS Development
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ------------------------------
>
> Date:    Sat, 16 Sep 2017 19:43:34 +0000
> From:    "Blaicher, Christopher Y." <cblaic...@syncsort.com>
> Subject: Re: STC - APF - confusion
>
> Here it is as simply as I can put it.
>
> If the first program executed by an EXEC PGM= is AC(1), AND ALL the
> STEPLIB libraries, if any, are APF authorized, then all the
> branched/LINK/LOAD or ATTACH programs run authorized. If any library in
> the STEPLIB concatenation is unauthorized, it is like they were all
> unauthorized.
>
> OK. There are always some caveats, so here is the one I remember. If you
> LINK/LOAD/ATTACH a program from a library in the LNKLIST and you have only
> authorized individual libraries in the list, rather than the whole list,
> and you are calling a module in one of those unauthorized libraries, then
> your job (and I can't remember which) either becomes unauthorized or it
> fails with an abend.
>
> Now to the second part of your question. It doesn't matter what language
> the program was written in.
>
> And the third part. If the STC (A) is authorized and listening on a
> socket, and another program (B) puts a message on the socket for program A
> to do something with it, no problem. A stays authorized and it doesn't
> matter what state B is in.
>
> If the STC (A) is running AC(0) and (B) is authorized and puts something
> on the socket, (A) stays unauthorized.
>
> Remember, authorization occurs at the address space level. And once you
> do something to lose authorization, it is gone for good.
>
> OK, I know there are those of you out there saying you can get it back,
> but that involves tricks of the trade that should not be present on a
> production or even test machine. Maybe on your private sandbox machine,
> but not on a production one.
>
> Chris Blaicher
> Technical Architect
> Mainframe Development
> Syncsort Incorporated
>
> ------------------------------
>
> Date:    Sat, 16 Sep 2017 22:47:40 -0500
> From:    Donald Likens <dlik...@infosecinc.com>
> Subject: re-Initialize different types of VSAM files
>
> This is for MQ but really not related. MQ has a number of VSAM files. I
> need to make these files empty for an upgrade so I can reformat them. I
> want to do this without deleting and reallocating them. These are linear
> and KSDS VSAM files. I tried allocating a new linear VSAM file and REPROing
> it over... Did not work. I tried REPROing an empty non-VSAM file over... It
> did not work.
>
> I don't have a utility that will edit VSAM anyhow; some are very big.
>
> ------------------------------
>
> End of IBM-MAIN Digest - 15 Sep 2017 to 16 Sep 2017 (#2017-259)
> ***************************************************************