I think you are a little off. A static concatenation cannot result in a mix of authorized and unauthorized libraries and the program running authorized.
Contents supervisor, when it goes to load the first module from EXEC PGM= checks the JOBLIB or STEPLIB for all libraries to be authorized, else the program while still being loaded will not run authorized. If the program is being loaded from the LINKLST, it checks that the library it is being loaded from is authorized, otherwise it once again runs as unauthorized. If at some later point a load of a module from a library in the LINKLST that is not authorized, or a directed LOAD/LINK/ATTACH/XCTL with a non-authorized library specified, will result in an ABEND. I hope the writers of the STEPLIB concatenation routine were through enough to check the current authorization status of the job step and, if it is running authorized, validated that the library being added is also authorized. Otherwise the concatenation should fail. If your shop has this function, I would verify that you cannot add an unauthorized library to a STEPLIB or JOBLIB. If you can, you have just left a hole the size of the Lincoln Tunnel in your system. Chris Blaicher Technical Architect Mainframe Development P: 201-930-8234 | M: 512-627-3803 E: [email protected] Syncsort Incorporated 2 Blue Hill Plaza #1563 Pearl River, NY 10965 www.syncsort.com Data quality leader Trillium Software is now a part of Syncsort. -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of David W Noon Sent: Friday, September 22, 2017 3:53 PM To: [email protected] Subject: Re: Dynamic Steplib and z/OS 2.3? On Fri, 22 Sep 2017 13:14:52 -0500, Walt Farrell ([email protected]) wrote about "Re: Dynamic Steplib and z/OS 2.3?" (in <[email protected]>): > On Fri, 22 Sep 2017 10:40:59 -0500, Paul Gilmartin <[email protected]> > wrote: > >> Dynamic STEPLIB has been discussed in these fora so often that I >> suspect it's the subject of numerous RFEs. I suspect there are >> technical reasons that IBM has not rushed to provide the function. >> Is the design of OS/360 such that any dynamic STEPLIB would be >> incomplete or have unintended consequences? > > Any dynamic STEPLIB functionality introduces potential System > Integrity> exposures, because some parts (modules) of a program may > have been loaded> from one library and others from a different, incompatible library. Such an exposure can just as easily occur from a static concatenation for STEPLIB/JOBLIB, so allowing dynamic allocation is not a significant increase in such exposure. It is up to the site's programmers to ensure that the load libraries in use in a job step are mutually compatible. -- Regards, Dave [RLU #314465] *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* [email protected] (David W Noon) *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ________________________________ ATTENTION: ----- The information contained in this message (including any files transmitted with this message) may contain proprietary, trade secret or other confidential and/or legally privileged information. Any pricing information contained in this message or in any files transmitted with this message is always confidential and cannot be shared with any third parties without prior written approval from Syncsort. This message is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any use, disclosure, copying or distribution of this message, in any form, is strictly prohibited. If you have received this message in error, please immediately notify the sender and/or Syncsort and destroy all copies of this message in your possession, custody or control. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
