On 9/22/2017 4:19 PM, Rob Schramm wrote:
Possible is in the eye of the coder. Most everything "can" be done.
Whether it is a good idea or not is another discussion (i.e. Walt's
comment).
I can break MVS integrity, security etc etc. Just look at
www.krisecurity.com for examples found on how to break integrity. There
are loads of ways to do it.
I can't help but agree with Walt that without very careful consideration,
dynamic STEPLIBs might be a terrible thing.
Rob

On Fri, Sep 22, 2017 at 4:11 PM Blaicher, Christopher Y. <[email protected]> wrote:
I think you are a little off. A static concatenation cannot result in a
mix of authorized and unauthorized libraries and the program running
authorized.
Contents supervisor, when it goes to load the first module from EXEC PGM=
checks the JOBLIB or STEPLIB for all libraries to be authorized, else the
program while still being loaded will not run authorized. If the program
is being loaded from the LINKLST, it checks that the library it is being
loaded from is authorized, otherwise it once again runs as unauthorized.
At some later point, a load of a module from a library in the LINKLST
that is not authorized, or a directed LOAD/LINK/ATTACH/XCTL with a
non-authorized library specified, will result in an ABEND.
I hope the writers of the STEPLIB concatenation routine were thorough
enough to check the current authorization status of the job step and, if it
is running authorized, validate that the library being added is also
authorized. Otherwise the concatenation should fail.
If your shop has this function, I would verify that you cannot add an
unauthorized library to a STEPLIB or JOBLIB. If you can, you have just
left a hole the size of the Lincoln Tunnel in your system.
Chris Blaicher
Technical Architect
Mainframe Development
P: 201-930-8234 | M: 512-627-3803
E: [email protected]
Syncsort Incorporated
2 Blue Hill Plaza #1563
Pearl River, NY 10965
www.syncsort.com
Dynamic STEPLIB is designed to run under TSO. It provides the ability
to satisfy CALL/LINK/ATTACH modules in ISPF for testing, multiple
releases, etc. Some ill-behaved ISPF apps don't use SELECT PGM, so they
have to be available in the standard search order. Nice apps like QMF
provide a DD like DSQLLIB and then load from there. For those that
don't, we need Dynamic STEPLIB. APF authorization should not be an
issue, because if you're trying to run TSO authorized, you've already lost.
Regards,
Tom Conley
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN