Attaching the TMP from an unauthorized program will simply not work, with no system integrity exposure. The TMP will fail when it tries to do something which requires authorization, and that would be the case if someone tried to attach the TMP from an unauthorized CICS or IMS transaction program.

Jim Mulder z/OS Diagnosis, Design, Development, Test IBM Corp. Poughkeepsie NY

IBM Mainframe Discussion List <[email protected]> wrote on 10/30/2017 02:53:00 AM:

> >>>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx,
> or by the TSO/E Session Manager (when Session Manager is the EXEC
> PGM= on the logon proc). Attaching the TMP by any other program is
> unsupported.
>
> >>>Attaching the TMP in an IMS dependent region or a CICS AOR will
> violate the System Integrity and thus the security of your system,
> since it will allow the unauthorized transaction programs in those
> regions to take over the system in any way that they desire.
>
> >>This raises the question then, why does IKJEFTxx *not* check this
> and fail if not run as job step task?
>
> >Because it requires APF to invoke the TMP. And if you allow your
> CICS or IMS to run APF, this is the least of your problems.
>
> In the first paragraph, there is no talk about APF. When it comes to
> running things with APF when they should not, I fully agree.
> I understand the comment to say that running PGM A via EXEC PGM=A,
> and then PGM A attaches or links to IKJEFTxx, this is not supported.
> If this means that things may not work as expected, there is no
> support. If this means that things may not work as expected *and*
> things may endanger system integrity, then I think it should not be
> possible to get into that situation (as unauthorized program).
>
>
> But, even if the region controllers in IMS and CICS run authorized
> (I guess they do), they are designed to run application
> (transaction) programs with only problem state authority. Why would
> the TMP be attached in a different mode it run as transaction program?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
