Edward Gould <[email protected]>
October 30, 2017 at 2:26 PM
Semi on topic.
Have any of you seen the “video” that claims that they can bypass
system integrity with one program?
I saw one such presentation and asked the golden question about update
access to an APF library.
They never got around to answering my question.
BTW: IIRC it was some dog and pony show to sell you security. It's been
a couple of months and I just don't remember the name.
Ed
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
Please be alert for any emails that may ask you for login information
or direct you to login via a link. If you believe this message is a
phish or aren't sure whether this message is trustworthy, please send
the original message as an attachment to '[email protected]'.
Steve Smith <[email protected]>
October 30, 2017 at 10:15 AM
There is no need here to document the exact methods the OP used to
bypass restrictions and violate system integrity. It's not hard to
figure out if you have much experience.
Given access to an APF-authorized library, one can do whatever one
wants, regardless of the "rules".
sas
Peter Hunkeler <[email protected]>
October 30, 2017 at 2:53 AM
The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, or by the
TSO/E Session Manager (when Session Manager is the EXEC PGM= on the logon
proc). Attaching the TMP by any other program is unsupported.
Attaching the TMP in an IMS dependent region or a CICS AOR will violate the
System Integrity and thus the security of your system, since it will allow the
unauthorized transaction programs in those regions to take over the system in
any way that they desire.
This raises the question then, why does IKJEFTxx *not* check this and fail if
not run as job step task?
Because it requires APF to invoke the TMP. And if you allow your CICS or IMS to
run APF, this is the least of your problems.
In the first paragraph, there is no talk about APF. When it comes to running
things with APF when they should not, I fully agree.
I understand the comment to say that running PGM A via EXEC PGM=A, and then PGM
A attaches or links to IKJEFTxx, this is not supported. If this means that
things may not work as expected, there is no support. If this means that things
may not work as expected *and* things may endanger system integrity, then I
think it should not be possible to get into that situation (as unauthorized
program).
But, even if the region controllers in IMS and CICS run authorized (I guess
they do), they are designed to run application (transaction) programs with only
problem state authority. Why would the TMP be attached in a different mode if it
were run as a transaction program?
--
Peter Hunkeler
Binyamin Dissen <[email protected]>
October 29, 2017 at 3:07 PM
On Sun, 29 Oct 2017 16:00:20 +0100 Peter Hunkeler <[email protected]> wrote:
:>>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx,
:>>or by the TSO/E Session Manager (when Session Manager is the EXEC PGM=
:>>on the logon proc). Attaching the TMP by any other program is unsupported.
:>>Attaching the TMP in an IMS dependent region or a CICS AOR will
:>>violate the System Integrity and thus the security of your system,
:>>since it will allow the unauthorized transaction programs in those
:>>regions to take over the system in any way that they desire.
:>This raises the question then, why does IKJEFTxx *not* check this
:>and fail if not run as job step task?
Because it requires APF to invoke the TMP. And if you allow your CICS
or IMS to run APF, this is the least of your problems.
MVS provides the child hammer for non-APF and the real hammer for APF. You
want to use it on your toes, go ahead.
--
Binyamin Dissen <[email protected]>
http://www.dissensoftware.com
Director, Dissen Software, Bar & Grill - Israel
Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.
I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.
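The practical check behind "if you allow your CICS or IMS to run APF, this is the least of your problems" is whether a region's STEPLIB concatenation is entirely APF-authorized. The following is an added Python example, not code from the thread or from IBM: it parses a small JCL stream and reports, per step, whether the STEPLIB could confer APF authorization. The rule it applies is standard MVS behaviour (every data set in the concatenation must be in the APF list, or the whole concatenation is unauthorized); the step still needs a program link-edited with AC=1 to actually run authorized, which JCL alone cannot show, so the result is "could be authorized", not "is". The job, step and program names (XYZREGN, SITE.AUTHLIB, SITE.LOADLIB, APPL.TXN.LOAD) and the APF list are constructed sample input, not taken from any real system; JOBLIB is deliberately not modelled.

```python
"""Added example (not from the IBM-MAIN thread): audit which job steps in a
JCL stream have a fully APF-authorized STEPLIB. All names below are made up."""
import re

# Constructed APF list (the kind of content D PROG,APF reports).
APF_LIST = {"SYS1.LINKLIB", "SYS1.LPALIB", "SITE.AUTHLIB"}

# Constructed JCL: two hypothetical region-style steps and one batch TSO step.
SAMPLE_JCL = """\
//REGIONS  JOB (ACCT),'STEPLIB AUDIT',CLASS=A
//*  REGNA mixes an APF library with non-APF ones -> whole STEPLIB unauthorized
//REGNA    EXEC PGM=XYZREGN,REGION=0M
//STEPLIB  DD DSN=SITE.AUTHLIB,DISP=SHR
//         DD DSN=SITE.LOADLIB,DISP=SHR
//         DD DSN=APPL.TXN.LOAD,DISP=SHR
//*  REGNB has an all-APF STEPLIB -> authorized if XYZREGN is linked AC=1
//REGNB    EXEC PGM=XYZREGN,REGION=0M
//STEPLIB  DD DSN=SITE.AUTHLIB,DISP=SHR
//*  The supported way to run the TMP: as a job step
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=30
//STEPLIB  DD DSN=SYS1.LINKLIB,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTCAT
/*
"""

STMT_RE = re.compile(r"^//(\S*)\s+(\S+)\s*(.*)$")   # //name op operands
PGM_RE = re.compile(r"PGM=([A-Z0-9@#$]+)")
DSN_RE = re.compile(r"DSN(?:AME)?=([A-Z0-9@#$.]+)")


def parse_steps(jcl):
    """Return one dict per EXEC step: step name, PGM=, and DD -> [DSN, ...].

    An unnamed DD statement continues the previous DD's concatenation.
    In-stream data, JOB statements and EXEC statements end a concatenation.
    """
    steps, step, dd = [], None, None
    for line in jcl.splitlines():
        if line.startswith("//*"):          # comment: does not break a concatenation
            continue
        if not line.startswith("//"):       # in-stream data or /* delimiter
            dd = None
            continue
        m = STMT_RE.match(line)
        if not m:
            continue
        name, op, operands = m.groups()
        if op == "EXEC":
            pm = PGM_RE.search(operands)
            step = {"step": name, "pgm": pm.group(1) if pm else None, "dd": {}}
            steps.append(step)
            dd = None
        elif op == "DD" and step is not None:
            if name:                        # named DD starts a new allocation
                dd = name
                step["dd"].setdefault(dd, [])
            if dd is None:                  # DD before any EXEC in this step
                continue
            dm = DSN_RE.search(operands)
            if dm:
                step["dd"][dd].append(dm.group(1))
        else:                               # JOB or anything else
            dd = None
    return steps


def steplib_status(step, apf_list):
    """(could_be_authorized, offending_libraries) for one step's STEPLIB.

    could_be_authorized is None when the step has no STEPLIB at all; it would
    then fall back to JOBLIB or the link list, which this example does not judge.
    """
    concat = step["dd"].get("STEPLIB")
    if concat is None:
        return None, []
    offenders = [ds for ds in concat if ds not in apf_list]
    return not offenders, offenders


def audit_jcl(jcl, apf_list):
    """Map step name -> {pgm, steplib_apf, unauthorized} for every step."""
    report = {}
    for step in parse_steps(jcl):
        ok, offenders = steplib_status(step, apf_list)
        report[step["step"]] = {"pgm": step["pgm"],
                                "steplib_apf": ok,
                                "unauthorized": offenders}
    return report


if __name__ == "__main__":
    labels = {True: "APF-capable", False: "NOT authorized", None: "no STEPLIB"}
    for name, info in audit_jcl(SAMPLE_JCL, APF_LIST).items():
        print(f"{name:<8} PGM={info['pgm']:<8} STEPLIB {labels[info['steplib_apf']]}"
              f" {info['unauthorized']}")
```

On a real system the APF list would come from D PROG,APF (or the PROGxx members) rather than a hard-coded set, and the steps flagged APF-capable are the ones to review: only those can legitimately attach the TMP, and a region that appears there is exactly the situation the thread warns about.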
Peter Hunkeler <[email protected]>
October 29, 2017 at 11:00 AM
The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, or by the
TSO/E Session Manager (when Session Manager is the EXEC PGM= on the logon
proc). Attaching the TMP by any other program is unsupported.
Attaching the TMP in an IMS dependent region or a CICS AOR will violate the
System Integrity and thus the security of your system, since it will allow the
unauthorized transaction programs in those regions to take over the system in
any way that they desire.
This raises the question then, why does IKJEFTxx *not* check this and fail if
not run as job step task?
--
Peter Hunkeler