On Mon, Jun 25, 2018 at 9:11 AM Farley, Peter x23353 < [email protected]> wrote:
> [Slightly OT and very much tongue-in-cheek . . .]
>
> Why do all the cool things to play with (servers and worker spaces and
> TRAP and . . . ) require authorized code? That keeps inquiring minds from
> experimenting and learning the cool things on our own (since no one seems
> to want to actually pay for learning anything these days).
>

My UNIX methods don't require APF authorization to fork()/exec() or spawn() a new address space for a different user. It just requires the proper RACF authorization. Which can be very granular, allowing the same code to allow changing to "A" but not to "A1". APF is generally a way to allow advanced facilities because misuse of those facilities can cause a z/OS system failure. And IBM "Statement of Integrity" is the documentation to that effect.

https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=ZSL03361USEN&attachment=ZSL03361USEN.PDF

IBM’s commitment includes design and development practices intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security – that is, to prevent them from gaining access, circumventing, disabling, altering, or obtaining control of key z/OS system processes and resources unless allowed by the installation. Specifically, z/OS “System Integrity” is defined as the inability of any program not authorized by a mechanism under the installation’s control to circumvent or disable store or fetch protection, access a resource protected by the z/OS Security Server (RACF®), or obtain control in an authorized state; that is, in supervisor state, with a protection key less than eight (8), or Authorized Program Facility (APF) authorized. In the event that an IBM System Integrity problem is reported to IBM, IBM will always take action to resolve it in the specified operating environment for releases that have not reached their announced End of Support dates.

If you really want to learn z/OS "internals", I think that IBM's solution is (1) have a "sandbox" system where you don't care and so APF authorize just about anything; (2) shell out over USD 5000 / year for a PD&T system; (3) shell out about USD 600 (?) for a z/OS image on the Dallas Innovation Center (ISV only?). ISVs can get the zPDT, which is a slightly different version of the PD&T system. If I'm reading things correctly.

I guess "knowledge is power" and you need to pay your power bill. Or some such thing. This is why I run Linux/Intel on an Intel XEON E3 system at home. I have _no_ real support, but full source code and a "do whatever you want -- your gun; your foot" attitude from RedHat (I run Fedora).

>
> Peter
>

--
There is no such thing as the Cloud. It is just somebody else’s computer.

Maranatha! <><
John McKown
