One consequence of 'APF inheritance' is that sometimes a whole product gets sucked in. For example, CPCS did a lot of software sorting, so the corporate sort product had to be authorized. Maybe not such a big deal, but sort products end to have exit points (E15, etc.) that could potentially be hijacked to do mischief. I would like to think that by now most of these problems have designed out...
. . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW [email protected] -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Charles Mills Sent: Monday, July 16, 2018 9:51 AM To: [email protected] Subject: (External):Re: Linklist and APF > even programs marked AC=0 but called in that fashion will run > authorized It is the jobstep that is APF-authorized. Any code in the address space, no matter how it got there*, will effectively "run authorized." *Yes, I know there are restrictions on how you can get code there**, but having gotten it there, no matter how you got it there, it will "run authorized." **No fetches from unauthorized libraries, for example. But you could build machine code yourself in a GETMAIN area and it will "run authorized." No AC=anything at all. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin Sent: Monday, July 16, 2018 9:33 AM To: [email protected] Subject: Re: Linklist and APF On Mon, 16 Jul 2018 16:07:38 +0000, Jesse 1 Robinson wrote: >The shop I worked in was a bank that ran IBM's CPCS check processing software. >I don't know why, but the main CPCS task had to run APF and required that all >called programs also come from APF libraries. Even the most ho-hum benign >programs. > Well, yes , but even programs marked AC=0 but called in that fashion will run authorized and must be subject to the same security scrutiny as the parent. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
