If the exits are in a non-APF library then the concatenation will not be authorized. If the exits are in an authorized library and have not been audited, it's not my dog.
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Jesse 1 Robinson <[email protected]> Sent: Monday, July 16, 2018 6:25 PM To: [email protected] Subject: Re: Linklist and APF One consequence of 'APF inheritance' is that sometimes a whole product gets sucked in. For example, CPCS did a lot of software sorting, so the corporate sort product had to be authorized. Maybe not such a big deal, but sort products end to have exit points (E15, etc.) that could potentially be hijacked to do mischief. I would like to think that by now most of these problems have designed out... . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW [email protected] -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Charles Mills Sent: Monday, July 16, 2018 9:51 AM To: [email protected] Subject: (External):Re: Linklist and APF > even programs marked AC=0 but called in that fashion will run > authorized It is the jobstep that is APF-authorized. Any code in the address space, no matter how it got there*, will effectively "run authorized." *Yes, I know there are restrictions on how you can get code there**, but having gotten it there, no matter how you got it there, it will "run authorized." **No fetches from unauthorized libraries, for example. But you could build machine code yourself in a GETMAIN area and it will "run authorized." No AC=anything at all. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin Sent: Monday, July 16, 2018 9:33 AM To: [email protected] Subject: Re: Linklist and APF On Mon, 16 Jul 2018 16:07:38 +0000, Jesse 1 Robinson wrote: >The shop I worked in was a bank that ran IBM's CPCS check processing software. >I don't know why, but the main CPCS task had to run APF and required that all >called programs also come from APF libraries. Even the most ho-hum benign >programs. > Well, yes , but even programs marked AC=0 but called in that fashion will run authorized and must be subject to the same security scrutiny as the parent. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
