And does the new interface in OA48124 allow a supervisor mode program to turn off the bypass, or does it need to switch to problem state if it wants SAF checking on the VSAM OPEN?
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Clark Morris <[email protected]> Sent: Thursday, July 26, 2018 9:13 PM To: [email protected] Subject: Re: A curiosity Question [Default] On 26 Jul 2018 16:54:23 -0700, in bit.listserv.ibm-main [email protected] (Walt Farrell) wrote: >On Thu, 26 Jul 2018 09:54:48 -0500, Tom Marchant <[email protected]> >wrote: > >>On Thu, 26 Jul 2018 07:50:04 -0500, Walt Farrell wrote: >> >>>On Tue, 24 Jul 2018 15:08:51 +0000, Seymour J Metz wrote: >>> >>>>Neither APF authorization nor supervisor state suspend normal SAF >>>>processing for, e.g., OPEN. If you know of a privileged application >that >>>>bypasses normal resource controls and does not require SAF authorization >>>>before doing so, then it's APAR time. >>> >>>I believe there is one exception to that, unless the behavior has been >>>changed in the past few years: as I recall, OPEN for a >>>VSAM file will bypass security checking if the issuer of OPEN is running in >>>supervisor state. I think it's documented (briefly) >>>deep in some manual, but I forget which one. >> >>See the last sentence: >>https://secure-web.cisco.com/1xJWCeiFyNOofavmdTpryQCwlqj7yAIgmZFpF5O4CICnch8KApVMcszC3CywQlgpuCGyBIkx-O2ef9by7pUDOra7IMa9FWXhP0it1R8VLiY67mlmWzwSZ2q3uX9nWezqNURN-f_bcj8wNnz2xEZ74EUMymaFhOYS7gcOSgAOLIl71vsI26gteZdwFi7sfkVKsR03456euyb0H2qGjBVgszAr2XPi0HTYMxgMvVxzuqYhqs2LU6l4SopLvRkK_F_321v_Zxvr4lOI-yL0rxWGeB8tQLmgjl5d1r-u315Du4aIktrInSdZCWHdXeGA_pCH8rwqXRXnySU_G88NO7cLcUQFml0mFJlq_JAOACMLwTW86qikc37IDoyz-NH-7FleFIVCCm4cl2spoSPv7reONVaWnGHyZNhkdQ0DcVdojtZ5wxcBhHMUw2AG3BPlV_y2F/https%3A%2F%2Fwww.ibm.com%2Fsupport%2Fknowledgecenter%2FSSLTBW_2.3.0%2Fcom.ibm.zos.v2r3.idad400%2Fods.htm >> >>"Note: RACF protection supersedes password protection for a data set. RACF >>checking is bypassed for a caller that is in supervisor state or key 0." >> > >Thanks, Tom. And, note, for those who may not follow the link, that that >statement is for VSAM only. Why would they exclude only VSAM from checking? Is it because of Page Datasets or some other reason? Are there other ways of bypassing or ignoring checking for supervisor and key zero code? Clark Morris ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
