Lots of folks replied to this to tell me how to do the same thing more securely, and I'll save those up and read them if and when my management provides any encouragement for any rewriting at all to those transactions. What I was really looking for, though, was ammunition to hand to management: "We need to fix this because here's what could happen". FTP is one, and I should have thought of it because I've used FTP to submit jobs myself.
It's a TSS shop, not RACF, but that makes no never-mind; I'll go find out how many of the folks who can run these batch jobs also have TSO and/or a UID. I don't know much about SSH or Telnet - hardly anything about them, in fact. Is it worth asking for details?

---
Bob Bridges, [email protected], cell 336 382-7313

/* Every now and then go away, have a little relaxation, for when you come back to your work your judgment will be surer. Go some distance away because then the work appears smaller and more of it can be taken in at a glance and a lack of harmony and proportion is more readily seen. -Leonardo Da Vinci */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John McKown
Sent: Wednesday, September 4, 2019 14:18

Possibly via FTP using the QUOTE SITE FILETYPE=JES followed by a PUT of the file containing the JCL. Less likely is the ability to use TELNET or SSH to get a UNIX prompt. But you need to check to see if the RACF profiles.

---

On Wed, Sep 4, 2019 at 1:06 PM Bob Bridges <[email protected]> wrote:

> Not sure where to ask this, but I've wondered about it off and on for a while and it's past time I asked. I'm responsible for security at a mainframe shop where they use a lot of CICS. There are CICS transactions that fire off batch jobs; the way this place handles it is to submit the job under the authority of the CICS region ID (USER=<region> on the JOB card), and give each user of such a transaction the necessary authority.
>
> This gives me the screaming heeby-jeebies, but when I complain about it I get little support back. The problem, of course, is that if I'm authorized to submit jobs with USER=<region> on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do. (And of course any installation that's careless about letting folks have that authority is even more careless about what their CICS regions can do.)
>
> One argument management offers in mitigation is that most of these CICS users don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's probably a way and I just don't know about it. Can anyone confirm? If I were a CICS user without the ability to log on to TSO, could I still submit a batch job somehow?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
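The FTP route John McKown names, worked through as an added example (this is editor-supplied code, not anything posted in the thread). It drives the z/OS FTP server's JES interface from Python's ftplib: SITE FILETYPE=JES, then a STOR of the JCL, which the server hands to JES and answers with "It is known to JES as JOBnnnnn". No TSO logon is involved; all the submitter needs is a userid the FTP server accepts and surrogate authority to the userid on the JOB card (in RACF the SURROGAT class; Top Secret has its own surrogate controls). The host, credentials, the region userid CICSPROD, the sample job and the offline stub are all hypothetical. The same thing typed interactively is `ftp host`, `quote site filetype=jes`, `put cicsbat1.jcl`, `get JOBnnnnn.x -`.

```python
"""Submit a batch job to z/OS JES through the FTP server's JES interface.

Added example, not code from the IBM-MAIN thread.  Host, credentials,
the region userid CICSPROD and the job itself are hypothetical.
"""
import io
import re
import sys
from ftplib import FTP
from typing import List, Optional

# Constructed sample job.  The thread's concern is the JOB card: USER= names
# the CICS region's userid, so the job runs with the region's authority, not
# the submitter's.  The security product checks only that the submitter may
# act for that userid; it does not care whether the job came from TSO or FTP.
SAMPLE_JCL = """\
//CICSBAT1 JOB (ACCT),'FIRED FROM CICS',CLASS=A,MSGCLASS=X,
//         USER=CICSPROD
//STEP1    EXEC PGM=IEFBR14
//"""

# A successful STOR under FILETYPE=JES is answered with a line such as
# "250-It is known to JES as JOB01234" (JES2 ids: JOBnnnnn or Jnnnnnnn).
_JOBID_RE = re.compile(r"known to JES as ((?:JOB|J)\d+)")


def job_card_user(jcl: str) -> Optional[str]:
    """Return the USER= value on the JOB statement, or None if the job runs
    as the submitter.  JCL continuation lines have column 3 blank; comments
    start with //*."""
    lines = jcl.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^//\S+\s+JOB\b", line):
            stmt = [line]
            for cont in lines[i + 1:]:
                if cont.startswith("//*") or not re.match(r"^//\s", cont):
                    break
                stmt.append(cont)
            m = re.search(r"\bUSER=(\w+)", " ".join(stmt))
            return m.group(1) if m else None
    return None


def parse_jes_jobid(reply: str) -> str:
    """Extract the JES job id from the server's reply to the STOR."""
    m = _JOBID_RE.search(reply)
    if not m:
        raise RuntimeError("JES interface did not accept the job: %r" % reply)
    return m.group(1)


def submit_jcl(ftp, jcl: str) -> str:
    """Submit JCL over an already logged-in session; return the JES job id.
    ftp needs sendcmd() and storlines() with ftplib.FTP's signatures."""
    # Switch the session from data-set transfer to the JES spool interface.
    ftp.sendcmd("SITE FILETYPE=JES")
    # In JES mode STOR creates no file: the data goes to the internal reader.
    # storlines sends TYPE A, so the server does the ASCII-to-EBCDIC conversion.
    reply = ftp.storlines("STOR cicsbat1.jcl", io.BytesIO(jcl.encode("ascii")))
    return parse_jes_jobid(reply)


def fetch_output(ftp, jobid: str) -> List[str]:
    """Return the job's spool data sets; the '.x' suffix means all of them."""
    lines: List[str] = []
    ftp.retrlines("RETR %s.x" % jobid, lines.append)
    return lines


class JesFtpStub:
    """Constructed stand-in for ftplib.FTP so the example runs offline.  It
    answers in the reply format the z/OS FTP server uses; the spool lines are
    made up."""

    def __init__(self):
        self.commands: List[str] = []
        self.submitted: Optional[str] = None

    def sendcmd(self, cmd):
        self.commands.append(cmd)
        return "200 SITE command was accepted"

    def storlines(self, cmd, fp):
        self.commands.append(cmd)
        self.submitted = fp.read().decode("ascii")
        return "250-It is known to JES as JOB01234\n250 Transfer completed successfully."

    def retrlines(self, cmd, callback):
        self.commands.append(cmd)
        for line in ("1 J E S 2  J O B  L O G",
                     "IEF142I CICSBAT1 STEP1 - STEP WAS EXECUTED - COND CODE 0000"):
            callback(line)
        return "250 Transfer completed successfully."


def main(argv):
    if len(argv) < 4:
        ftp = JesFtpStub()                 # offline dry run against the stub
    else:
        host, user, password = argv[1:4]   # hypothetical host and credentials
        ftp = FTP(host)
        ftp.login(user, password)
    print("JOB card runs as:", job_card_user(SAMPLE_JCL) or "<submitter>")
    jobid = submit_jcl(ftp, SAMPLE_JCL)
    print("submitted as", jobid)
    for line in fetch_output(ftp, jobid):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Against a real server the job id comes back at once but the spool output only after the job has run, so a real client polls `LIST` (which in JES mode shows the status of the submitter's jobs) before the `RETR`. The FTP server only offers this interface if FTP.DATA enables it (JESINTERFACELEVEL), so the two things worth checking in Bob's position are whether that is on and which userids the FTP server will accept that also hold surrogate authority to the region userids.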
