On Saturday, November 2, 2019, 07:35:08 PM PDT, Paul Gilmartin wrote:

>> Sorry. I forgot to say EXEC PGM=AOPBATCH is safe.
> That might be true if AOPBATCH were installed with AC=0 in an authorized
> library.

AOPBATCH and COZBATCH must be linked AC=0 because the shell runs in problem state.

>>> How does the exposure compare with BPX1SPN BPX_SHAREAS=MUST /bin/sh?
>> It's been a long time. If I remember correctly, it has the exposure.
>> What makes this acceptable is that you know there are risks but willing to
>> accept those risks.
> How does this interact with the z/OS Statement of Integrity?

The ISPF case I mentioned has nothing to do with bypassing security or gaining authorized state. The exposures I mentioned occur simply because of the shared address space.

> If an ISPF macro invokes BPX1SPN BPX_SHAREAS=MUST /bin/sh,
> only IBM code is involved and SoI applies. SoI has no "willing
> to accept" loophole.

I don't understand your point here. If your code (or macro) specifies shared address space, the exposure is your responsibility. You need to fully understand the shared address space concept if you are going to use it.

> Is AOPBATCH an IBM product? If not, SoI applies if it's installed
> only in non-authorized libraries.

AOP product has something to do with printing. AOPBATCH is a utility for AOP. Shared address has nothing to do with authorized / non-authorized. As for SoI, running shared address spaces gives you access to those features but at some risk. It has nothing to do with IBM.

> COZBATCH is not an IBM product so SoI applies if it's installed
> only in non-authorized libraries.

See previous comment.

Jon.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
