A few points. 

-- No program can run APF (authorized) if it's fetched from a library that 
itself is not named in the PARMLIB APF list, nor if the containing library is 
concatenated with even a single non-APF library--which renders the entire 
concatenation non-APF. 

-- Furthermore, the initial program, if fetched in a TSO address space, must be 
named in the IKJTSOxx member of PARMLIB. 

There are some specific abends for violating these rules. 

-- ABEND S306 for attempting to fetch a module from a non-APF library while 
running APF authorized. 

-- ABEND S047 for attempting to execute an APF-defined function when not 
running APF authorized. The most notorious such function is entering Supervisor 
State or a protect key other than 8.    

IBM will happily (!) take an APAR for a circumstance that violates APF 
protection. 

Marking a module AC(1) is required only for the first module in a call 
sequence, but the APF-residence rule applies to every subsequent module in the 
call sequence. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Paul Gilmartin
Sent: Friday, November 15, 2019 11:48 AM
To: [email protected]
Subject: (External):Re: AUTHPGM in IKJTSOxx

On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:

>Does AUTHPGM require that the specified program have a non-zero AC or that it 
>be in an APF authorized library? 
>
>I ask because it appears that a very clever user may have written a program 
>whose name matches a program in the AUTHPGM list. The program executes a macro 
>instruction that requires APF authorization. It appears that he was able to 
>successfully call it from TSO. 
> 
What does AUTHPGM protect, or rather what security hazard does the absence of a 
program from the AUTHPGM list specifically prevent?  Can an expert outline a 
scenario?

-- gil


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
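
The concatenation rule from the reply above (one non-APF library makes the whole concatenation non-APF), as an added audit example that is not part of the original thread. The JCL, the data set names, and the APF list are constructed sample data. The check assumes the APF list is supplied as plain data set names and ignores volume serials, JOBLIB, and cataloged procedures.

```python
import re

# Constructed sample data: all data set names are invented for illustration.
APF_LIST = {"SYS1.LINKLIB", "PROD.AUTHLIB"}

SAMPLE_JCL = """\
//AUDIT1   JOB (ACCT),'APF CHECK'
//STEP1    EXEC PGM=PRODPGM
//STEPLIB  DD DSN=PROD.AUTHLIB,DISP=SHR
//         DD DSN=SYS1.LINKLIB,DISP=SHR
//SYSPRINT DD SYSOUT=*
//STEP2    EXEC PGM=PRODPGM
//STEPLIB  DD DSN=PROD.AUTHLIB,DISP=SHR
//         DD DSN=USER1.TEST.LOAD,DISP=SHR
//SYSPRINT DD SYSOUT=*
"""

STMT = re.compile(r"^//(\S*)\s+(EXEC|DD)\s+(.*)$")
DSN = re.compile(r"\b(?:DSN|DSNAME)=([A-Z0-9$#@.\-]+)")

def steplib_concatenations(jcl):
    """Return {step name: [STEPLIB data sets in concatenation order]}."""
    steps, step, in_steplib = {}, None, False
    for line in jcl.splitlines():
        if line.startswith("//*"):          # JCL comment statement
            continue
        m = STMT.match(line)
        if not m:                           # JOB statement, continuation, etc.
            continue
        name, op, operands = m.groups()
        if op == "EXEC":
            step, in_steplib = name, False
            steps[step] = []
        elif step is not None:
            if name:                        # a named DD starts a new DD
                in_steplib = (name == "STEPLIB")
            if in_steplib:                  # unnamed DD extends the concatenation
                d = DSN.search(operands)
                if d:
                    steps[step].append(d.group(1))
    return steps

def audit(jcl, apf_list):
    """Return {step: (concatenation is APF?, [non-APF data sets])}."""
    report = {}
    for step, libs in steplib_concatenations(jcl).items():
        if not libs:                        # no STEPLIB: outside this check
            continue
        offenders = [d for d in libs if d not in apf_list]
        report[step] = (not offenders, offenders)
    return report
```
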
