Well, it's been two hours, and no expert has come forth, so I'll take a
shot.  As TSO normally runs non-authorized, attempting to execute an
authorized program would normally fail.  TSO can run authorized commands &
programs, but it has to do considerable setup for them, to maintain
integrity, and actually invoke them in an APF-authorized environment.  So
the parms are how it knows what it needs to do that for.

There's also the mixed environment of TSO, and authorized programs might
need to take extra care to avoid integrity issues that don't apply when
running in their own address space.  So the AUTH* parms control what programs
are (hopefully) known to be safe there.

Side note:  for this purpose, and most, by TSO I mean the IBM-supplied
TMP.  You can log on with any proc that executes anything (subject to
different controls).  In that case none of this applies.

As implied above, I am not an expert on this, so it may not be complete or
completely accurate.

sas


On Fri, Nov 15, 2019 at 2:48 PM Paul Gilmartin <
[email protected]> wrote:

> On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:
>
> >Does AUTHPGM require that the specified program have a non-zero AC or
> >that it be in an APF authorized library?
> >
> >I ask because it appears that a very clever user may have written a
> >program whose name matches a program in the AUTHPGM list. The program
> >executes a macro instruction that requires APF authorization. It appears
> >that he was able to successfully call it from TSO.
> >
> What does AUTHPGM protect, or rather what security hazard does the
> absence of a program from the AUTHPGM list specifically prevent?  Can
> an expert outline a scenario?
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>


-- 
sas
