And there’s more on the authorized side:

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieaa100/iea3a1_Description17.htm

Minimum authorization:  Problem state and any PSW key. For the ADD, DELETE 
requests: RACF® UPDATE authority to the FACILITY class entity CSVAPF.libname. 
For a DYNFORMAT request: RACF authority to the FACILITY class entity 
CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC. If no RACF profile is defined or RACF is not 
available, one of the following:

  *   Supervisor state
  *   PSW key 0-7
  *   PKM allowing key 0-7
  *   APF-authorized


zLeo
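As an added illustration of the mitigation the thread keeps coming back to (not from the original posts or the IBM page): RACF commands that cover the CSVAPF FACILITY resources and BPX.FILEATTR.APF with generic profiles and no universal access, so the ADD/DELETE and extattr +a paths are closed to anyone not explicitly permitted. The owner SYS1 and the group SYSPROGS are placeholders for whoever legitimately maintains the APF list.

```tso
/* Constructed example, to be run from a CLIST or typed in TSO.       */
/* OWNER(SYS1) and ID(SYSPROGS) are placeholders, not site values.     */
/* Cover every CSVAPF.libname resource; UPDATE here permits ADD/DELETE */
RDEFINE FACILITY CSVAPF.** UACC(NONE) OWNER(SYS1) AUDIT(ALL(READ))
/* The DYNFORMAT request checks a more specific resource              */
RDEFINE FACILITY CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC UACC(NONE) OWNER(SYS1) AUDIT(ALL(READ))
/* Gate the USS extattr +a path mentioned by Leo                      */
RDEFINE FACILITY BPX.FILEATTR.APF UACC(NONE) OWNER(SYS1) AUDIT(ALL(READ))
/* Only the placeholder sysprog group may change the APF list          */
PERMIT CSVAPF.** CLASS(FACILITY) ID(SYSPROGS) ACCESS(UPDATE)
PERMIT CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC CLASS(FACILITY) ID(SYSPROGS) ACCESS(UPDATE)
PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(SYSPROGS) ACCESS(READ)
/* FACILITY is normally RACLISTed, so refresh before the change takes effect */
SETROPTS RACLIST(FACILITY) REFRESH
/* Review: list every CSVAPF profile and its access list; any profile  */
/* showing UNIVERSAL ACCESS above NONE, or an unexpected ID with UPDATE */
/* access, lets an unauthorized caller extend the APF list            */
SEARCH CLASS(FACILITY) FILTER(CSVAPF.*)
RLIST FACILITY CSVAPF.** AUTHUSER
RLIST FACILITY BPX.FILEATTR.APF AUTHUSER
```

Note the asymmetry in the IBM text above: with no CSVAPF profile defined, only supervisor state, key 0-7 or APF-authorized callers can ADD or DELETE, so a profile defined with a permissive UACC is what opens the request to problem-state code, and that is the condition a review should look for.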

On Nov 15, 2019, at 8:02 PM, Charles Mills <[email protected]> wrote:

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieaa700/iea3a7_CSVAPF_____Query_the_list_of_APF-authorized_libraries.htm

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Jesse 1 Robinson
Sent: Friday, November 15, 2019 4:45 PM
To: [email protected]
Subject: Re: AUTHPGM in IKJTSOxx

CSVAPF may be a user defined resource, as we have nothing like that in our 
(RACF) shop. In any case, resource profiles that control the ability to run 
anything APF authorized must be tightly controlled.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Leonardo Vaz
Sent: Friday, November 15, 2019 3:10 PM
To: [email protected]
Subject: (External):Re: AUTHPGM in IKJTSOxx

I would just rather not have my cat skinned in the first place :) CSVAPF could 
be executed from a non-authorized with access to CSVAPF facility class I 
believe; I've seen that with universal access before. Of course, we have to 
make sure all those are secured, but it's not completely trivial, as we can see 
per the original post.

Regards
Leo

On Nov 15, 2019, at 5:43 PM, Jesse 1 Robinson <[email protected]> wrote:

Thanks for the clarification. Yes, SYS1.LPALIB is automatically APF 
authorized. I believe that the whole PLPA is APF as well, although we seem to 
name all the other LPALIBs explicitly. I'm sure that the CSVAPF macro requires 
APF to execute. The entire linklist is APF only if that parameter is coded in 
PARMLIB, otherwise each module is evaluated according to its origin. The 
SETPROG command could make any library APF; it's up to the installation to 
protect that command. The USS case I've not explored, but again it looks like 
SAF authorization to a BPX resource is required.

As is so often the case, there are many ways to skin a cat, but I'm convinced 
that the result is all the same for the cat.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On
Behalf Of Leonardo Vaz
Sent: Friday, November 15, 2019 2:12 PM
To: [email protected]
Subject: (External):Re: AUTHPGM in IKJTSOxx

The first statement is not completely true. You can have an APF authorized USS 
file (just by doing extattr +a with access to BPX.FILEATTR.APF); it could also 
be in the LPA, where I believe all modules are loaded authorized, or even in the 
linklist with the parameter that defines that linklist libraries are 
authorized; it could even have been added dynamically via the CSVAPF macro or 
a system command. It does not necessarily have to be in the PARMLIB APF list.

Just thought it was worth mentioning.

Regards,
Leo

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]]
On Behalf Of Jesse 1 Robinson
Sent: Friday, November 15, 2019 4:45 PM
To: [email protected]
Subject: Re: AUTHPGM in IKJTSOxx

A few points.

-- No program can run APF (authorized) if it's fetched from a library that 
itself is not named in the PARMLIB APF list, nor if the containing library is 
concatenated with even a single non-APF library--which renders the entire 
concatenation non-APF.

-- Furthermore, the initial program, if fetched in a TSO address space, must be 
named in the IKJTSOxx member of PARMLIB.

There are some specific abends for violating these rules.

-- ABEND S306 for attempting to fetch a module from a non-APF library while 
running APF authorized.

-- ABEND S047 for attempting to execute an APF-defined function when not 
running APF authorized. The most notorious such function is entering Supervisor 
State or a protect key other than 8.

IBM will happily (!) take an APAR for a circumstance that violates APF 
protection.

Marking a module AC(1) is required only for the first module in a call 
sequence, but the APF-residence rule applies to every subsequent module in the 
call sequence.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On
Behalf Of Paul Gilmartin
Sent: Friday, November 15, 2019 11:48 AM
To: [email protected]
Subject: (External):Re: AUTHPGM in IKJTSOxx

On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:

Does AUTHPGM require that the specified program have a non-zero AC or that it 
be in an APF authorized library?

I ask because it appears that a very clever user may have written a program 
whose name matches a program in the AUTHPGM list. The program executes a macro 
instruction that requires APF authorization. It appears that he was able to 
successfully call it from TSO.

What does AUTHPGM protect, or rather what security hazard does the absence of a 
program from the AUTHPGM list specifically prevent?  Can an expert outline a 
scenario?

-- gil


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN