I thought I was done with this thread, but today a new gotcha popped up. On one 
system, we ran out of local page space. We could log on (TSO) but could not 
start any task or submit any job. To avoid IPL, we needed to create another 
local page data set. Back in the halcyon days, if you're old enough to 
remember--and young enough to remember--we could use STEPCAT or JOBCAT to 
create page space on an adjacent system. Both of those options are long gone. 
Since we could log on to the depleted system, we tried using TSO DEF PAGESPACE. 
On the problem system, we got S338 abend. On another system, however, the 
command worked just fine. The actual solution was long and tortuous and not to 
be undertaken lightly. 

Afterwards, we looked in IKJTSO00. On the system where DEFINE worked, we found 

AUTHCMD NAMES(               /* AUTHORIZED COMMANDS */      +
  DEFINE                    /* FOR AUTH AMS SVCS   */      +

Looks like an oversight, but in neither system did CPAC parmlib contain that 
line. So it may not be safe after all, but the solution undertaken is hardly 
safe either. It was do that or IPL. Advice?



.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]
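
The drift described above, where DEFINE appears under AUTHCMD on one system but not in the shipped parmlib, is the kind of difference a periodic comparison of IKJTSOxx members would surface. The following is an added example, not part of the original post or of any IBM tooling: both members are constructed samples, the function names are hypothetical, and the parser assumes only `/* */` comments, trailing `+` or `-` continuation, and no sequence numbers in columns 73-80.

```python
import re

# Constructed sample members (not taken from any real system).
BASELINE = """\
AUTHCMD NAMES(               /* AUTHORIZED COMMANDS */      +
  LISTD    LISTDS            /* SAMPLE ENTRIES      */      +
  RECEIVE                    /* SAMPLE ENTRY        */      )
AUTHPGM NAMES(               /* AUTHORIZED PROGRAMS */      +
  IEBCOPY                    /* SAMPLE ENTRY        */      )
"""
RUNNING = """\
AUTHCMD NAMES(               /* AUTHORIZED COMMANDS */      +
  DEFINE                     /* FOR AUTH AMS SVCS   */      +
  LISTD    LISTDS            /* SAMPLE ENTRIES      */      +
  RECEIVE                    /* SAMPLE ENTRY        */      )
AUTHPGM NAMES(               /* AUTHORIZED PROGRAMS */      +
  IEBCOPY                    /* SAMPLE ENTRY        */      )
"""


def parse_names(member_text):
    """Return {statement: set(names)} for each 'STMT NAMES(...)' statement."""
    # Strip comments first so a ')' inside a comment cannot end a list early.
    text = re.sub(r"/\*.*?\*/", " ", member_text, flags=re.S)
    # Drop the continuation character left at the end of each line.
    text = re.sub(r"[+-][ \t]*$", " ", text, flags=re.M).upper()
    result = {}
    for stmt, body in re.findall(r"\b([A-Z]+)\s+NAMES\s*\(([^)]*)\)", text):
        result.setdefault(stmt, set()).update(body.replace(",", " ").split())
    return result


def drift(baseline_text, running_text):
    """Report names added to or removed from each statement vs. the baseline."""
    base, run = parse_names(baseline_text), parse_names(running_text)
    report = {}
    for stmt in sorted(set(base) | set(run)):
        added = run.get(stmt, set()) - base.get(stmt, set())
        removed = base.get(stmt, set()) - run.get(stmt, set())
        if added or removed:
            report[stmt] = {"added": sorted(added), "removed": sorted(removed)}
    return report


if __name__ == "__main__":
    for stmt, delta in drift(BASELINE, RUNNING).items():
        print(stmt, delta)
```
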

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Seymour J Metz
Sent: Wednesday, November 27, 2019 9:36 AM
To: [email protected]
Subject: (External):Re: AUTHPGM in IKJTSOxx

Well, IBM has documented a lot of the rules for authorized code.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of 
Michael Stein <[email protected]>
Sent: Wednesday, November 27, 2019 12:20 AM
To: [email protected]
Subject: Re: AUTHPGM in IKJTSOxx

On Tue, Nov 26, 2019 at 07:13:47PM +0000, Seymour J Metz wrote:
> If you have update access to APF authorized libraries then you could 
> certainly write such a program, although a competent auditor would 
> read you the riot act if he found out. Exploiting a program that 
> follows the rules is harder.

Figuring out the "rules" is hard.  Following them is harder.

It's very easy to get an authorized function to usually work.  Writing the code 
so that it works and fails correctly and is secure is much harder.

For security it's usually best to let the hardware provide the security 
boundaries wherever possible (address space and protect keys).

Write access to an APF library on a personal test system is really useful for 
education, development, and trying out system services.

A non-shared test system doesn't have system stability or security issues to be 
concerned about.  But be very careful NEVER to run that type of code on shared 
systems.

I once traced instruction counts for a path of "hit enter once" type action.  
This involved turning on instruction fetch PER and disabled DAT off code to 
update a counter for each asid/instruction address.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
