On Sunday, 09/19/2010 at 08:57 EDT, Alan Ackerman <[email protected]> wrote:
> As someone else pointed out, there is diagnose D4. The manual says:
>
> DIAGNOSE code X'D4' is used by a master virtual machine when scheduling
> work on one of its worker virtual machines on behalf of an end user. The
> end user's user ID is considered to be the alternate user ID.
>
> I don't see how that really provides a way to increase the authority of a
> virtual machine. If you can do that, then, I'd think that would be a hole
> in z/VM's underlying security big enough to drive a truck through. (And
> therefore APARable.)

Diag 0xD4 is privclass B. If using RACF and the VMBATCH class is active, the guest issuing diag 0xD4 must be permitted to the VMBATCH profile for the target user. When the virtual machine performs some other RACF-protected function (e.g. LINK), RACF will attempt the access under the user ID that was specified on the diag 0xD4. If the access fails, it can retry under the base user ID. Whether or not it does so is dependent on exit ICHRCX02, which I recommend be disabled. If you are really using a batch-style process that depends on it, then modify the exit to perform the retry ONLY for specific virtual machines.

So you don't acquire the privileges, but you do acquire the access rights. Since it changes the id on an APPC/VM connection, that means you can access databases (incl. SFS) as an agent for the target user. (Note that it doesn't change the id of existing connections.)

Yet another reason you don't go around giving class B privilege to someone just because they want to issue MSGNOH!

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
[email protected]
IBM Endicott
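The access decision Alan Altmark describes above (VMBATCH gate on the diagnose, first attempt under the alternate user ID, optional ICHRCX02 retry under the base user ID) can be modelled to make the effect of the exit setting visible. The following is an added illustration written for this post, not IBM code: RACF and ICHRCX02 are real, but the Python names, the sample user IDs (BATCH1, OPERBAT, JOE, PAYMGR), the resource names and the access lists are all constructed for the example. It compares the set of resources a worker reaches for one end user under three exit policies: retry for every VM, exit disabled, and retry limited to named batch machines.

```python
"""Simplified model of resource access after DIAG X'D4' under RACF.

Constructed example: the data structures and names below are assumptions
made for illustration and do not represent RACF's actual implementation
or the real interface of exit ICHRCX02.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple, Optional


@dataclass
class Resource:
    """A RACF-protected object, e.g. a minidisk reached by LINK or an SFS directory."""
    name: str
    readers: Set[str] = field(default_factory=set)  # constructed ACL: user IDs with access


# Constructed sample resources. OPER.191 is readable only by the OPERBAT worker,
# PAYROLL.191 only by PAYMGR and the BATCH1 worker.
RESOURCES = [
    Resource("PAYROLL.191", readers={"PAYMGR", "BATCH1"}),
    Resource("JOE.191", readers={"JOE"}),
    Resource("OPER.191", readers={"OPERBAT"}),
    Resource("PUBLIC.TOOLS", readers={"JOE", "PAYMGR", "BATCH1", "OPERBAT"}),
]

# Constructed VMBATCH permissions: master VM -> end users it may act for.
VMBATCH_PERMITS: Dict[str, Set[str]] = {
    "BATCH1": {"JOE", "PAYMGR"},
    "OPERBAT": {"JOE"},
}

RetryPolicy = Callable[[str], bool]  # decides, per base user ID, whether to retry


def set_alternate_user(master: str, target: str, vmbatch_active: bool = True) -> str:
    """Model of DIAG X'D4': returns the alternate user ID the master now acts as.

    With the VMBATCH class active, the master must be permitted to the
    target user's profile or the diagnose is refused.
    """
    if vmbatch_active and target not in VMBATCH_PERMITS.get(master, set()):
        raise PermissionError(f"{master} is not permitted to VMBATCH profile {target}")
    return target


def check_access(resource: Resource, base_user: str, alt_user: str,
                 retry: RetryPolicy) -> Tuple[bool, Optional[str]]:
    """Model of the RACF check for one resource after DIAG X'D4'.

    The access is first attempted under the alternate user ID; if that fails,
    the (modelled) ICHRCX02 policy decides whether to retry under the base ID.
    Returns (allowed, user ID whose rights granted it).
    """
    if alt_user in resource.readers:
        return True, alt_user
    if retry(base_user) and base_user in resource.readers:
        return True, base_user
    return False, None


def effective_access(master: str, target: str, retry: RetryPolicy,
                     resources=RESOURCES) -> Set[str]:
    """Names of resources the master can reach while acting for target."""
    alt = set_alternate_user(master, target)
    return {r.name for r in resources if check_access(r, master, alt, retry)[0]}


# Three exit configurations discussed in the post.
def retry_always(base_user: str) -> bool:
    return True  # exit retries for every virtual machine: union of both users' rights


def retry_never(base_user: str) -> bool:
    return False  # exit disabled: only the end user's rights apply


BATCH_WORKERS = {"BATCH1"}  # constructed list of genuine batch worker machines


def retry_only_batch(base_user: str) -> bool:
    return base_user in BATCH_WORKERS  # exit modified to retry only for named workers


if __name__ == "__main__":
    for policy in (retry_always, retry_never, retry_only_batch):
        for master in ("BATCH1", "OPERBAT"):
            print(f"{policy.__name__:17} {master:8} acting for JOE ->",
                  sorted(effective_access(master, "JOE", policy)))
```

Run stand-alone it prints, per policy and worker, which resources a job submitted by JOE could reach. With the exit disabled both workers see exactly JOE's own resources; with an unconditional retry, JOE's job on OPERBAT also reaches OPER.191 and on BATCH1 also reaches PAYROLL.191, which is the widening the post warns about; with the retry restricted to BATCH1, only the intended batch worker keeps that fallback.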
