Sent: 04 December 2019 21:38
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AUTHPGM in IKJTSOxx
On Wed, 4 Dec 2019 01:28:39 +, Lennie Dymoke-Bradshaw
wrote:
>Jesse / Skip,
>
>This is actually defined as being a requirement in "DFSMS Access Method
>Services Commands&q
On Wed, 4 Dec 2019 01:28:39 +, Lennie Dymoke-Bradshaw
wrote:
>Jesse / Skip,
>
>This is actually defined as being a requirement in "DFSMS Access Method
>Services Commands" SC23-6846-30. See Page 6, or just search for AUTHCMD and
>you will quickly find it. It states the following,
>
>"To
L. No muss. No fuss.
Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Jesse 1 Robinson
Sent: Tuesday, December 3, 2019 6:40 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
I thought I was done with this thread, but today a new gotcha popped up. On one
bject: Re: [IBM-MAIN] AUTHPGM in IKJTSOxx
I thought I was done with this thread, but today a new gotcha popped up. On one
system, we ran out of local page space. We could log on (TSO) but could not
start any task or submit any job. To avoid IPL, we needed to create another
local page data set.
On Wed, 4 Dec 2019 00:39:58 +, Jesse 1 Robinson
wrote:
>I thought I was done with this thread, but today a new gotcha popped up. On
>one system, we ran out of local page space. We could log on (TSO) but could
>not start any task or submit any job. To avoid IPL, we needed to create
):Re: AUTHPGM in IKJTSOxx
Well, IBM ha documented a lot of the rules for authorized code.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Michael Stein
Sent: Wednesday, November 27, 2019 12:20 AM
@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
On Tue, Nov 26, 2019 at 07:13:47PM +, Seymour J Metz wrote:
> If you have update access to APF authorized libraries then you could
> certainly write such a program, although a competent auditor would read
> you the riot act if he found out. E
On Tue, Nov 26, 2019 at 07:13:47PM +, Seymour J Metz wrote:
> If you have update access to APF authorized libraries then you could
> certainly write such a program, although a competent auditor would read
> you the riot act if he found out. Exploiting a program that follows the
> rules is
From: IBM Mainframe Discussion List on behalf of
Jeremy Nicoll
Sent: Monday, November 25, 2019 6:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
On Mon, 18 Nov 2019, at 19:35, Seymour J Metz wrote:
> A program designed to run as a jobs
Not if the resources are protected by a ESM..of some sort, i.e.; RACF...
On Tue, Nov 26, 2019 at 6:35 AM Jeremy Nicoll
wrote:
> On Tue, 26 Nov 2019, at 00:20, Jesse 1 Robinson wrote:
> > I'm having trouble imagining a scenario where an EBCDIC representation
> > of an address would be useful.
I believe when Walt raveled this fiber of the thread he posited assembler
CALL macro or JCL PARM format (they're the same.)
I think of those two as not the same when both the parameter list and the
parameter are considered.
If you pass a single parameter via CALL, then the parameter list
On Tue, 26 Nov 2019, at 00:20, Jesse 1 Robinson wrote:
> I'm having trouble imagining a scenario where an EBCDIC representation
> of an address would be useful. The problem is, in a job step situation,
> how would you figure out an address to pass?
>
> //STEP1 EXEC PGM=my-pgm,PARM=???
>
> How
On Tue, 26 Nov 2019 00:20:12 +, Jesse 1 Robinson wrote:
>I'm having trouble imagining a scenario where an EBCDIC representation of an
>address would be useful. The problem is, in a job step situation, how would
>you figure out an address to pass?
>
>//STEP1 EXEC PGM=my-pgm,PARM=???
>
>How
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AUTHPGM in IKJTSOxx
I'm having trouble imagining a scenario where an EBCDIC representation of an
address would be useful. The problem is, in a job step situation, how would you
figure out an address to pass?
//STEP1 EXEC PGM=my-pgm,PARM=???
How
Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Paul Gilmartin
Sent: Monday, November 25, 2019 3:51 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx
On Mon, 25 Nov 2019 23:26:32 +
On Mon, 25 Nov 2019 23:26:32 +, Jeremy Nicoll wrote:
>On Mon, 18 Nov 2019, at 19:35, Seymour J Metz wrote:
>> A program designed to run as a jobstep expects a parameter list whose
>> first word points to a halfword length field followed by a character
>> string of that length. The Initiator
On Mon, 18 Nov 2019, at 19:35, Seymour J Metz wrote:
> A program designed to run as a jobstep expects a parameter list whose
> first word points to a halfword length field followed by a character
> string of that length. The Initiator will always flag the first word
> with an end-of-list bit.
on behalf of
Walt Farrell
Sent: Wednesday, November 20, 2019 8:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
On Mon, 18 Nov 2019 20:03:59 +, Seymour J Metz wrote:
>What do you mean by "the initial program"? The TMP doesn't need to be in any
>list.
&g
vs unauthorized.)
2. If it is loaded by the Initiator as a jobstep program, and it is linked
AC(1), it will run APF-authorized. (I will ignore possible JOBLIB/STEPLIB
effects.)
3. If it is run under TSO and is in the appropriate IKJTSOxx list (AUTHPGM,
AUTHCMD, AUTHTSF) for the way it was run, it will
On Tue, Nov 19, 2019 at 05:52:41PM +, Seymour J Metz wrote:
> 1. TSO *doesn't* get "quarantined like a contagious pit-bull"; rather, TSO
> imposes a firewall between authorized and unauthorized code. The same
> firewall, implemented differently, exists for PGM=foo.
No, it's not the
Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Peter Relson
Sent: Tuesday, November 19, 2019 9:06 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
I share the curiosity about why TSO gets quarantined like a contagious
pit-bull. If I can run PGM=ABC in a batch job
edu>
Sent: Monday, November 18, 2019 6:37 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
On Mon, 18 Nov 2019 20:49:29 +, Seymour J Metz wrote:
>...
>You're losing track of your indirect addresses:
>R1 -> Paramaeter list
> +0 -> H'lengt
Jesse 1 Robinson
Sent: Monday, November 18, 2019 7:09 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
I share the curiosity about why TSO gets quarantined like a contagious
pit-bull. If I can run PGM=ABC in a batch job with no more authorization that
SAF READ to the load library, th
On Mon, 18 Nov 2019 17:37:00 -0600, Paul Gilmartin wrote:
>On Mon, 18 Nov 2019 20:49:29 +, Seymour J Metz wrote:
>>...
>>You're losing track of your indirect addresses:
>
>>R1 -> Paramaeter list
>> +0 -> H'length',C'characters'
>> +4 Doesn't exist for jobstep.
>>
I share the curiosity about why TSO gets quarantined like a contagious
pit-bull. If I can run PGM=ABC in a batch job with no more authorization
that SAF READ to the load library, then why are there extra hurdles to run
the exact same program under TSO? I don't mean technically why; I mean
Yep
On Mon, Nov 18, 2019 at 7:47 PM Tony Harminc wrote:
> On Mon, 18 Nov 2019 at 10:55, scott Ford wrote:
> >
> > So guys, stupid question what about a STC that provisions for RACF, etc.
> > But the design is as a normal generalized user, but with a id
> > with SPECIAL that is invoked only
On Mon, 18 Nov 2019 at 10:55, scott Ford wrote:
>
> So guys, stupid question what about a STC that provisions for RACF, etc.
> But the design is as a normal generalized user, but with a id
> with SPECIAL that is invoked only during the time of passing the command to
> RACF ? Does it have to be
a question to IBM to IBM
or definitely unsafe?
Thanks!
Leo
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Jim Mulder
Sent: Monday, November 18, 2019 1:27 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
An authorized
-543-6132 Office ⇐=== NEW
robin...@sce.com
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Seymour J Metz
Sent: Monday, November 18, 2019 11:59 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx
TSO normally runs authorized and attaches commands
On Mon, 18 Nov 2019 20:49:29 +, Seymour J Metz wrote:
>...
>You're losing track of your indirect addresses:
>R1 -> Paramaeter list
> +0 -> H'length',C'characters'
> +4 Doesn't exist for jobstep.
>
And you needf one more indirection. See the page lately
cited by Tom
On Mon, 18 Nov 2019 14:36:16 -0600, Paul Gilmartin wrote:
>No. That end-of-list bit is set in the address of the PARM, not in the PARM.
>So, PARM='(' (x-4d') results in '(', not 'D' (x'CD'). And that bit has little
>effect except for branch-and-set-mode.
>
>How is PARM passed to an AMODE 64
ur J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Monday, November 18, 2019 3:36 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
On Mon, 18
On Mon, 18 Nov 2019 19:35:31 +, Seymour J Metz wrote:
>A program designed to run as a jobstep expects a parameter list whose first
>word points to a halfword length field followed by a character string of that
>length. The Initiator will always flag the first word with an end-of-list bit.
on behalf of
Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Friday, November 15, 2019 2:47 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:
>Does AUTHPGM require that the specified program h
Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
Jesse 1 Robinson
Sent: Friday, November 15, 2019 4:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
A few points.
-- No program can run APF (authorized) if it's fe
List on behalf of
Steve Smith
Sent: Friday, November 15, 2019 6:05 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
Well, it's been two hours, and no expert has come forth, so I'll take a
shot. As TSO normally runs non-authorized, attempting to execute an
authorized program
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
I am curious now, does a custom homegrown program have to take extra
precautions to be placed under AUTHPGM? What would those be?
Regards,
zLeo
> On Nov 16, 2019, at 10:09 AM, Peter Relson wrote:
>
> Regarding AUTHPGM
Mainframe Discussion List on behalf of
Leonardo Vaz
Sent: Saturday, November 16, 2019 12:20 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
Thanks for the input. Peter said something about making sure non authorized
units of work are non dispatchable while the authorized program
Discussion List on behalf of
Leonardo Vaz
Sent: Saturday, November 16, 2019 7:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
Hello Walt! Thanks for your input!
But wouldn’t that program be violating system integrity even if not placed on
AUTHPGM? The user could execute it batch
ERV.UA.EDU] On Behalf
Of Wayne Driscoll
Sent: Monday, November 18, 2019 11:11 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
In z/OS 2.4, with the ACEECHK class active that will require special
authorization.
Wayne Driscoll
Rocket Software
Note - All opinions are stric
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
An authorized program would not need to switch TO a SPECIAL userid, it could
simply give itself SPECIAL in its ACEE.
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
From: IBM Mainframe Discussion List on behalf of
scott Ford
Sent: Monday, November 18, 2019 10:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
So guys, stupid question what about
Corp.
Poughkeepsie NY
"IBM Mainframe Discussion List" wrote on
11/17/2019 09:06:08 PM:
> From: "Walt Farrell"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 11/18/2019 01:12 PM
> Subject: Re: AUTHPGM in IKJTSOxx
> Sent by: "IBM Mainframe Discussion List"
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
On Mon, 18 Nov 2019 10:54:06 -0500, scott Ford wrote:
>So guys, stupid question what about a STC that provisions for RACF, etc.
>But the design is as a normal generalized user, but with a id
>with SPECIAL that is invoked on
9 04:16:27 PM:
> From: "Walt Farrell"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 11/18/2019 01:03 PM
> Subject: Re: AUTHPGM in IKJTSOxx
> Sent by: "IBM Mainframe Discussion List"
>
> On Sat, 16 Nov 2019 15:30:01 +, Leonardo Vaz
wrote:
>
> >I
l opinions are strictly my own.
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Leonardo Vaz
Sent: Saturday, November 16, 2019 6:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
Hello Walt! Thanks for your input!
But wouldn’t that program be v
On Mon, 18 Nov 2019 10:54:06 -0500, scott Ford wrote:
>So guys, stupid question what about a STC that provisions for RACF, etc.
>But the design is as a normal generalized user, but with a id
>with SPECIAL that is invoked only during the time of passing the command to
>RACF ? Does it have to be
Sent: Monday, November 18, 2019 7:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx
So guys, stupid question what about a STC that provisions for RACF, etc.
But the design is as a normal generalized user, but with a id with SPECIAL that
is invoked only during the time
DU] On
> Behalf Of Paul Gilmartin
> Sent: Sunday, November 17, 2019 5:10 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AUTHPGM in IKJTSOxx
>
> ...snip ...
>
> I respectfully differ. A program executed as the job step task and
> running in authorized state which can bra
(or the equivalent) callers.
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Paul Gilmartin
Sent: Sunday, November 17, 2019 5:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
...snip ...
I respectfully differ
On Sun, 17 Nov 2019 19:10:16 -0600, Paul Gilmartin wrote:
>On Sun, 17 Nov 2019 15:50:53 -0600, Walt Farrell wrote:
>
>>On Sun, 17 Nov 2019 00:33:29 +, Leonardo Vaz wrote:
>>>
>>>But wouldn’t that program be system integrity even if not placed on AUTHPGM?
>>>The user could execute it batch
On Sun, 17 Nov 2019 15:50:53 -0600, Walt Farrell wrote:
>On Sun, 17 Nov 2019 00:33:29 +, Leonardo Vaz wrote:
>>
>>But wouldn’t that program be system integrity even if not placed on AUTHPGM?
>>The user could execute it batch first example and change his ACEE or anything
>>else.
>
>No, that
@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AUTHPGM in IKJTSOxx
On Sat, 16 Nov 2019 17:20:31 +, Leonardo Vaz wrote:
>Thanks for the input. Peter said something about making sure non authorized
>units of work are non dispatchable while the authorized program runs, is this
>something the a
On Sun, 17 Nov 2019 00:33:29 +, Leonardo Vaz wrote:
>
>But wouldn’t that program be system integrity even if not placed on AUTHPGM?
>The user could execute it batch first example and
>change his ACEE or anything else.
No, that wouldn't be a problem, because if the user wrote his own
If it is something that TSO already does, then why limit TSO to only run
authorized programs on the AUTHPGM list? What is the harm of allowing any
authorized programs as long as they don’t violate system integrity.
I don't know if doing so could result in a program that was not written to
On Sun, 17 Nov 2019 00:33:29 +, Leonardo Vaz wrote:
>
>But wouldn’t that program be violating system integrity even if not placed on
>AUTHPGM? The user could execute it batch first example and change his ACEE or
>anything else.
>
I think, sure. Pass it the address of some code in LPA or
Hello Walt! Thanks for your input!
But wouldn’t that program be violating system integrity even if not placed on
AUTHPGM? The user could execute it batch first example and change his ACEE or
anything else.
I guess depending on the authorized program code, it might keep integrity when
On Sat, 16 Nov 2019 15:30:01 +, Leonardo Vaz wrote:
>I am curious now, does a custom homegrown program have to take extra
>precautions to be placed under AUTHPGM? What would those be?
>
Usually, no.
Sometimes, depending on what the program does, yes.
For example, consider a program which
On Sat, 16 Nov 2019 15:27:10 -0500, scott Ford wrote:
>
>So are you saying that you want to invoke GIMSMP from TSO instead of in
>batch ?
>
I wanted to invoke GIMSMP remotely, from a desktop program and have
status returned to that desktop monitor. There are persistent questions
here about how
On Sat, 16 Nov 2019 11:54:27 -0800, retired mainframer wrote:
>
>Without the AUTHPGM list, how would TSO know which programs should run
>authorized and which should not? There are authorized programs that need
>authorization only for certain functions and can run under TSO without
Gil,
So are you saying that you want to invoke GIMSMP from TSO instead of in
batch ?
Scott
On Sat, Nov 16, 2019 at 2:30 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
> On Sat, 16 Nov 2019 17:20:31 +, Leonardo Vaz wrote:
>
> >Thanks for the input. Peter said
AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AUTHPGM in IKJTSOxx
>
> Thanks for the input. Peter said something about making sure non authorized
> units of
> work are non dispatchable while the authorized program runs, is this
> something the
> authorized program add
On Sat, 16 Nov 2019 17:20:31 +, Leonardo Vaz wrote:
>Thanks for the input. Peter said something about making sure non authorized
>units of work are non dispatchable while the authorized program runs, is this
>something the authorized program added to AUTHPGM has to do or something that
beyond normal
> release procedures.
>
>> -Original Message-
>> From: IBM Mainframe Discussion List On
>> Behalf Of Leonardo Vaz
>> Sent: Saturday, November 16, 2019 7:30 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: AUTHPGM in IKJTSOxx
>>
>
release procedures.
> -Original Message-
> From: IBM Mainframe Discussion List On
> Behalf Of Leonardo Vaz
> Sent: Saturday, November 16, 2019 7:30 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AUTHPGM in IKJTSOxx
>
> I am curious now, does a custom homegrown pr
I am curious now, does a custom homegrown program have to take extra
precautions to be placed under AUTHPGM? What would those be?
Regards,
zLeo
> On Nov 16, 2019, at 10:09 AM, Peter Relson wrote:
>
> Regarding AUTHPGM itself, I think of it this way (pretty much the way
> Steve Smith
...SYS1.LPALIB is automatically APF authorized. I believe that the whole
PLPA is APF as well, although we seem to name all the other LPALIBs
explicitly. I'm sure that the CSVAPF macro requires APF to execute. The
entire linklist is APF only if that parameter is coded in PARMLIB,
otherwise
@LISTSERV.UA.EDU] On Behalf
Of Jesse 1 Robinson
Sent: Friday, November 15, 2019 4:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
CSVAPF may be a user defined resource, as we have nothing like that in our
(RACF) shop. In any case, resource profiles that control the ability to run
anything
Regarding AUTHPGM itself, I think of it this way (pretty much the way
Steve Smith described it):
AUTHPGM identifies to TSO/E a program that needs to be run on the
"authorized side" of the TMP. For such a program, setup must be done very
carefully.
While there is a program running on the
: Friday, November 15, 2019 4:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
CSVAPF may be a user defined resource, as we have nothing like that in our
(RACF) shop. In any case, resource profiles that control the ability to run
anything APF authorized must be tightly controlled
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Leonardo Vaz
Sent: Friday, November 15, 2019 3:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx
I
Behalf Of
> Leonardo Vaz
> Sent: Friday, November 15, 2019 2:12 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: (External):Re: AUTHPGM in IKJTSOxx
>
> The first statement is not completely true, you can have an APF authorized
> USS file (just by doing extattr +a with access to
Well, it's been two hours, and no expert has come forth, so I'll take a
shot. As TSO normally runs non-authorized, attempting to execute an
authorized program would normally fail. TSO can run authorized commands &
programs, but it has to do considerable setup for them, to maintain
integrity, and
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Leonardo Vaz
Sent: Friday, November 15, 2019 2:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx
The first statement is not completely true, you can have an APF authorized USS
file (just
@LISTSERV.UA.EDU] On Behalf
Of Jesse 1 Robinson
Sent: Friday, November 15, 2019 4:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AUTHPGM in IKJTSOxx
A few points.
-- No program can run APF (authorized) if it's fetched from a library that
itself is not named in the PARMLIB APF list, nor if the containing
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Paul Gilmartin
Sent: Friday, November 15, 2019 11:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx
On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:
>Does AUTHPGM requ
Sounds like an APF list problem rather than AUTHPGM ... remember that in
APF list both dsname and volser is specified, so a poorly managed list with
"extra" volser entries (often used for DR testing for example) could result
in the "clever user" finding an unused but live entry and can thus create
On Fri, Nov 15, 2019 at 06:45:48PM +, Jesse 1 Robinson wrote:
> To reinforce Tony's point: ultimate control resides with SAF update
> authority to any and all authorized libraries. If that control is
> compromised, there is NOTHING that MVS can do to prevent mischief.
Or a security flaw in
On Wed, 13 Nov 2019 08:55:39 -0600, Jeffrey Holst wrote:
>Does AUTHPGM require that the specified program have a non-zero AC or that it
>be in an APF authorized library?
>
>I ask because it appears that a very clever user may have written a program
>whose name matches a program in the AUTHPGM
MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Tony Harminc
Sent: Friday, November 15, 2019 10:19 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: AUTHPGM in IKJTSOxx
On Wed, 13 Nov 2019 at 09:56, Jeffrey Holst
<02366bf64af9-dmarc-requ...@listserv.ua.edu> wrote:
>
> Does AUTHPGM require that the specified program have a non-zero AC or that it
> be in an APF authorized library?
Both.
> I ask because it appears that a very clever user may have written a
arc-requ...@listserv.ua.edu>
Sent: Wednesday, November 13, 2019 9:55 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AUTHPGM in IKJTSOxx
Does AUTHPGM require that the specified program have a non-zero AC or that it
be in an APF authorized library?
I ask because it appears that a very clever user ma
For a TSO program to get control via CALL in an authorized state, it must be in
IKJTSOxx AUTHPGM, it must be linked AC(1) and come from an APF authorized
library.
You can also use AUTHTSF to invoke a program via IKJEFTSR if you require more
flexibility with the parameter lists (but the AC(1
Does AUTHPGM require that the specified program have a non-zero AC or that it
be in an APF authorized library?
I ask because it appears that a very clever user may have written a program
whose name matches a program in the AUTHPGM list. The program executes a macro
instruction that requires
84 matches
Mail list logo