You can issue the commands from another id that has class C privileges. You could have a service machine issue the commands after it checks to insure that they are in a list of acceptable, benign, commands and are from users who are allowed to issue the commands.
In 1980, I wrote a DIAG issuer for a customer. It was highly specialized, though. It would only run as a started task and had only 2 commands it would issue - 1 when it started and another when requested to do so by Operations (via WTOR response). After the second, it would terminate. The DIAG was a special one that interacted with the console processor, similar to the HMC on today's machines, on an Amdahl processor. It ran under MVS on the bare iron, not under VM. I wrote it because the customer's system programmers were afraid to write a program that contained a DIAG. Alan's memory is correct regarding the conditions that had to be met at that time. They may be more stringent today. A lot has been done in the security arena on MVS. Regards, Richard Schuh > -----Original Message----- > From: VM/ESA and z/VM Discussions [mailto:[EMAIL PROTECTED] > Behalf Of Alan Ackerman > Sent: Friday, November 11, 2005 11:17 PM > To: [email protected] > Subject: Re: CP Commands on the MVS Console > > > It's certainly possible. I wrote one for MVS about 25 years > ago. All I remember is that it had to run > supervisor state (to run DIAG 8), had to be APF-authorized > (to run supervisor state), had to use > LRA (Load Real Address) to get the buffer addresses > (discovered that the hard way), and had to be > careful with page boundaries (ditto). It's no longer > accessible to me. (It may no longer even exist.) > > Be careful, though, it is a big security hole. Perfectly > normal class G commands can punch right > through z/OS security -- and if you give your z/OS guest > privileges beyond class G, you are really > asking for trouble. You might want to limit it to just a few > needed functions, instead of "any CP > command". > > Someone should have an example. You might ask on IBM-MAIN if > you get no response here. See > <http://bama.ua.edu/archives/ibm-main.html>. > > On Thu, 10 Nov 2005 18:43:18 -0200, FREITAS Nelson Ivo > <[EMAIL PROTECTED]> > wrote: > > >Hello Listers, > > > > > > > >Is it possible to enter CP commands to OS/390-zOS console or > through TSO > >environment, like it is done in VSE/ESA environment with the > JCC Command * > >CP ...? > > > > > > > >Or, is there a way to do this using a CMS userid through the > facility of > >VMCF, like it is done in VSE/ESA environment? > > > >Thanks in advance. > > > >Regards, > > > >Nelson Freitas > > > > > > > > >
