ITYM AC(1) and the statement should be that there is no way for an unauthorized program to make itself authorized, no way to invoke an authorized TSO command, program or service not permitted by the installation, no way to invoke an authorized subroutine other than through the TMP interface and no way to create a new process without vetting by the security environment.
Yes, there are Eunix <g> commands that run with UID(0), but the installation can control who is allowed to invoke them, and many of them are safe for general use.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
From: IBM Mainframe Discussion List <IBM-***@listserv.ua.edu> on behalf of Charles Mills <***@MCN.ORG>
Sent: Monday, July 23, 2018 8:42 PM
To: IBM-***@listserv.ua.edu
Subject: Re: A curiosity Question
Yes, and any code that runs in supervisor state (certain exits, for example)
could (using an unapproved and undocumented but easy-to-deduce technique)
presumably change an address space from not-authorized to authorized -- but
the exit code would have to be installation-permitted.
There should be (is, so far as we know) no
available-to-the-average-programmer technique that permits unauthorized code
to make itself authorized, or create an authorized process, other than by
submitting a job with an APF-authorized-library-resident and AC=0 jobstep
program.
If you find one, IBM will take an APAR, ASAP.
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On
Behalf Of Seymour J Metz
Sent: Monday, July 23, 2018 4:05 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: Re: A curiosity Question
Actually, you can, but the unauthorized code can't run while the authorized
code is running and the unauthorized code can only invoke the authorized
code that IBM or the installation allows. Think TSO,
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
From: IBM Mainframe Discussion List <IBM-***@listserv.ua.edu> on behalf of
Charles Mills <***@MCN.ORG>
Sent: Monday, July 23, 2018 6:58 PM
To: IBM-***@listserv.ua.edu
Subject: Re: A curiosity Question
Jobsteps are authorized, not subtasks. The jobstep is either authorized or
it is not (in the scenarios you describe below).
There is no (supported, official, "z/OS") way to transition from
non-authorized to authorized. You cannot "become authorized" except at
jobstep initiation time.
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-***@LISTSERV.UA.EDU] On
Behalf Of ***@juno.com
Sent: Monday, July 23, 2018 3:47 PM
To: IBM-***@LISTSERV.UA.EDU
Subject: A curiosity Question
Hi,

I'm sure there is an Integrity exposure with these scenarios.

1) Can a Problem Program (Key 8) attach a Subtask that is authorized?

2) Can a Problem Program attach a subtask (with the DCB parameter) that is
authorized? The DCB is not in the STEPLIB concatenation.

3) Can a Problem Program invoke a Non Space Switching PC routine to Attach a
Subtask that is Authorized?

I'm sure there is an Integrity exposure; could someone comment on the above.

Paul
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
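The rule the thread turns on (authorization is fixed at jobstep initiation from the AC attribute and the APF status of the whole STEPLIB/JOBLIB concatenation, and a subtask inherits the step's state) can be modelled as a small audit helper. This is an added illustration, not IBM code or any list member's; the data set names, the AUTHTOOL module and the treatment of an empty concatenation as a LNKLST fetch are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoadModule:
    name: str
    library: str   # data set the module is fetched from
    ac: int        # binder AC attribute: 1 = authorized, 0 = not

@dataclass(frozen=True)
class JobStep:
    program: LoadModule
    steplib: tuple          # STEPLIB/JOBLIB concatenation, in order
    authorized: bool        # fixed for the life of the step

def concatenation_authorized(steplib, apf_list):
    """One non-APF library anywhere in the concatenation makes the whole
    concatenation unauthorized. An empty concatenation (LNKLST-only fetch)
    is treated as authorized here; that is this model's assumption."""
    return all(lib in apf_list for lib in steplib)

def start_jobstep(program, steplib, apf_list):
    """Authorization is decided once, when the step's program is fetched:
    an AC(1) module from an APF library through a fully authorized concatenation."""
    steplib = tuple(steplib)
    authorized = (program.ac == 1 and program.library in apf_list
                  and concatenation_authorized(steplib, apf_list))
    return JobStep(program, steplib, authorized)

def attach_subtask(step, program, apf_list, dcb_library=None):
    """ATTACH issued inside the step (questions 1 and 2 in the thread).
    Returns AUTHORIZED / UNAUTHORIZED for the subtask, always matching the
    step, or REJECTED when an authorized step tries to fetch from a non-APF
    library (a 306 abend on a real system). Neither AC(1) on the subtask's
    program nor a DCB naming another library can raise an unauthorized step."""
    fetch_from = dcb_library if dcb_library is not None else program.library
    if step.authorized and fetch_from not in apf_list:
        return "REJECTED"
    return "AUTHORIZED" if step.authorized else "UNAUTHORIZED"

# Constructed sample data: an APF list, an AC(1) module, and a test library.
APF_LIST = {"SYS1.LINKLIB", "SYS1.PROD.AUTHLIB"}
TOOL = LoadModule("AUTHTOOL", "SYS1.PROD.AUTHLIB", ac=1)

def audit():
    """Compare a clean STEPLIB with one that mixes in a non-APF test library."""
    clean = start_jobstep(TOOL, ["SYS1.PROD.AUTHLIB"], APF_LIST)
    mixed = start_jobstep(TOOL, ["SYS1.PROD.AUTHLIB", "USER.TESTLIB"], APF_LIST)
    return {
        "clean_step": clean.authorized,
        "mixed_step": mixed.authorized,
        "subtask_in_mixed_step": attach_subtask(mixed, TOOL, APF_LIST, "USER.TESTLIB"),
        "subtask_in_clean_step": attach_subtask(clean, TOOL, APF_LIST, "USER.TESTLIB"),
    }
```

Feeding a real APF list and a job's STEPLIB into `start_jobstep` flags the common audit finding of an authorized tool silently running unauthorized because a test library was added to the concatenation.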