On Thu, 21 Apr 2011 15:40:03 -0500, McKown, John wrote:
>
>Now, being the weirdo that I am, I'd likely do my APF authorized work by using 
>the UNIX fork() and exec(), where I exec() a module which is in the UNIX 
>filesystem marked as APF authorized. Depending on what I need to do, I would 
>either use shared memory (shmat) or set up a UNIX bidirectional unnamed PIPE 
>if the APF task worked more like a "server" and would be invoked multiple 
>times. It just seems easier to me. Or use UNIX message queues for 
>communications. I have a better understanding of using pipes.
>
>The plus of the UNIX solution is that the invoker does not need to be APF 
>authorized at all. It just needs to be able to do the UNIX fork() and exec() 
>of the APF authorized "service" program. I'd likely secure the service program 
>by having the appropriate UNIX security on the executable file in the UNIX 
>filesystem (using ACLs if necessary). An alternative / enhancement would be to 
>have the UNIX program do a RACF security call of some sort to see if the 
>invoker is authorized. This latter would be better if the routine is 
>multifunction where the sub functions need to be individually authorized, 
>perhaps with differing access lists. Like what ISMF does.
>
Is BPX1EXM any help for this?

The minus of the UNIX solution (I'm no authority; I haven't
tried it) is that the fork()ed child doesn't inherit DDNAMEs
from the parent.  PITA.  But perhaps the OP doesn't need (m)any.

In Rexx, I do use the new-fangled "address TSO" to start
a TSO address space under Unix System Services.  It then
DYNALLOCs all needed DDNAMEs and CALLs an authorized program.
Another PITA is that "address TSO" connects SYSTSIN to
stdin and SYSTSPRT to stdout, then closes all other
descriptors.  I wish I could have pipes communicating
between my Unix parent and my TSO child.  I need to beg
WJS for mercy again.  (Yes, I know the descriptors I want
would be bound on the first "address TSO" and immutable
thereafter.  They'd still be useful.)

-- gil
