On 16 February 2012 19:32, Walt Farrell <[email protected]> wrote:
> On Thu, 16 Feb 2012 14:42:01 -0700, Steve Comstock <[email protected]> 
> wrote:
>
>>OK, just being a little crazy, what about EXEC PGM=MYASMPGM
>>which "does some stuff" and then does XCTL to the TMP? Would
>>that work?
>
> The last time I tried it (28+ years ago before I joined IBM) it was possible 
> to do that, if you were careful to pass all the proper data. I have no idea 
> if it would still work, nor whether IBM would consider it "supported".

A big chunk of the problem is that the TMP used to be just an
application program with some minor requirements to conform to a
slightly unusual environment. IBM had a book called Guide to Writing a
Terminal Monitor Program or a Command Processor, that explained in
detail how to write your own TMP if you wanted to.

At some point - I believe when TSO/E arrived - IBM effectively
withdrew the ability to write a TMP, by undocumenting some of the
required new interfaces, and making the existing code OCO, so there
were no examples. Some of this had to do with the security and APF
auth issues we are discussing, but certainly not all. I think probably
the timing was just bad; it was around the time of peak OCO-fever in
IBM, and I imagine there were hoops to go through in order to make any
new module or even control block non-OCO, even if it meant withdrawing
existing documented function.

But I digress again... The TMP is no longer just an application
program; it is part of the OS and its security infrastructure, and
although parts of how it works are documented, some is not at all,
much is not well, and some of the documentation makes incorrect claims
about the actual behaviour.

I very much doubt that a TMP can be invoked other than as the single
job step task in an address space; certainly not if you want to run
authorized commands or programs under it. XCTL does not provide
sufficient isolation from potentially dangerous unauthorized code.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
