On 26 March 2012 09:40, Walt Farrell <[email protected]> wrote:

> On Mon, 26 Mar 2012 05:31:42 -0500, Josef Boeck <[email protected]>
> wrote:
[...]
>> My question: Am I able to verify if the program runs as "signed program" and
>> is verified or if the program runs without verification. I didn't find any
>> hint in documentation.
>
> As far as I know, no, the program cannot tell. It is the administrator's
> responsibility in the current implementation to determine which programs must
> be signed and which actions the system should take if one of them is not
> properly signed. It is also the administrator's responsibility to control
> access to the libraries containing the programs, and enforce which libraries
> the users will use to run the programs.
>
> The programs are not expected to do their own verification.

It makes little sense for a program to be doing its own verification of its signed status. If the program has not been modified, there is nothing gained by verifying it. If it has been modified by someone unauthorized, any such verification can be bypassed as part of the modification. If you are concerned simply about administrative errors rather than attacks, such as copying the program to a PDS or unwittingly unsigning the program during installation, the program itself is still not the place to catch this.

Put another way, anyone can write a program, signed or not, that says "RACF reports that this program's signature is correct." Verification of signed status has to be done by trusted code external to the program itself.

There is a (weak) argument in favour of providing administrative options to base certain controls on the signed status, e.g. it may be reasonable to allow an unsigned program to be loaded, but not to be executed in an APF-authorized state. But it is not reasonable for the program itself to test the signed status and base anything important on it.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
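The point made in the thread above (that only a trusted loader outside the program can establish its signed status, because a self-check travels with the program and is modified along with it) can be illustrated with a small simulation. This is an added example, not code from the thread or from IBM; it uses a constructed HMAC key as a stand-in for the administrator's signing key, and the "program" is constructed Python source that the loader either runs or refuses. The names `sign`, `loader_verify`, `load`, `tamper` and `demo` are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed key held only by the trusted loader; the program itself never sees it.
LOADER_KEY = b"constructed-signing-key-for-demo-only"

# Constructed "program": source text the loader executes. Its self_check() has no
# trusted source of truth, so it can only ever assert what its author wrote into it.
ORIGINAL_PROGRAM = b'''
def self_check():
    # Self-reported status: identical before and after any modification.
    return "RACF reports that this program's signature is correct."

def main():
    return ("payload v1", self_check())
'''


def sign(program: bytes) -> bytes:
    """Administrator's signing step: a MAC over the exact bytes that will be loaded."""
    return hmac.new(LOADER_KEY, program, hashlib.sha256).digest()


def loader_verify(program: bytes, signature: bytes) -> bool:
    """External check performed by the loader, not by the program being loaded."""
    return hmac.compare_digest(sign(program), signature)


def run_program(program: bytes) -> tuple:
    """Execute the program source in a fresh namespace and return main()'s result."""
    namespace = {}
    exec(program.decode(), namespace)
    return namespace["main"]()


def tamper(program: bytes) -> bytes:
    """Constructed unauthorized modification: behaviour changes, self_check() does not."""
    return program.replace(b"payload v1", b"payload v1 (modified)")


def load(program: bytes, signature: bytes) -> tuple:
    """Trusted loader: run the program only if the external verification passes."""
    if not loader_verify(program, signature):
        return ("REJECTED", None)
    return run_program(program)


def demo() -> dict:
    """Compare what the program says about itself with what the loader decides."""
    signature = sign(ORIGINAL_PROGRAM)          # signed once, at install time
    modified = tamper(ORIGINAL_PROGRAM)         # altered after signing
    return {
        # Loader accepts the unmodified program and runs it.
        "original_via_loader": load(ORIGINAL_PROGRAM, signature),
        # The modified program still reports itself as correctly signed...
        "modified_self_report": run_program(modified)[1],
        # ...but the loader, checking the bytes it actually loads, refuses it.
        "modified_via_loader": load(modified, signature),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The self-report string is the same in both runs, which is exactly why it carries no information; only `loader_verify`, computed over the bytes the loader is about to execute with a key the program does not hold, distinguishes the two cases.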

