Hi Colleagues,
Here is my solution ...
1) An Assembler program ... It does not need to be APF authorized if the ESM is RACF. (If the ESM is ACF/2 or TSS, it needs APF authorization.)
2) A Rexx Exec

RACROUTE TITLE 'RACROUTE STATUS=ACCESS'
RACROUTE CSECT ,
RACROUTE AMODE 31
RACROUTE RMODE ANY
         SAVE  (14,12),,RACROUTE.&SYSDATE..&SYSTIME Save caller's regs.
         LR    R12,R15            Load address of entry point
         USING RACROUTE,R12       Give assembler program's base reg.
*
         LR    R11,R1             Save Pointer to Parameter Address Blk
         USING ARGS,R11
*
         GETMAIN R,LV=SAVESIZE,LOC=BELOW
         XC    0(CLEARSIZ,R1),0(R1)  Clear the save/work area
         ST    R1,8(,R13)         Save new save area addr.in old area
         ST    R13,4(,R1)         Save old save area addr.in new area
         LR    R13,R1             Replace old save area with new one
         USING SAVEAREA,R13       Tell assembler about save area
*
         SLR   R4,R4              Default reason code 0 if no parm given
*
*        Pick up the dataset name passed as the parameter: a halfword
*        length followed by the text, as TSO CALL passes it.
*
         L     R11,0(R11)         R11 -> halfword length + dataset name
         LH    R5,LENGTH          R5 = length of the parameter text
         C     R5,=F'0'           PARM?
         BE    RETURN             No, RETURN
*
         BCTR  R5,0               Length minus one for the EX'd MVC
         EX    R5,MVCDSN          Move the name into THEENT (blank padded)
         B     CONTINUE
*
MVCDSN   MVC   THEENT(*-*),DSNAME Executed move, length supplied by EX
*
*        Ask RACF for the user's highest access to the dataset.
*        STATUS=ACCESS reports that access in the RACF reason code:
*        X'00' none, X'04' READ, X'08' UPDATE, X'0C' CONTROL, X'10' ALTER.
*        Standard form: the parameter list is generated in line after
*        the 4-byte branch at CONTINUE, so its first two words (RACF
*        return code, RACF reason code) are picked up from CONTINUE+4.
*        R15 holds the SAF return code on return; it is not checked here.
*
CONTINUE DS    0F
         RACROUTE REQUEST=AUTH,                                        x
               RELEASE=1.9,                                            x
               STATUS=ACCESS,                                          x
               CLASS='DATASET',                                        x
               ATTR=UPDATE,                                            x
               ENTITY=THEENT,VOLSER=THEVOL,                            x
               WORKA=SAFWORKA
         LM    R3,R4,CONTINUE+4   Save RACF Return Code, Reason Code
*
RETURN   DS    0H
*        WTO   'RACROUTE About to Exit'
         LR    R1,R13             Save old save area addr. for FREEMAIN
         L     R13,4(,R13)        Restore old save area address
         FREEMAIN R,LV=SAVESIZE,A=(1)
EXIT     DS    0H
         LR    R15,R4             Return with Reason Code (access level)
*        SLR   R15,R15            Set a return code of zero
         RETURN (14,12),RC=(15)   Return to caller, return code in R15
*
         DS    0D
SAFWORKA DS    CL512              512-byte work area required by RACROUTE
THEENT   DC    CL44' '            Entity (dataset) name, blank padded
THEVOL   DC    CL6'THEVOL'        Volume serial (placeholder value)
         LTORG
*
SAVEAREA DSECT ,                  Register save area and work area
         DS    18F                Register save area
CLEARSIZ EQU   *-SAVEAREA         Save and work area size
RECORD   DS    0CL16
USERID   DS    CL8
PASSWORD DS    CL8
RECSIZE  EQU   *-RECORD
WTO0     WTO   '                                                     ',X
               MF=L
WTO0L    EQU   *-WTO0
SAVESIZE EQU   *-SAVEAREA         Save and work area size
*
ARGS     DSECT
         DS    0D
LENGTH   DS    H                  Length of the parameter text
DSNAME   DS    CL44               Dataset Name to Check
         YREGS
         END

/* Rexx */
/* Trace I */
/*
   RACROUTE returns the user's highest access to the dataset as the
   program's return code (the RACF reason code from STATUS=ACCESS):
   00  The user has no access.
   04  The user has READ authority.
   08  The user has UPDATE authority.
   0C  The user has CONTROL authority.
   10  The user has ALTER authority.

   https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichc600/ich2c6_Return_codes_and_reason_codes1.htm
 */
Arg dsn                                 /* dataset name (Arg uppercases it) */
Address TSO "Call *(Racroute) '"dsn"'"  /* call the assembler program above */
Say rc                                  /* printed in decimal: 12 = CONTROL, 16 = ALTER */

On 2020-06-13 23:32, Bob Bridges wrote:
Gil, you mustn't think I plan to make it a habit but I think I'm going to 
disagree with you on every point, here:

o Well, maybe not on the first one:  What's "TOCTTOU"?

o Access rules are indeed complicated to simulate.  But why simulate them?  Just
   ask RACROUTE and get an answer.  Mind you a) I'm a security geek, so maybe the
   rules seem less complicated to me.  And b) I've never used RACROUTE directly;
   as a security geek I talk to RACF/ACF2/TSS through their TSO-level commands,
   so maybe RACROUTE is more difficult.

o Of course the rules are subject to change.  I can't see that that makes any
   difference, makes it any less handy to know what the rules are.  If he takes
   your advice (just try the access and report the failure), the rule may ~still~
   change; so what?

o I've never had occasion to try it in TSS or ACF2 - being a security jock, I
   always ~have~ the elevated privileges, so I'm generally unaware of how they
   behave for hoi polloi - but I know that it's possible even for regular folks
   to use the RACF commands to determine whether they have read access to a
   dataset.  I don't know about update.  This question came up in TSO-REXX back
   in 2013, and I described how to do it and saved it away in case I wanted to
   use it again.  I've sent it off-line to Mr DeChirico already; if anyone else
   wants to see it, just ask.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Never miss a good chance to shut up.  -from A Cowboy's Guide to Life */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Saturday, June 13, 2020 22:09

Don't.

o There's a TOCTTOU hazard.
o The rules are probably too complicated to simulate.
I'll add:
o The rules are subject to change.
o You may need elevated privilege even to perform the check.

Better just to try the access and report any failure.

--- On Sat, 13 Jun 2020 09:10:01 -0700 (PDT), Michael DeChirico wrote:
Are there any hlasm code examples on how to user RACROUTE
to verify a userid's access to read/write a dataset?
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
