There is if you're running Supervisor mode or system key. There is if you're 
using the TSO services for authorized commands, facilities and programs. There 
is if you're running an authorized Unix command.

There should not be a way to run an arbitrary authorized program from an 
unauthorized program.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר



________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Steve Beaver <0000050e0c375a14-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, November 19, 2024 3:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Program Authorization: Unauthorized programs calling Authorized

I don't know if there is an easy way to turn on the JSCBAUTH without being 
APF'd.



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Seymour J Metz
Sent: Tuesday, November 19, 2024 10:32 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Program Authorization: Unauthorized programs calling Authorized

An unauthorized program may use PC and SVC, and a TSO application may invoke 
authorized commands, programs and services; those are the only ways to run 
authorized code from an unauthorized program. There is not, and should not be, 
an interface to run arbitrary authorized code from an unauthorized program.

I believe that the integrity guide spelled it out in excruciating detail; I 
haven't checked whether it still exists.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר



________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Richard Zierdt <richard.zie...@freschesolutions.com>
Sent: Tuesday, November 19, 2024 11:18 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Program Authorization: Unauthorized programs calling Authorized

Thanks to everyone who responded. Concepts covered:

(1) Authorization "rules":  I thought that unauthorized programs could call 
authorized programs to execute authorized instructions.  After all, no shop 
would permit authorized programs to exist unless they were "approved", right?  
Bottom line, this (either sentence above) is not true.

Now, SVCs must execute some Chapter 10 instructions, and they're called all the 
time by unauthorized programs.  But SVCs are SVCs, not home-grown programs (ok 
- yes, they can be home-grown).  So, SVCs get a pass.  Same with PCs, 
apparently.  This gets back to my first point: "No shop would permit SVCs or 
PCs to exist unless they were "approved", right?"

(2) JSCBAUTH bit.  Noted, thanks for the discussion.

(3) TPROT (instruction), TESTAUTH (macro).  Noted, thanks for the discussion.

(4) ATTACH(x) . . . RSAPF=YES.  Noted, thanks.

(5) Bottom line: to display control registers for unauthorized programs, the 
called program that provides this service will have to be in an SVC or PC (or 
an SRB, I guess, but enough for now).

Thanks, everyone.
Richard Zierdt

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Seymour J Metz <sme...@gmu.edu>
Sent: Tuesday, November 19, 2024 9:02 AM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: Program Authorization: Unauthorized programs calling Authorized

I would never suggest directly turning on JSCBAUTH. If you must switch 
authorization state, relegate the code to a subtask, use RSAPF=YES and follow 
all of the documented restrictions.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר



________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Binyamin Dissen <00000662573e2c3a-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, November 19, 2024 1:13 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Program Authorization: Unauthorized programs calling Authorized

On Mon, 18 Nov 2024 16:12:02 -0600 Steve Beaver
<0000050e0c375a14-dmarc-requ...@listserv.ua.edu> wrote:

> Seymour I didn't disagree; however, teaching anyone how to turn on the JSCBAUTH
> bit is stupid.

If someone has authority to update APF libraries, telling him about the fully 
documented JSCBAUTH bit is a nothing burger. You need KEY0 to do it, and if you 
have KEY0 you can pretty much do what you want.

Of course setting it, like setting DEBAPFIN or using TPROT to verify the key 
of storage and then using KEY0 to update it, is a bad idea - there are better 
ways to use granularity to provide the business need without kicking over the 
barn.

--
Binyamin Dissen <bdis...@dissensoftware.com>
http://www.dissensoftware.com/

Director, Dissen Software, Bar & Grill - Israel

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
