Yes, it is certainly possible to open a system up to the world by allowing
z/OS operator commands via JCL. Which is why we have OPERCMDS set up to
restrict the SETPROG z/OS command to tech services people only. And we
don't allow "in stream" (JCL) submission of z/OS operator commands. Yes, we
have a program which can issue an operator command via JCL as in "//DOCMD
EXEC PGM=ZOSCMD,PARM='D A,L' ". But that resides in a restricted APF
library which "normal" people can't even READ.


Yes, I have a touch of terminal paranoia! <grin/>


On Mon, Nov 11, 2013 at 7:13 AM, DASDBILL2 <[email protected]> wrote:

> Any process today which can programmatically submit an operator command
> with the proper authority for that particular command can submit an
> operator command to add a library name to the APF list, the change from
> which is immediately effective.
> Any process today which can programmatically update a system library can
> update the APF list so that library X.Y.Z will be APF-authorized after the
> next IPL.
>
> Both processes must themselves be treated as if they were APF authorized,
> meaning they must be tightly controlled as to who can use them.  Any
> process which creates such a process (ATTACH, INTRDR, etc.) must also be
> tightly controlled.  Any process which creates such a process which
> creates... ad infinitum.
>
> Bill Fairchild
>
>
--
Another case of too many mad scientists and not enough hunchbacks.

Maranatha!
John McKown
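The controls John describes (OPERCMDS restricting SETPROG, and an APF library that ordinary users cannot even READ) can be expressed as RACF definitions. The job below is an added illustration, not from either poster or from IBM; the group name SYSPROG and the data set name SYS1.APFLIB.LOAD are placeholders, and the OPERCMDS resource name MVS.SETPROG is taken from IBM's table of command-to-resource mappings, which should be checked for your own release before use.

```jcl
//RACFDEF  JOB (ACCT),'RESTRICT SETPROG',CLASS=A,MSGCLASS=X
//* Added example only. Placeholder names:
//*   SYSPROG          - RACF group for the tech-services people
//*   SYS1.APFLIB.LOAD - the restricted APF library holding the
//*                      command-issuing program
//* 1. Make the OPERCMDS class active and RACLISTed.
//* 2. Default-deny MVS.SETPROG and log every attempt; SETPROG needs
//*    UPDATE access, so only SYSPROG gets that.
//* 3. Default-deny the APF library itself (no READ for anyone not
//*    permitted) so the program cannot be copied elsewhere.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
 RDEFINE  OPERCMDS MVS.SETPROG UACC(NONE) AUDIT(ALL)
 PERMIT   MVS.SETPROG CLASS(OPERCMDS) ID(SYSPROG) ACCESS(UPDATE)
 ADDSD    'SYS1.APFLIB.LOAD' UACC(NONE) AUDIT(ALL)
 PERMIT   'SYS1.APFLIB.LOAD' ID(SYSPROG) ACCESS(UPDATE)
 SETROPTS RACLIST(OPERCMDS) REFRESH
/*
```

The "no in-stream operator commands" rule is a JES2 setting rather than a RACF one: the JOBCLASS statement's COMMAND parameter (assumed here as COMMAND=IGNORE for the job classes ordinary users may submit to) discards commands placed in the job stream. AUDIT(ALL) on both profiles gives the SMF records needed to spot a permitted ID using SETPROG or reading the library at an unexpected time. Note that this covers only the dynamic path Bill mentions; the second path, updating the PROGxx member in PARMLIB so a library is authorized after the next IPL, is closed by the same default-deny treatment of SYS1.PARMLIB.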

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
