The basic issue is that the AUTHCMD is invoked in key8 and its storage is in key8 - thus the invoked non-APF can modify it and create an exposure.
You are free to add the commands that you feel are safe to AUTHCMD and can then freely execute them.

On Fri, 27 Jun 2014 12:18:47 -0400 MichealButz <[email protected]> wrote:

:>Rob
:>With all due respect and I mean that sincerely I have a number of TSO
:>commands that would make life easier it boggles my mind that because I am
:>authorized I can't use them
:>
:>-----Original Message-----
:>From: IBM Mainframe Discussion List [mailto:[email protected]] On
:>Behalf Of Rob Scott
:>Sent: Friday, June 27, 2014 11:55 AM
:>To: [email protected]
:>Subject: Re: IKJTSOxx Auth pgm cmds PC rtns
:>
:>It is well documented in the TSO manuals that IKEFTSR will not allow
:>authorized programs to issue unauthorized commands.
:>
:>All authorized command/program activity in TSO runs under a parallel
:>authorized TMP jobstep - running commands and programs that were not
:>designed (or tested) to be invoked authorized is an obvious integrity
:>exposure.
:>
:>As far as NOWTPMSG, it might be useful to investigate if it is *supported*
:>to change the UPT settings manually - see UPTWTP and UPTNCOM in IKJUPT.
:>
:>Rob Scott
:>Lead Developer
:>Rocket Software
:>77 Fourth Avenue . Suite 100 . Waltham . MA 02451-1468 . USA
:>Tel: +1.781.684.2305
:>Email: [email protected]
:>Web: www.rocketsoftware.com
:>
:>
:>-----Original Message-----
:>From: IBM Mainframe Discussion List [mailto:[email protected]] On
:>Behalf Of MichealButz
:>Sent: 27 June 2014 16:29
:>To: [email protected]
:>Subject: Re: IKJTSOxx Auth pgm cmds PC rtns
:>
:>Why can't I issue simple TSO command via IKJEFTSR because my code is
:>authorized I don't understand the idea behind it
:>
:>I would like to keep everything local to my TSO address space I am not
:>trying to do anything kooky I have a recovery rtn and MVS message interfere
:>with it so I am just trying to do PROFILE NOWTMSG
:>
:>I don't understand why TCAS doesn't let me do it
:>
:>But maybe there is a good reason
:>
:>Thanks
:>
:>-----Original Message-----
:>From: IBM Mainframe Discussion List [mailto:[email protected]] On
:>Behalf Of Rob Scott
:>Sent: Friday, June 27, 2014 11:22 AM
:>To: [email protected]
:>Subject: Re: IKJTSOxx Auth pgm cmds PC rtns
:>
:>If you have a PC-owning service-providing server address space, then you
:>could probably dispense with AUTHPGM/CMD/TSF entries completely and keep
:>your client code in normal problem state key 8.
:>
:>Your non-auth client can ask the server address space to perform any
:>authorized functions on its behalf and communicate via some sort of request
:>queue and SUSPEND/RESUME logic.
:>
:>Attempting to turn your TSO user address space into a PC-owning
:>service-providing address space to circumvent authority issues is an idea
:>that is so bad it defies description - please say that you are not
:>considering that.
:>
:>Rob Scott
:>
:>
:>-----Original Message-----
:>From: IBM Mainframe Discussion List [mailto:[email protected]] On
:>Behalf Of MichealButz
:>Sent: 27 June 2014 16:02
:>To: [email protected]
:>Subject: Re: IKJTSOxx Auth pgm cmds PC rtns
:>
:>Rob,
:>
:>I can't use the TSO service facility IKJEFTSR (I would like to issue certain
:>non-authorized TSO commands) because my program is in IKJEFTSOxx
:>AUTHPGM/CMD
:>
:>I know that PC rtn's are separate entities so I am looking for the PC rtn
:>to use IKJEFTSR
:>
:>-----Original Message-----
:>From: IBM Mainframe Discussion List [mailto:[email protected]] On
:>Behalf Of Rob Scott
:>Sent: Friday, June 27, 2014 10:52 AM
:>To: [email protected]
:>Subject: Re: IKJTSOxx Auth pgm cmds PC rtns
:>
:>Are you trying to say that you have a TSO command processor that is
:>attempting to define and own a PC routine using LXRES, ETDEF, ETCRE and
:>ETCON ???
:>
:>Rob Scott
:>
:>
:>-----Original Message-----
:>From: IBM Mainframe Discussion List [mailto:[email protected]] On
:>Behalf Of Micheal Butz
:>Sent: 27 June 2014 15:38
:>To: [email protected]
:>Subject: Re: IKJTSOxx Auth pgm cmds PC rtns
:>
:>Thanks let me get to the point
:>
:>The program that creates the PC rtn
:>
:>Is the AUTHCMD/PGM so I can't use IKJEFTSR
:>
:>However I am thinking the PC rtn might be able to
:>
:>Thanks
:>
:>Sent from my iPhone
:>
:>> On Jun 27, 2014, at 10:30 AM, John McKown
:>> <[email protected]> wrote:
:>>
:>> No. If the PC routine does not require APF authorization, then the
:>> IKJTSOnn AUTH... entry isn't relevant. As an example, the STORAGE
:>> macro does a PC to do its magic, not an SVC. But a program which uses
:>> the STORAGE macro doesn't need to be in the list(s) mentioned. Only
:>> programs which are linked as AC=1 and which you want to be invoked by
:>> TSO with APF authorization active need to be listed.
:>>
:>>
:>> On Fri, Jun 27, 2014 at 8:57 AM, MichealButz <[email protected]>
:>> wrote:
:>>
:>>> Hi,
:>>>
:>>> I know if you want to run authorized code under TSO you have to place
:>>> it in IKJTSOxx AUTHCMD/PGM
:>>>
:>>> What if that code generates a PC rtn does TMP know of it
:>>>
:>>> Thanks
:>>>
:>>> ----------------------------------------------------------------------
:>>> For IBM-MAIN subscribe / signoff / archive access instructions,
:>>> send email to [email protected] with the message: INFO IBM-MAIN
:>>
:>> --
:>> There is nothing more pleasant than traveling and meeting new people!
:>> Genghis Khan
:>>
:>> Maranatha! <><
:>> John McKown

--
Binyamin Dissen <[email protected]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.
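
Added example, not part of the thread or any poster's code: since every name listed under AUTHCMD, AUTHPGM or AUTHTSF in IKJTSOxx runs authorized, this sketch parses a copy of the member and reports names missing from a reviewed baseline. The sample member, the names MYPCCMD and MYTOOL, and the baseline are constructed; it assumes the usual `NAMES(...)` form with `/* */` comments and `+`/`-` continuation.

```python
import re

# Constructed sample in IKJTSOxx syntax (not taken from a real system).
SAMPLE_IKJTSO = """\
AUTHCMD NAMES(            /* authorized commands        */ +
   RECEIVE TRANSMIT XMIT  /* shipped defaults           */ +
   MYPCCMD)               /* hypothetical local command */
AUTHPGM NAMES(            /* authorized programs        */ +
   IEBCOPY)
AUTHTSF NAMES(            /* authorized via IKJEFTSR    */ +
   IEBCOPY MYTOOL)
"""

# Constructed baseline: names a reviewer has accepted to run authorized.
REVIEWED = {
    "AUTHCMD": {"RECEIVE", "TRANSMIT", "XMIT"},
    "AUTHPGM": {"IEBCOPY"},
    "AUTHTSF": {"IEBCOPY"},
}

STATEMENT = re.compile(r"\b(AUTHCMD|AUTHPGM|AUTHTSF)\s+NAMES\s*\(([^)]*)\)", re.I)


def parse_auth_lists(member_text):
    """Return {statement: set(names)} for the three AUTHxxx statements."""
    text = re.sub(r"/\*.*?\*/", " ", member_text, flags=re.S)  # strip comments
    text = re.sub(r"[+-][ \t]*\n", " ", text)  # join continued lines
    lists = {}
    for stmt, body in STATEMENT.findall(text):
        names = {n.upper() for n in re.split(r"[\s,]+", body) if n}
        lists.setdefault(stmt.upper(), set()).update(names)
    return lists


def unreviewed(member_text, baseline):
    """Names that would run authorized but are absent from the baseline."""
    report = {}
    for stmt, names in parse_auth_lists(member_text).items():
        extra = names - baseline.get(stmt, set())
        if extra:
            report[stmt] = sorted(extra)
    return report


if __name__ == "__main__":
    for stmt, names in unreviewed(SAMPLE_IKJTSO, REVIEWED).items():
        print(f"{stmt}: not in reviewed baseline: {', '.join(names)}")
```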
