On Tue, 17 Mar 2015 10:43:14 -0500, John McKown <[email protected]> wrote:
>All of the above is very true. But as I understand the original
>problem, it is how to run untrusted code in the same address space as
>APF authorized code. IMO, this, in and of itself, is a possible?
>integrity exposure in z/OS. The only real solution would be to only
>run code which you have written or vetted to be safe (assuming you
>trust yourself). In the original post, it was running an IBM utility.
>But Charles didn't want to trust it enough to simply LINK to it and
>allow it to "do its thing". What he wanted is what I gave: a way to
>temporarily turn off APF authorization, run the other code, then turn
>it back on. I, personally, would not do this.

That may be what he asked for, but it's not safe as you suggested it. The existence of that SMP/E integrity APAR that we've mentioned demonstrates that if you want to run authorized, and invoke programs that you didn't write, then there is a level of knowledge you need to have about those routines in order to be sure it's safe to run them.

The alternative is that you design your program so it will be safe to run them. One method is using fork() and execmvs() as you suggest below (snipped) to make the program run someplace else, where it won't have your authority and can't interfere with you.

Another is to change the way your authorized program runs. We've mentioned one possibility in that area: put the authorized processing in a PC routine, establish that PC while you're running authorized, then turn off authorization. When you need to perform the authorized function later on, let the PC routine do it.

Another design change might be to set your program up so the system invokes it in a system key, rather than invoking it in key 8. Then make sure any storage you allocate for your own use is also in that system key, and you should be safe from any tampering the other program might want to perform. You can then turn off JSCBAUTH before invoking the other program, and use SYNCHX to invoke it in problem state and a user key, and it won't run with any kind of authorization.

-- Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
