On Wed, May 24, 2017 at 12:22 PM, Jim Mulder <[email protected]> wrote:
> That is not the way the Initiator works. The Initiator is not
> APF-authorized.
>
> Does your program use any key 8 storage (like the save area that was
> provided when your program was ATTACHed, or the subpool 0 area that you
> FREEMAIN when the program that you ATTACHed ends)?
> Could the unauthorized program that you ATTACHed modify these areas in such
> a way that when your code does the LM and BR 14, it branches to some code
> created by the unauthorized program, so that the unauthorized program can
> cause code it created to run authorized under your task?
>
> When you ATTACH an authorized program and pass it a parm that is longer
> than 100 bytes, how do you prevent a buffer overflow security exposure if
> the authorized program you are ATTACHing copies the parm to a 100 byte
> buffer (which it assumes is a safe thing to do, because the system
> documentation stated that the maximum PARM= length was 100 bytes)?
>
> Jim Mulder z/OS Diagnosis, Design, Development, Test IBM Corp.
> Poughkeepsie NY

The above is why I really "push" the UNIX fork() alternative. The "controller" program does not even need APF authorization. To start a new address space on behalf of another user only requires some RACF authorities for the RACF id doing the fork(), unlike ASCRE.

I am assuming that the child process does _not_ need any special DDs for data sets to be "preallocated", but the child can use DYNALLOC to allocate DDs based on parameters or (IMO better) environment variables. If a "steplib" is needed, the initial child program can simply DYNALLOC the DSNs and then use an ATTACHX with a TASKLIB.

As an aside, if the child program is COBOL or PL/I, then it can just let LE do the DYNALLOC by having the "controller" set up the proper environment variables as documented in the COBOL or PL/I manuals.

--
Windows. A funny name for an operating system that doesn't let you see anything.

Maranatha!
<>< John McKown
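The fork() and environment-variable approach described in the reply, combined with the length check that the quoted PARM question calls for, as an added POSIX C example that is not code from this thread. The variable name `CHILD_INPUT_DSN` and both function names are hypothetical, the 44-character limit is the z/OS data set name maximum, and the DYNALLOC step is only marked by a comment.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define DSN_MAX 44                    /* longest z/OS data set name */
#define DSN_VAR "CHILD_INPUT_DSN"     /* hypothetical variable name */

/* Child side: copy the DSN out of the environment, checking the real
 * length instead of trusting a documented maximum. */
static int child_get_dsn(char out[DSN_MAX + 1])
{
    const char *v = getenv(DSN_VAR);
    size_t n = v ? strlen(v) : 0;
    if (n == 0)
        return 1;                     /* missing or empty */
    if (n > DSN_MAX)
        return 2;                     /* would overflow the buffer */
    memcpy(out, v, n + 1);            /* n + 1 includes the terminator */
    return 0;
}

/* Controller side: fork, set the variable in the child's environment only,
 * and return the child's exit status (-1 on fork/wait failure). */
int run_child(const char *dsn)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char buf[DSN_MAX + 1];
        if (setenv(DSN_VAR, dsn, 1) != 0)
            _exit(3);
        /* Assumption: a real child would DYNALLOC the DSN in buf here. */
        _exit(child_get_dsn(buf));
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("valid DSN -> %d\n", run_child("PROD.PAYROLL.INPUT"));
    return 0;
}
```

Exit status 0 means the child accepted the name; 1 and 2 are the rejected cases (empty and over-length).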
