Ouch!
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Tom Marchant <[email protected]> Sent: Thursday, July 26, 2018 10:54 AM To: [email protected] Subject: Re: A curiosity Question On Thu, 26 Jul 2018 07:50:04 -0500, Walt Farrell wrote: >On Tue, 24 Jul 2018 15:08:51 +0000, Seymour J Metz wrote: > >>Neither APF authorization nor supervisor state suspend normal SAF processing >>for, e.g., OPEN. If you know of a privileged application >that bypasses >>normal resource controls and does not require SAF authorization before doing >>so, then it's APAR time. > >I believe there is one exception to that, unless the behavior has been changed >in the past few years: as I recall, OPEN for a >VSAM file will bypass security checking if the issuer of OPEN is running in >supervisor state. I think it's documented (briefly) >deep in some manual, but I forget which one. See the last sentence: https://secure-web.cisco.com/1fEi_APD-dbzkd_iKlhiAA2AVBOGZ5QGmCNii0nYbrJWM2V2A6qipyYe5-tm1FkX-bmtBq2TQf_BrZFhyY5GESiAIdhK6RBb7DWQ077xzPDW4rh2as1AyBl-hJSHUpzFFyZZGlLUgvPjFv7GylTwg8rZIGP9VVE5BhfiTB27BHPn1qnA9ZegbpcUyVT6kLj3-JzxQcDkb03CJdw4W-GjweV3pWEcL95Ck1udp-8vmJa4xGXl9ixcCXA58o6_QxTwFkCBF0PRD4zqDyTl0G-mKbs_xPJ9n4V8bsBvAtVZ7bFz0GO7Jp-YZ1yghGuouUuZanzL9faTjFJH6zH47NZx2iATeomthWOqV2mSKMS5_9R4iF54_zydsOEUVB_KOPk--_BNL9S73rzHl3YtSbOkPkl2VoVveVZ9gudeZERXDgu35SYBHRpVB1vtE7uNvLh_f/https%3A%2F%2Fwww.ibm.com%2Fsupport%2Fknowledgecenter%2FSSLTBW_2.3.0%2Fcom.ibm.zos.v2r3.idad400%2Fods.htm "Note: RACF protection supersedes password protection for a data set. RACF checking is bypassed for a caller that is in supervisor state or key 0." -- Tom Marchant ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
