On Tue, May 28, 2019 at 12:46 PM Farley, Peter x23353 < peter.far...@broadridge.com> wrote:
> Ray, > > PMFJI here, but as a regular application programmer (not a sysprog) I do > not understand how the FTP JES option allowed is a configuration > vulnerability. > > Isn't the FTP JES option one of the ways that the IBM z/OS and CICS > Explorer Eclipse-based products (and maybe other ISV Eclipse GUI's) provide > to let you submit and review the results of compile and program test and > bundle transmission jobs? If my FTP submitted jobs must have my userid+1 > as the job name and my userid access is properly controlled by the ESM, how > is that vulnerable? > > IOW, how is FTP JES submission any different from TSO SUBMIT? > > Peter > I was wondering the same thing. The only thing that comes to mind is that more non-z/OS people know how to use ftp than tn3270. And using tn3270 to get to TSO to use SUBMIT requires the RACF ID to have a TSO segment. So, in effect, you can stop non-TSO people, who need to upload or download data, from submitting jobs. Assuming that such people know how to code JCL and issue the correct SITE command to submit to JES rather than upload into a data set / UNIX file. -- This is clearly another case of too many mad scientists, and not enough hunchbacks. Maranatha! <>< John McKown ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
