On Tue, Nov 19, 2019 at 05:52:41PM +0000, Seymour J Metz wrote:
>  1. TSO *doesn't* get "quarantined like a contagious pit-bull"; rather, TSO 
>     imposes a firewall between authorized and unauthorized code. The same
>     firewall, implemented differently,  exists for PGM=foo.

No, it's not the same "firewall" and the TSO version is very fragile.

The PGM=foo case does its cleanup of stuff left over via normal MVS
exit paths.  Any resources left around are *gone* once end of task and end
of job step termination occur.  Only then does the initiator, in a fresh
region, start the next step, possibly with APF authorization turned on.

The TSO case is different.  The existing environment needs to stay around
along with all its resources so it can't use the official MVS exit paths
to clean up the environment.

So the TSO case involves knowing about any possible resources which
might affect the APF environment and suspending or blocking them during
the APF time, even if there isn't an MVS service to do so.

This includes dealing with all current MVS resources which might interact
with its "firewall" as well as any new resources/features which get
added to the system, even by groups outside of TSO.

Back in 1981 I found out that I could easily gain APF authorization
(and via MODESET to key zero/supervisor issue SDUMP) from TSO if any
authorized command existed in the TSO APF command list.  I thought then
(and now) that this design was a gross misuse of RSAPF on ATTACH and a
design mistake and reported it to IBM along with my demo code.

As this is 38 years later I wouldn't expect the same code to work on
current (or even old) systems but it appears to me that the complexity
of this misdesign has only grown over the decades.

PS: Being an ACF2 shop, it was amusing to me that RACF required having
    commands in the APF TSO list, thus at that time, any RACF shop was
    insecure.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
