Discussion:
SYS1.LINKLIB and APF (Was: Cobol upgrade 6.2 linklist)
Lizette Koehler
2017-12-19 23:45:28 UTC
@Skip

Taking this discussion a little sideways.

I seem to remember that if you used SYS1.LINKLIB in a JOBLIB/STEPLIB concatenation with other non-APF authorized libraries, because it is SYS1.LINKLIB - the Joblib/Steplib would become APF Authorized whether they were or not.

This was because SYS1.LINKLIB would always be APF authorized by the operating system.

Am I remembering this correctly or not?

Thanks

Lizette
-----Original Message-----
Behalf Of Jesse 1 Robinson
Sent: Tuesday, December 19, 2017 3:36 PM
Subject: Re: Cobol upgrade 6.2 linklist
A linklist data set need not be authorized. If you specify LNKAUTH=APFTAB in
IEASYSxx, then an application library would be authorized only if you created
an APF entry for it. Assuming that SYS2.PRODLIB is not APF, then there is no
more danger in linklisting it than allowing users to STEPLIB to it.
The exposure that my ancient Audit department focused on was devious code
that could be slipped into production in some random library being STEPLIBed
to in an individual job. Code like the legendary (fairytale?) case of
diverting fractions of a cent from accounts payable into a private fund.
Someone would have to vet the source code, of course, but at least there was
an audit trail from source to production.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Gibney, Dave
2017-12-20 07:45:56 UTC
No. Unless SYS1.LINKLIB is also explicitly in the APF list, it won't be APF authorized when STEPLIB/JOBLIB'd. For the step to be authorized, all entries in STEPLIB/JOBLIB need to be explicitly authorized.
Peter Hunkeler
2017-12-20 11:42:55 UTC
Post by Gibney, Dave
No. Unless SYS1.LINKLIB is also explicitly in the APF list, it won't be APF authorized when STEPLIB/JOBLIB'd. For the step to be authorized, all entries in STEPLIB/JOBLIB need to be explicitly authorized.
SYS1.LINKLIB and SYS1.SVCLIB are automatically added to the APF list at IPL. You don't need to specify them explicitly.
-- Peter Hunkeler

Jesse 1 Robinson
2017-12-20 18:39:06 UTC
To clarify. Inclusion of an unauthorized library in JOBLIB/STEPLIB concatenation makes the entire list unauthorized. That is, the concatenation can *lose* authorization but not gain it. And SYS1.LINKLIB is always APF even if not explicitly named.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
***@sce.com
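
An added example, not part of any poster's message: a small JCL audit that applies the rule as Peter Hunkeler and Skip Robinson state it above (SYS1.LINKLIB and SYS1.SVCLIB are always APF; one unauthorized library makes the whole JOBLIB/STEPLIB concatenation unauthorized). The sample JCL, the names AUTHPGM and SYS3.AUTHLIB, and the caller-supplied APF list are constructed for illustration; volume serials, JCL continuation lines, procedures and symbolics are not modeled.

```python
import re

# Per the thread: in the APF list automatically at IPL.
IMPLICIT_APF = {"SYS1.LINKLIB", "SYS1.SVCLIB"}
EXEC_RE = re.compile(r"^//(\S*)\s+EXEC\s")
DD_RE = re.compile(r"^//(\S*)\s+DD\s+(.*)$")
DSN_RE = re.compile(r"\b(?:DSN|DSNAME)=([A-Z0-9$#@.\-]+)")

# Constructed sample; AUTHPGM and SYS3.AUTHLIB are hypothetical names.
SAMPLE_JCL = """\
//PAYJOB   JOB (ACCT),'CONSTRUCTED SAMPLE'
//STEP1    EXEC PGM=AUTHPGM
//STEPLIB  DD DSN=SYS1.LINKLIB,DISP=SHR
//         DD DSN=SYS2.PRODLIB,DISP=SHR
//SYSPRINT DD SYSOUT=*
//STEP2    EXEC PGM=AUTHPGM
//STEPLIB  DD DSN=SYS1.LINKLIB,DISP=SHR
//         DD DSN=SYS3.AUTHLIB,DISP=SHR
"""

def concatenations(jcl):
    """Return [(scope, ddname, [dsn, ...])] for JOBLIB/STEPLIB DDs."""
    found, scope, current = [], "JOB", None
    for line in jcl.splitlines():
        if line.startswith("//*") or not line.startswith("//"):
            continue  # comment statement or in-stream data
        m = EXEC_RE.match(line)
        if m:
            scope, current = m.group(1) or "(unnamed)", None
            continue
        m = DD_RE.match(line)
        if not m:
            continue
        ddname, operands = m.groups()
        if ddname in ("JOBLIB", "STEPLIB"):
            current = (scope, ddname, [])
            found.append(current)
        elif ddname:
            current = None  # a named DD ends the concatenation
        dsn = DSN_RE.search(operands)
        if current and dsn:
            current[2].append(dsn.group(1))
    return found

def audit(jcl, apf_list):
    """Flag concatenations that mix APF and non-APF libraries."""
    apf = IMPLICIT_APF | set(apf_list)
    findings = []
    for scope, ddname, libs in concatenations(jcl):
        unauthorized = [d for d in libs if d not in apf]
        if unauthorized and len(unauthorized) < len(libs):
            findings.append((scope, ddname, unauthorized))
    return findings
```

With SYS3.AUTHLIB in the supplied APF list, only STEP1 is reported, because SYS2.PRODLIB sits in the same concatenation as SYS1.LINKLIB without an APF entry of its own.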

