Discussion:
Linklist and APF
R.S.
2018-07-05 15:18:37 UTC
I have a job with the following steplib:

//STEPLIB  DD DISP=SHR,DSN=HLQ.LNKLST.LIB1
//                DD DISP=SHR,DSN=HLQ.LNKLST.LIB2
//                DD DISP=SHR,DSN=HLQ.NONLNK.LIB3

LIB1, and LIB2 reside in LNKLST, but not on APF.
LIB3 is not on LNKLST, but is APF-authorized.

The job works when all 3 libraries are in steplib concatenation. When I
remove LIB1 and LIB2 it doesn't work. Is it because of a lack of explicit APF
authorization?
LNKLST is authorized by IEASYS default entry.
--
Radoslaw Skorupka
Lodz, Poland




----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to ***@listserv.ua.edu with the message: INFO IBM-MAIN
Tom Marchant
2018-07-05 15:27:09 UTC
> //STEPLIB DD DISP=SHR,DSN=HLQ.LNKLST.LIB1
> // DD DISP=SHR,DSN=HLQ.LNKLST.LIB2
> // DD DISP=SHR,DSN=HLQ.NONLNK.LIB3
> LIB1, and LIB2 reside in LNKLST, but not on APF.
> LIB3 is not on LNKLST, but is APF-authorized.
So, the concatenation is not authorized.
> The job works when all 3 libraries are in steplib concatenation. When I
> remove LIB1 and LIB2 it doesn't work. Is it because of a lack of explicit APF
> authorization?
"Doesn't work" in what way?
> LNKLST is authorized by IEASYS default entry.
You mean you have LNKAUTH=LNKLST defaulted?
--
Tom Marchant

----------------------------------------------------------------------
Elardus Engelbrecht
2018-07-05 15:36:39 UTC
> //STEPLIB DD DISP=SHR,DSN=HLQ.LNKLST.LIB1
> // DD DISP=SHR,DSN=HLQ.LNKLST.LIB2
> // DD DISP=SHR,DSN=HLQ.NONLNK.LIB3
> LIB1, and LIB2 reside in LNKLST, but not on APF.
> LIB3 is not on LNKLST, but is APF-authorized.
> The job works when all 3 libraries are in steplib concatenation.
In this concatenation, all or none should be APFed depending on the requirement of the program(s). I am a$$uming ALL the programs required for that job are sitting in any of those STEPLIB libraries.
> When I remove LIB1 and LIB2 it doesn't work.
How so? Any messages or abends?
> Is it because of a lack of explicit APF authorization?
Perhaps, but it depends where the program modules are fetched from. If a program is NOT fetched at all from any of those STEPLIB libraries, then Linklist is searched instead.

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
Steve Beaver
2018-07-05 18:02:09 UTC
What does the PGM= do as coded?

----------------------------------------------------------------------
Barkow, Eileen
2018-07-06 13:59:32 UTC
I am not sure if this is still true, but a while ago we had a problem whereby a program would only work from steplib and not a linklib.
It turned out that certain options such as RENT were only enforced if the module resided in an apf authorized linklib.
So our module had been link-edited with the RENT option but was not really reentrant, so it abended when the RENT attribute was enforced.

----------------------------------------------------------------------
Charles Mills
2018-07-06 14:31:59 UTC
Let me put on my security preacher hat for a moment.

Yes, what Eileen says is a fact: there is no z/OS "enforcement" of RENT unless the program is from an APF library. You can easily get surprised by "where did that S0C4 come from?"

But that is not the big issue.

If you are getting "surprised" by "oh gosh, look at that, it's getting loaded from an APF library" then you do not have proper controls over what is probably THE most critical aspect of mainframe integrity, and as Barry Schrager observed at the dawn of mainframe security, without integrity there is no security. APF libraries are the keys to the kingdom. If I worked for you, and I were a malicious programmer, and I observed that if I did X and Y and Z then my program would end up in an APF library without any management or security review, then I OWN your mainframe. An APF-authorized program can do ANYTHING. Ray Overby and others have demonstrated at SHARE that just a few lines of obscure binary in an authorized program can give the user RACF SPECIAL and/or OPERATIONS/PRIVILEGED with NO AUDIT TRAIL WHATSOEVER, and from there on out the sky is the limit.

There are two pieces to APF authorization, AC=1 and the library. There are no controls over AC=1 -- any programmer can do it. It is up to you to control APF libraries rigorously.

Charles


----------------------------------------------------------------------
Seymour J Metz
2018-07-06 14:58:18 UTC
Actually, there is no enforcement of RENT, period. A module linked with RENT can be shared between tasks, even if it updates common data without proper serialization. It didn't help that Fetch ignored REFR.

BTW, OS/360 had some reentrant modules that were not refreshable. IMHO that is extremely bad form. AFAIK all of those have been cleaned up.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

----------------------------------------------------------------------
Walt Farrell
2018-07-05 15:55:12 UTC
> //STEPLIB DD DISP=SHR,DSN=HLQ.LNKLST.LIB1
> // DD DISP=SHR,DSN=HLQ.LNKLST.LIB2
> // DD DISP=SHR,DSN=HLQ.NONLNK.LIB3
> LIB1, and LIB2 reside in LNKLST, but not on APF.
> LIB3 is not on LNKLST, but is APF-authorized.
> The job works when all 3 libraries are in steplib concatenation. When I
> remove LIB1 and LIB2 it doesn't work. Is it because of a lack of explicit APF
> authorization?
> LNKLST is authorized by IEASYS default entry.
It would help to know what you mean by "works" and "doesn't work".

But for a start, remember that LNKAUTH=LNKLST means that the libraries in the link list are all authorized *when they are accessed as part of the link list*. Therefore, your STEPLIB concatenation is *not* APF-authorized, because it contains LIB1 and LIB2 which are not APF-authorized in your usage.

My guess about what you mean by "doesn't work" is that once the job step is running APF-authorized (which will happen when you remove LIB1 and LIB2 from STEPLIB) you're getting an S0C4 abend because some program you're running claims to be RENT but isn't. When run APF-authorized it's loaded into protected storage, and when it tries to store into itself it gets the S0C4.
--
Walt
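
The rule described in the reply above, written out as a check (an added example, not part of the original thread): a STEPLIB concatenation counts as authorized only if every library in it is in the APF list, and LNKAUTH=LNKLST does not cover a link-list library that is named in STEPLIB. The JCL is constructed from the poster's data set names; PGM=MYPGM, the SYSPRINT DD and the function names are assumptions of this example, which ignores volume serials and the AC=1 attribute.

```python
import re

# Constructed JCL: the STEPLIB from the question, then the shortened variant.
# PGM=MYPGM and the SYSPRINT DD are placeholders, not from the thread.
JCL_ALL_THREE = """\
//STEP1    EXEC PGM=MYPGM
//STEPLIB  DD DISP=SHR,DSN=HLQ.LNKLST.LIB1
//         DD DISP=SHR,DSN=HLQ.LNKLST.LIB2
//         DD DISP=SHR,DSN=HLQ.NONLNK.LIB3
//SYSPRINT DD SYSOUT=*
"""
JCL_LIB3_ONLY = """\
//STEP1    EXEC PGM=MYPGM
//STEPLIB  DD DISP=SHR,DSN=HLQ.NONLNK.LIB3
//SYSPRINT DD SYSOUT=*
"""

# System state as the original poster describes it (volumes ignored).
APF_LIST = {"HLQ.NONLNK.LIB3"}
LNKLST = {"HLQ.LNKLST.LIB1", "HLQ.LNKLST.LIB2"}

DD_RE = re.compile(r"^//(\S*)\s+DD\s+(.*)$")
DSN_RE = re.compile(r"\bDS(?:N|NAME)=([A-Z0-9$#@.\-]+)")


def steplib_datasets(jcl):
    """Return the data set names in the STEPLIB concatenation, in order."""
    names, in_steplib = [], False
    for line in jcl.splitlines():
        if line.startswith("//*"):          # comment statement
            continue
        m = DD_RE.match(line[:71])          # columns 72-80 are not operands
        if not m:                           # EXEC, JOB, ... ends the DD
            in_steplib = False
            continue
        ddname, operands = m.groups()
        if ddname:                          # a named DD starts a new DD
            in_steplib = ddname == "STEPLIB"
        dsn = DSN_RE.search(operands)
        if in_steplib and dsn:
            names.append(dsn.group(1))
    return names


def library_authorized(dsn, access, lnkauth="LNKLST"):
    """access is "LNKLST" (reached via the link list) or "STEPLIB"."""
    if dsn in APF_LIST:
        return True
    # LNKAUTH=LNKLST covers link-list libraries only when they are
    # reached through the link list, not when named in STEPLIB.
    return access == "LNKLST" and lnkauth == "LNKLST" and dsn in LNKLST


def steplib_authorized(jcl, lnkauth="LNKLST"):
    """Return (authorized, offending libraries) for the STEPLIB."""
    libs = steplib_datasets(jcl)
    bad = [d for d in libs if not library_authorized(d, "STEPLIB", lnkauth)]
    return (bool(libs) and not bad), bad
```

Running `steplib_authorized` over production JCL with the real APF list substituted shows which STEPLIB entries prevent a step from running authorized, and which steps would start running authorized if those entries were removed.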

----------------------------------------------------------------------
Jantje.
2018-07-06 11:00:56 UTC
Post by R.S.
> The job works when all 3 libraries are in steplib concatenation. When I
> remove LIB1 and LIB2 it doesn't work.
Maybe there is a same-name-different-content module in one of the other libs in linklist before lib1 and 2?


Jantje.

----------------------------------------------------------------------
R.S.
2018-07-06 14:01:39 UTC
Human mistake, please disregard.
--
Radoslaw Skorupka
Lodz, Poland




----------------------------------------------------------------------
Paul Gilmartin
2018-07-06 16:21:22 UTC
Post by Charles Mills
> Let me put on my security preacher hat for a moment.
> Yes, what Eileen says is a fact: there is no z/OS "enforcement" of RENT unless the program is from an APF library. You can easily get surprised by "where did that S0C4 come from?"
There's also REFRPROT nowadays. But that should have never been needed as an
option; it should have been the universal behavior ab ovo. How much extra would
it have cost to load user programs as well as system programs into write-protected
storage?
Post by Charles Mills
> But that is not the big issue.
> If you are getting "surprised" by "oh gosh, look at that, it's getting loaded from an APF library" then you do not have proper controls over what is probably THE most critical aspect of mainframe integrity, ...
-- gil

----------------------------------------------------------------------