z/OS UNIX System Services Planning


Defining UNIX files as APF-authorized programs

GA32-0884-00

The authorized program facility (APF) allows your installation to identify system or user programs that can use sensitive system functions. To be APF-authorized, programs must reside in APF-authorized libraries and be link-edited with authorization code AC=1. In addition, the program must either be the initial program (that is, the job step task program) or be invoked by a caller that is running APF-authorized.

Rule: If the specified program is going to be invoked as a job step program, you must link-edit it with AC=1. For example:
c89 -Wl,AC=1
To avoid possible integrity problems, do not set AC=1 if the program will be run in an APF-authorized environment but not as the job step program (such as a DLL).

The APF rules for programs that reside in the z/OS® UNIX file system are similar to those for programs that reside in authorized libraries. Setting the APF-authorized extended attribute bit should be thought of as putting that program into an authorized library. If you try to run a program from an authorized library that is not linked AC=1, it will not run APF-authorized. However, that same program could be fetched by another program that is running APF-authorized and executed in the authorization state in which it is called, or even have its state changed.

Tip: To find out whether the APF-authorized extended attribute of the UNIX file was set, use the ls -E command.
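
The following is an added example, not part of the IBM text: a shell function that reads ls -E output and reports every regular file whose APF-authorized extended attribute is set, marking those that are also group- or world-writable. It assumes the ls -E column layout of mode, a four-character extended-attribute field whose first character is "a" when the APF bit is on, links, owner, group, size, three date fields, and name; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit `ls -E` output for the APF extended attribute.
# Assumed columns: mode extattrs links owner group size month day time name
# extattrs is four characters; position 1 is "a" when the APF bit is set.

apf_audit() {
    awk '
    # Skip the "total N" line, directories, and any short or malformed line.
    $1 !~ /^-/ || NF < 10 { next }
    substr($2, 1, 1) == "a" {
        # Rebuild the file name from field 10 onward (it may contain spaces).
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        # Mode characters 6 and 9 are the group-write and other-write bits.
        gw = substr($1, 6, 1)
        ow = substr($1, 9, 1)
        if (gw == "w" || ow == "w")
            print "APF-WRITABLE " name
        else
            print "APF " name
    }'
}

# Constructed sample listing so the function can be exercised off-platform.
sample_listing() {
cat <<'EOF'
total 48
-rwxr-xr-x  a-s-  1 SYSPROG  SYS1   81920 Oct 02 16:57 authtool
-rwxrwxrwx  a-s-  1 USER1    TEST     654 Oct 02 16:57 temp
-rwxr-xr-x  -ps-  1 USER1    TEST     101 Oct 02 16:57 daemon
-rwxr-xr-x  --s-  1 USER1    TEST    2048 Oct 02 16:57 plain
drwxr-xr-x        2 USER1    TEST    8192 Oct 02 16:57 subdir
EOF
}

sample_listing | apf_audit
```

On a z/OS UNIX system, pipe real output into the function instead, for example ls -E on a directory of installed programs. The attribute alone does not show whether a program was link-edited with AC=1, so a flagged file still needs that check before you conclude how it will run.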





Copyright IBM Corporation 1990, 2014