Defining UNIX files as APF-authorized programs
z/OS UNIX System Services Planning GA32-0884-00

The authorized program facility (APF) allows your installation to identify system or user programs that can use sensitive system functions. To be APF-authorized, programs must reside in APF-authorized libraries and be link-edited with authorization code AC=1. The program must also be the initial program (that is, it must be the job step task program), or it must have been invoked by a caller that is running APF-authorized.

Rule: If the specified program is going to be invoked as a job step program, you must link-edit it with AC=1. For example:

To avoid possible integrity problems, do not set AC=1 if the program will be run in an APF-authorized environment but not as the job step program (such as a DLL).

The APF rules for programs that reside in the z/OS® UNIX file system are similar to those for programs that reside in authorized libraries. Setting the APF-authorized extended attribute bit should be thought of as putting that program into an authorized library. If you try to run a program that is not linked AC=1 from an authorized library, it will not run APF-authorized, but that same program could be fetched by another that is running APF-authorized and executed in the authorization state in which it is called, or even have its state changed.

Tip: To find out whether the APF-authorized extended attribute of the UNIX file was set, use the ls -E command.
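
The ls -E check from the tip above, turned into a small audit filter. This is an added example, not IBM's code: it lists the files whose APF-authorized bit is set and, going one step beyond the tip, marks any that group or other can write to. It assumes ls -E prints the extended attributes as a four-flag second column with "a" for APF-authorized; the listing is constructed sample data.

```shell
#!/bin/sh
# Added example: inventory APF-authorized files from `ls -E` output.
# Assumption: the extended attributes are the second column, four flags
# such as "a-s-", where "a" marks the APF-authorized bit.

# Constructed sample listing (names, owners and sizes are made up).
sample_listing() {
    cat <<'EOF'
total 11
-rwxr-xr-x  -ps-  1 OMVSADM  SYS1   101 Oct 02 16:30 report
-rwxr-xr-x  a-s-  1 OMVSADM  SYS1   654 Oct 02 16:30 backup
-rwxrwxrwx  a---  1 OMVSADM  SYS1    40 Oct 02 16:30 temp tool
drwxr-xr-x  ----  2 OMVSADM  SYS1  8192 Oct 02 16:30 adir
EOF
}

# Reads `ls -E` output on stdin. For every regular file with the APF bit
# set, prints "<status> <mode> <name>"; status is WRITABLE when group or
# other has write permission, otherwise OK.
apf_files() {
    awk '
        $1 !~ /^-/ { next }                         # regular files only
        $2 !~ /^[a-z-][a-z-][a-z-][a-z-]$/ { next } # not an attribute column
        index($2, "a") == 0 { next }                # APF bit not set
        {
            group_w = substr($1, 6, 1)
            other_w = substr($1, 9, 1)
            status = (group_w == "w" || other_w == "w") ? "WRITABLE" : "OK"
            name = $10                              # rejoin names with spaces
            for (i = 11; i <= NF; i++) name = name " " $i
            printf "%s %s %s\n", status, $1, name
        }
    '
}

sample_listing | apf_files
```

To audit a real directory, pipe its ls -E listing into apf_files in place of the sample.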
Copyright IBM Corporation 1990, 2014