IBM Mainframe Forum Index
 
Log In
 
IBM Mainframe Forum Index Mainframe: Search IBM Mainframe Forum: FAQ Register
 

Copy a dataset without authorization


IBM Mainframe Forums -> TSO/ISPF
Post new topic   Reply to topic
View previous topic :: View next topic  
Author Message
Renato Zangerolami

New User


Joined: 06 Dec 2019
Posts: 28
Location: Brazil

PostPosted: Tue Feb 11, 2020 6:15 pm
Reply with quote

I would like to know if it is possible to copy a dataset that I do not have permission to read.
If it is possible to copy it, can I export it via ftp and try to open it?
Back to top
View user's profile Send private message
sergeyken

Senior Member


Joined: 29 Apr 2008
Posts: 2011
Location: USA

PostPosted: Tue Feb 11, 2020 6:40 pm
Reply with quote

It is possible only if you would be able to break your installation's security system.
Back to top
View user's profile Send private message
Joerg.Findeisen

Senior Member


Joined: 15 Aug 2015
Posts: 1231
Location: Bamberg, Germany

PostPosted: Tue Feb 11, 2020 10:39 pm
Reply with quote

Depending on your knowledge, you can try certain things your Security guys haven't taken care of. Be aware that unauthorized attempts to copy/process data can lead to new job opportunities in good or bad ways.
Back to top
View user's profile Send private message
Renato Zangerolami

New User


Joined: 06 Dec 2019
Posts: 28
Location: Brazil

PostPosted: Tue Feb 11, 2020 10:46 pm
Reply with quote

do you know any case in which it was possible to copy a file without proper authorization?
I imagine if I had a situation where I could route the group or user ...
Back to top
View user's profile Send private message
Joerg.Findeisen

Senior Member


Joined: 15 Aug 2015
Posts: 1231
Location: Bamberg, Germany

PostPosted: Tue Feb 11, 2020 11:03 pm
Reply with quote

Magicans never tell it's secrets if it would or have been possible in any way.
Back to top
View user's profile Send private message
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10872
Location: italy

PostPosted: Tue Feb 11, 2020 11:03 pm
Reply with quote

Quote:
do you know any case in which it was possible to copy a file without proper authorization?


NO

time to lock the topic
Back to top
View user's profile Send private message
Rohit Umarjikar

Global Moderator


Joined: 21 Sep 2010
Posts: 3048
Location: NYC,USA

PostPosted: Wed Feb 12, 2020 7:46 am
Reply with quote

Why steal data ? Security is installed To avoid such incidents, isn’t it ?

So answer to all your questions is NO.
Back to top
View user's profile Send private message
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2546
Location: Silicon Valley

PostPosted: Wed Feb 12, 2020 9:09 am
Reply with quote

Quote:
I imagine if I had a situation where I could route the group or user ..


I am not sure what that means.

Perhaps you meant to send a message to the user. You can use the SEND command. There is not a way to send a message to a group. You would have to have authority to list the group members and it is likely that you do not have that kind of authority (try LISTGRP command).
Back to top
View user's profile Send private message
Renato Zangerolami

New User


Joined: 06 Dec 2019
Posts: 28
Location: Brazil

PostPosted: Wed Feb 12, 2020 6:13 pm
Reply with quote

I believe that you rushed with your Rohit placement.
I saw on some sites saying that it was possible to copy an dataset without authorization to your racf and then export it via ftp. I found it a little simple and at least strange to be able to do that.
What I tried was to copy a dataset of no use to a co-worker (with his conscience) for testing purposes to see if it was possible, that's when I put this topic on the forum.
Many of you must know Phil Young, I saw something interesting about some security flaws related to Mainframe.
Back to top
View user's profile Send private message
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10872
Location: italy

PostPosted: Wed Feb 12, 2020 10:36 pm
Reply with quote

Quote:
I saw something interesting about some security flaws related to Mainframe.

certainly not related to dataset access

Quote:
I believe that you rushed with your Rohit placement.

none at all...
if a secured environment is in place, trying to circumvent it is EVERYWHERE cause for lawful terminator

Quote:
I saw on some sites saying that it was possible to copy an dataset without authorization to your racf and then export it via ftp.

so go ahead with those suggestion

and STOP the discussion
Back to top
View user's profile Send private message
Renato Zangerolami

New User


Joined: 06 Dec 2019
Posts: 28
Location: Brazil

PostPosted: Wed Feb 12, 2020 10:57 pm
Reply with quote

Thanks for the answer Enrico.
I will continue to research on my own.
Back to top
View user's profile Send private message
sergeyken

Senior Member


Joined: 29 Apr 2008
Posts: 2011
Location: USA

PostPosted: Thu Feb 13, 2020 12:02 am
Reply with quote

Back to top
View user's profile Send private message
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2546
Location: Silicon Valley

PostPosted: Thu Feb 13, 2020 4:21 am
Reply with quote

Renato, it is not possible for you to copy a data set for which you are not authorized. z/OS is very secure in that regard.

However, the security relies on proper implementation. If the security is not properly implemented, that is when some random person can copy your stuff.
Back to top
View user's profile Send private message
Pedro

Global Moderator


Joined: 01 Sep 2006
Posts: 2546
Location: Silicon Valley

PostPosted: Thu Feb 13, 2020 4:30 am
Reply with quote

Quote:
I saw on some sites saying that it was possible to copy an dataset without authorization to your racf


Maybe it is the terminology that is confusing...

The owner of the data set can create a RACF profile for the data set which allows anyone to read it. In that case, you do not need your RACF userid to be specifically authorized to the data set.

A variation is that the owner of the data set can create a RACF profile for the data set which allows a specific RACF group to have read access. If your RACF userid is a member of that RACF group, you do not need your RACF userid to be specifically authorized to the data set.
Back to top
View user's profile Send private message
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 917
Location: The Universe

PostPosted: Thu Feb 13, 2020 11:59 am
Reply with quote

Renato Zangerolami wrote:
I saw on some sites saying that it was possible to copy an dataset without authorization

Access rules, unfortunately, can be quite complex. It is possible to access a data set without your access right explicitly stated.
  • The first issue is matching a data set name to an access profile. Most data set access profiles are "generic" profiles and often have wild cards in the access profile name. For example, many - probably most - shops have a SYS1.** generic profile. Access to your data sets is often controlled by a userid.** generic profile. These profiles can have rather complex names, and matching the profile to a data set name can be complex. Many times when a user has access to a resource that he really should not access it's because the profile used by RACF is not the profile expected by the administrator.

    A few data set profiles are called "discrete" profiles. These profiles apply to one and only one data set. RACF administrators avoid discrete profiles because they do not disappear if the data set they control disappears. Getting rid of a dead discrete profile requires special handling by the RACF administrator.
  • After RACF determines the profile to use it examines the access permissions in the profile. Access can be specified by a group or an explicit user. In RACF all users are in one group or another. In theory these groups should have something to do with the organization, though, in practice, this is seldom true. Finally, if your access is not defined in this way, RACF examines the "universal access" (UACC) for the profile. The UACC for the SYS1.** profile is often READ. The UACC for your userid.** profile may be NONE.
There are some privileged users. For example, the users that manage the data sets generally have the OPERATIONS attribute assigned to their userids, which permit them to do just about anything to anyone's data sets. Security auditors check to see that OPERATIONS is assigned only to users that require this permission for their job assignment.
Back to top
View user's profile Send private message
Renato Zangerolami

New User


Joined: 06 Dec 2019
Posts: 28
Location: Brazil

PostPosted: Thu Feb 13, 2020 6:08 pm
Reply with quote

Thanks for clarifying my doubts Pedro and Steve.
exactly what happens in the environment where I work. There are times when it is only possible to view but not edit the file, it is also possible to copy the file for its user and then edit, in other cases it is not possible or even to view ...
Now it became clearer to me.
I found this very interesting material about RACF.
Perhaps many of you know him, but for those who do not know I will put here:

index-of.co.uk/Hacking-Coleccion/Mainframe%20Basics%20for%20Security%20Professionals%20-%20Getting%20Started%20with%20RACF.pdf

Thank you.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic View Bookmarks
All times are GMT + 6 Hours
Forum Index -> TSO/ISPF

 


Similar Topics
Topic Forum Replies
No new posts FINDREP - Only first record from give... DFSORT/ICETOOL 3
No new posts Map Vols and Problem Dataset All Other Mainframe Topics 2
No new posts VB to VB copy - Full length reached SYNCSORT 8
No new posts Allocated cylinders of a dataset DB2 12
No new posts Sort First/last record of a subset th... DFSORT/ICETOOL 7
Search our Forums:

Back to Top