Renato Zangerolami
New User
Joined: 06 Dec 2019 Posts: 28 Location: Brazil
I would like to know if it is possible to copy a dataset that I do not have permission to read.
If it is possible to copy it, can I export it via FTP and try to open it?
sergeyken
Senior Member
Joined: 29 Apr 2008 Posts: 2119 Location: USA
It is possible only if you were able to break your installation's security system.
Joerg.Findeisen
Senior Member
Joined: 15 Aug 2015 Posts: 1306 Location: Bamberg, Germany
Depending on your knowledge, you can try certain things your security guys haven't taken care of. Be aware that unauthorized attempts to copy/process data can lead to new job opportunities in good or bad ways.
Renato Zangerolami
New User
Joined: 06 Dec 2019 Posts: 28 Location: Brazil
Do you know of any case in which it was possible to copy a file without proper authorization?
I imagine if I had a situation where I could route the group or user ...
Joerg.Findeisen
Senior Member
Joined: 15 Aug 2015 Posts: 1306 Location: Bamberg, Germany
Magicians never tell their secrets, whether it would be or has been possible in any way.
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10879 Location: italy
Quote:
Do you know of any case in which it was possible to copy a file without proper authorization?
NO.
Time to lock the topic.
Rohit Umarjikar
Global Moderator
Joined: 21 Sep 2010 Posts: 3075 Location: NYC,USA
Why steal data? Security is installed to avoid such incidents, isn't it?
So the answer to all your questions is NO.
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2585 Location: Silicon Valley
Quote:
I imagine if I had a situation where I could route the group or user ..
I am not sure what that means.
Perhaps you meant to send a message to the user. You can use the SEND command. There is no way to send a message to a group. You would have to have authority to list the group members, and it is likely that you do not have that kind of authority (try the LISTGRP command).
Renato Zangerolami
New User
Joined: 06 Dec 2019 Posts: 28 Location: Brazil
I believe that you rushed with your placement, Rohit.
I saw on some sites saying that it was possible to copy a dataset without authorization in your RACF and then export it via FTP. I found it a little simple, and at least strange, to be able to do that.
What I tried was to copy a dataset of no use from a co-worker (with his conscience) for testing purposes, to see if it was possible; that's when I put this topic on the forum.
Many of you must know Phil Young; I saw something interesting about some security flaws related to the mainframe.
enrico-sorichetti
Superior Member
Joined: 14 Mar 2007 Posts: 10879 Location: italy
Quote:
I saw something interesting about some security flaws related to the mainframe.
Certainly not related to dataset access.
Quote:
I believe that you rushed with your placement, Rohit.
None at all...
If a secured environment is in place, trying to circumvent it is EVERYWHERE cause for lawful termination.
Quote:
I saw on some sites saying that it was possible to copy a dataset without authorization in your RACF and then export it via FTP.
So go ahead with those suggestions
and STOP the discussion.
Renato Zangerolami
New User
Joined: 06 Dec 2019 Posts: 28 Location: Brazil
Thanks for the answer, Enrico.
I will continue to research on my own.
sergeyken
Senior Member
Joined: 29 Apr 2008 Posts: 2119 Location: USA
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2585 Location: Silicon Valley
Renato, it is not possible for you to copy a data set for which you are not authorized. z/OS is very secure in that regard.
However, the security relies on proper implementation. If the security is not properly implemented, that is when some random person can copy your stuff.
Pedro
Global Moderator
Joined: 01 Sep 2006 Posts: 2585 Location: Silicon Valley
Quote:
I saw on some sites saying that it was possible to copy a dataset without authorization in your RACF
Maybe it is the terminology that is confusing...
The owner of the data set can create a RACF profile for the data set which allows anyone to read it. In that case, you do not need your RACF userid to be specifically authorized to the data set.
A variation is that the owner of the data set can create a RACF profile for the data set which allows a specific RACF group to have read access. If your RACF userid is a member of that RACF group, you do not need your RACF userid to be specifically authorized to the data set.
steve-myers
Active Member
Joined: 30 Nov 2013 Posts: 917 Location: The Universe
Renato Zangerolami wrote:
I saw on some sites saying that it was possible to copy a dataset without authorization
Access rules, unfortunately, can be quite complex. It is possible to access a data set without your access right being explicitly stated.
- The first issue is matching a data set name to an access profile. Most data set access profiles are "generic" profiles and often have wild cards in the access profile name. For example, many (probably most) shops have a SYS1.** generic profile. Access to your data sets is often controlled by a userid.** generic profile. These profiles can have rather complex names, and matching the profile to a data set name can be complex. Many times when a user has access to a resource that he really should not access, it's because the profile used by RACF is not the profile expected by the administrator.
A few data set profiles are called "discrete" profiles. These profiles apply to one and only one data set. RACF administrators avoid discrete profiles because they do not disappear if the data set they control disappears. Getting rid of a dead discrete profile requires special handling by the RACF administrator.
- After RACF determines the profile to use, it examines the access permissions in the profile. Access can be specified by a group or an explicit user. In RACF all users are in one group or another. In theory these groups should have something to do with the organization, though in practice this is seldom true. Finally, if your access is not defined in this way, RACF examines the "universal access" (UACC) for the profile. The UACC for the SYS1.** profile is often READ. The UACC for your userid.** profile may be NONE.
There are some privileged users. For example, the users that manage the data sets generally have the OPERATIONS attribute assigned to their userids, which permits them to do just about anything to anyone's data sets. Security auditors check to see that OPERATIONS is assigned only to users that require this permission for their job assignment.
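An added, simplified model of the profile matching and access-check order steve-myers describes (example code, not from the forum or from RACF itself): it assumes enhanced generic naming, approximates RACF's choice of the most specific profile, and uses constructed sample profiles to show how an unexpected profile (PROD.** instead of PROD.PAYROLL.**) ends up deciding access.

```python
import fnmatch

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def profile_matches(profile, dsn):
    # '**' = zero or more qualifiers; within a qualifier '*' = any chars,
    # '%' = one char (enhanced generic naming assumed, simplified).
    def rec(p, d):
        if not p:
            return not d
        if p[0] == "**":
            return any(rec(p[1:], d[i:]) for i in range(len(d) + 1))
        return (bool(d) and fnmatch.fnmatchcase(d[0], p[0].replace("%", "?"))
                and rec(p[1:], d[1:]))
    return rec(profile.split("."), dsn.split("."))

def best_profile(profiles, dsn):
    # Discrete beats generic; among generics prefer the most specific name
    # (fewest wildcards, longest). Approximates RACF's profile ordering.
    hits = [p for p in profiles if profile_matches(p["name"], dsn)]
    return min(hits, key=lambda p: (not p["discrete"],
               p["name"].count("*") + p["name"].count("%"),
               -len(p["name"]))) if hits else None

def check_access(profiles, dsn, user, groups, wanted, operations=False):
    # Order from the post: explicit user entry, then group entries, then UACC.
    # OPERATIONS is simplified to "ALTER when no access-list entry applies".
    prof = best_profile(profiles, dsn)
    if prof is None:
        return False, "no profile covers %s" % dsn
    acl = prof["access"]
    if user in acl:
        level, via = acl[user], "user entry"
    elif any(g in acl for g in groups):
        level = max((acl[g] for g in groups if g in acl), key=LEVELS.index)
        via = "group entry"
    elif operations:
        level, via = "ALTER", "OPERATIONS attribute"
    else:
        level, via = prof["uacc"], "UACC"
    ok = LEVELS.index(level) >= LEVELS.index(wanted)
    return ok, "profile %s gives %s via %s" % (prof["name"], level, via)

# Constructed sample database: PROD.PAYROLL.** (UACC NONE) is meant to guard
# payroll data, but a broad PROD.** (UACC READ) also exists underneath it.
PROFILES = [
    {"name": "PROD.PAYROLL.**", "discrete": False, "uacc": "NONE", "access": {"PAYGRP": "READ"}},
    {"name": "PROD.**", "discrete": False, "uacc": "READ", "access": {}},
    {"name": "PROD.PAYROLL.MASTER", "discrete": True, "uacc": "NONE", "access": {"PAYADM": "UPDATE"}},
]
```

A data set named PROD.PAYROLL2.DATA is not covered by PROD.PAYROLL.** and falls to PROD.** with UACC READ, which is exactly the "profile the administrator did not expect" case; an audit would compare the profile RACF actually picks against the one intended.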
Renato Zangerolami
New User
Joined: 06 Dec 2019 Posts: 28 Location: Brazil