newroad
New User
Joined: 30 Oct 2015 Posts: 8 Location: India
I wish to test a vulnerability & need to know if I can run a job with a basic RACF command as a started task if I place this job in say SYS1.PROCLIB & then start the job as a started task. And if I can do this, will the RACF command execute if the started task ID assigned to the task has the required RACF authority?
Apparently I plan to perform this in a test environment.
Willy Jensen
Active Member
Joined: 01 Sep 2015 Posts: 740 Location: Denmark
Sure.
Willy Jensen
Active Member
Joined: 01 Sep 2015 Posts: 740 Location: Denmark
To clarify: Yes you can have a job in a proclib and start it, it then becomes what is known as a started job. Some job statement parameters are ignored, like jobclass. But it allows things like JCLLIB statements. Obviously you cannot use it as a normal procedure with EXEC name.
And you must define it to the STARTED class in RACF.
Perhaps another approach can be used. Create a proc JOB like this:
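Code:
//JOB PROC DS=your.joblib,M=
//* Copies member &M of library &DS to the internal reader
//JOB EXEC PGM=IEBGENER
//SYSPRINT DD DUMMY
//SYSIN DD DUMMY
//SYSUT1 DD DISP=SHR,DSN=&DS(&M)
//* SYSOUT=(,INTRDR) submits the copied JCL as a job
//SYSUT2 DD SYSOUT=(,INTRDR)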
Then you do a S JOB,M= the membername where you have your job. That way you only have to define the JOB started task to RACF, not whatever job you want to run that way. This of course assumes that user inheritance is active.
You might want to hardcode the joblib name for security reasons, otherwise anyone who can do a START command can run a possible authorized job from their own library.
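Willy Jensen's caution about the overridable DS= parameter can be checked mechanically when reviewing PROCLIB members. The following audit sketch is an added example, not code from the thread; the function names and the HARDCODED.JOBLIB data set name are assumptions made for illustration.

```python
import re

# Constructed input: the generic submitter proc exactly as posted above.
POSTED = """\
//JOB PROC DS=your.joblib,M=
//JOB EXEC PGM=IEBGENER
//SYSPRINT DD DUMMY
//SYSIN DD DUMMY
//SYSUT1 DD DISP=SHR,DSN=&DS(&M)
//SYSUT2 DD SYSOUT=(,INTRDR)
"""
# Constructed input: same proc with the library hardcoded (placeholder name).
HARDCODED = POSTED.replace("PROC DS=your.joblib,M=", "PROC M=").replace(
    "DSN=&DS(&M)", "DSN=HARDCODED.JOBLIB(&M)")

STMT = re.compile(r"^//(\S*)\s+(PROC|EXEC|DD)\b\s*(\S*)")
INTRDR = re.compile(r"SYSOUT=\([^)]*\bINTRDR\b")
DSN = re.compile(r"\bDSN(?:AME)?=([^,\s]+)")
SYMREF = re.compile(r"&([A-Z0-9@#$]+)")

def audit_proc(text):
    """Return (ddname, symbol, 'library'|'member') for each PROC symbolic
    that feeds a data set name in a proc writing to the internal reader.
    Simplified: ignores continuation lines and quoted operand values."""
    symbols, dds = set(), []
    for line in text.splitlines():
        m = None if line.startswith("//*") else STMT.match(line)
        if not m:
            continue
        name, op, operands = m.groups()
        if op == "PROC":  # operands are NAME=default pairs, overridable on START
            symbols = {kv.split("=")[0] for kv in operands.split(",") if "=" in kv}
        elif op == "DD":
            dds.append((name, operands))
    if not any(INTRDR.search(ops) for _, ops in dds):
        return []  # nothing is submitted, so not a submitter proc
    findings = []
    for name, ops in dds:
        m = DSN.search(ops)
        if not m:
            continue
        library, _, member = m.group(1).partition("(")
        for part, where in ((library, "library"), (member, "member")):
            findings += [(name, s, where) for s in SYMREF.findall(part) if s in symbols]
    return findings

def library_overridable(text):
    """True when the START command can point the proc at an arbitrary library."""
    return any(where == "library" for _, _, where in audit_proc(text))
```

A "library" finding means the data set that supplies the submitted JCL is chosen by whoever issues the START command; a "member" finding alone means only the member within a fixed library is selectable.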
newroad
New User
Joined: 30 Oct 2015 Posts: 8 Location: India
Hi Willy,
Thank you for your response.
I figured that I can do the test with a PROC too. I tried to start the PROC as started task instead of a JOB. I created a member named T12345T in SYS4.PROCLIB as below:
//T12345T PROC
//T12345T EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
ALU AB12345 NAME('TEST')
//
Am I doing something wrong here?
And it's throwing a JCL error when I try to do /S T12345T, which is possibly because of something which is not allowed in a PROC as you said (use of EXEC), or something else.
I'm not sure how the alternate approach you suggested (for JOB) will work.
I don't understand what is DS=your.joblib & what is M=.
If I specify my personal joblib & member outside of the PROCLIBs, how will it start the started task? As far as I know I can only start a PROC as a started task if it is inside one of the designated PROCLIBs?
newroad
New User
Joined: 30 Oct 2015 Posts: 8 Location: India
Please ignore the above message. I was able to run the started task.
On to my test now.
Thanks for your help.