IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Future consideration
Workspace z/OS
Categories DFSMS DSS
Created by Guest
Created on Jul 28, 2017

RELATED IDEAS

Unconditionally allow renames of datasets within DFDSS dump dataset

If I do a DFDSS (ADRDSSU) backup of a dataset such as SED.JCL, and then take that backup to another site that doesn't have the HLQ of "SED", but the user (SCOTT) does have access to a HLQ of "SCOTT" and he then attempts a restore, like this:

RESTORE DATASET( -
...
RENAMEU((SED.**,SCOTT.**))

he gets the following errors:

22.50.37 JOB06585 ACF99913 ACF2 VIOLATION-00,09,AIMI080,SEASIK,SED.JCL,N/A

ADR402E (002)-AUTH (16), AUTHORIZATION CHECK FAILED FOR DATA SET SED.JCL, ON VOLUME SEASIK, 4

DFDSS has gone out of its way to check that the user has access to "SED", even though the user is neither reading nor writing any dataset with an HLQ of SED. Instead, he is reading a DFDSS dump called SCOTT.DFDSS which he ftped from the internet, and is then attempting to write to another dataset called SCOTT.JCL, both of which he has access to.

If the user uses the "ADMINISTRATOR" keyword, then the check for the "SED" HLQ is omitted. The trouble is that SCOTT may not have access to that keyword, and nor should he need access to that keyword.

If this RACF check against "SED" is meant to provide security, then it is unfortunately a case of false security. Because so long as he has RACF access to the DFDSS dataset (regardless of whether the dataset was obtained from the internet, or is a local backup), then he does in fact have read access to all the datasets on that backup. An unprivileged DFDSS clone could be written to retrieve the files with no security check. Or, even more practical, is a small, unprivileged program like this:

http://pdos.cvs.sourceforge.net/viewvc/pdos/pdos/pdpclib/dssrenam.c?view=markup

(also attached to this request)

which can rename all the "SED" references to "SCOTT", or rename "SECRET" to "SCOTT", or rename "PROD" to "SCOTT". It does this by direct manipulation of the DFDSS dump dataset, which SCOTT has access to, so that there are no "SED" references anymore, and all "security" has been bypassed. A normal (non-admin) DFDSS restore (exactly the same as above) will no longer get security violations, because "SED" is no longer visible, only "SCOTT" is visible.

I think giving people a false sense of security is dangerous. As such, I think that RACF check should be omitted, at least by default. If the sysprog wishes to change a default FALSE_SECURITY=NO to FALSE_SECURITY=YES, to do that additional RACF check in non-administrator mode, I guess that can be allowed, but I really don't think that option should be there at all, as it means that my "dssrenam" program will still be required (for eternity), to bypass that false security. I would rather retire the "dssrenam" utility.

Idea priority Low
  • Guest
    Reply
    |     May 3, 2022

    This option has been available for many years via the NEWNAMEU keyword which changes the datasets on the DUMP to the new desired names. Unfortunately it is not like running a standard DFDSS DUMP, NEWNAMEUNCONDITIONAL can only be used when invoking DFSMSdss through the application programming interface (API).

  • Guest
    Reply
    |     Aug 5, 2017

    Hi Robert. Thanks for that suggestion. I just looked up the DFDSS manual, and "IMPORT" is also RACF protected: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.adru000/dgt3u2164.htm "To specify IMPORT, you must have the proper RACF® facility class authorization.". So this is another case of false security. If a user does not have access to the "IMPORT" keyword, then he instead needs an unauthorized program like the one I wrote to change the dataset names to something he has access to. Or did I misread the manual?

  • Guest
    Reply
    |     Aug 5, 2017

    Hi, Have you considered using the IMPORT keyword on the RESTORE command? IMPORT tells DFSMSdss to treat the data set being restored as a new data set being introduced to the system. This causes DFSMSdss to skip that check on 'SED' in this case. Please let me know if you have tried this and whether or not it would address your request. Thank you, Robert Gensler

  • Guest
    Reply
    |     Jul 28, 2017

    Attachment (Description): Utility to bypass DFDSS security

    dssrenam.c
    dssrenam.c
     dssrenam.c
    Open full size
    dssrenam.c

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.