Programs stored in the HFS are unauthorized by default. Contents supervision rejects
attempts to load an unauthorized executable file from a program which is running with
APF authorization.
Programs can be APF authorized by:
- using the APF extended attribute to mark individual executable files as authorized.
The BPX.FILEATTR.APF facility is used to control who can set this attribute. The extattr
command can be used to set extended attributes.
- link-editing the program into an APF-authorized library and turning on the "sticky" bit
on the executable in the HFS.
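The following audit sketch is an added example, not part of the original documentation: it scans a file listing for the two markers described above (the APF extended attribute and the sticky bit) and flags any marked file that is not on an approved baseline. The listing layout (modelled on `ls -E` output), the sample lines, the APPROVED list and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical baseline: paths approved to carry an authorization marker.
# Space-separated, so paths containing blanks are not handled here.
APPROVED="/usr/lpp/tool/authpgm /usr/sbin/stickypgm"

# Constructed sample, laid out like `ls -E` output (assumed columns):
# mode, extended attributes (a = APF, p, s, l), links, owner, group,
# size, month, day, time, path.
sample_listing() {
cat <<'EOF'
total 4
-rwxr-xr-x  a-s-  1 SYSADM  SYS1   40960 Mar 03 10:12 /usr/lpp/tool/authpgm
-rwxr-xr-x  --s-  1 USER1   DEV     8192 Mar 03 10:15 /u/user1/hello
-rwxr-xr-t  --s-  1 SYSADM  SYS1       0 Mar 04 09:01 /usr/sbin/stickypgm
-rwxrwxrwx  a-s-  1 USER2   DEV    12288 Mar 05 14:30 /u/user2/util
EOF
}

# Reads a listing on stdin; prints "<status> <marker> <owner> <path>" for
# every regular file with the APF attribute and/or the sticky bit.
audit_listing() {
    awk -v approved="$APPROVED" '
    BEGIN {
        n = split(approved, list, " ")
        for (i = 1; i <= n; i++) ok[list[i]] = 1
    }
    # Skip the "total" header and anything that is not a regular file.
    $1 !~ /^-/ || NF < 10 { next }
    {
        marker = ""
        if (substr($2, 1, 1) == "a") marker = "APF"
        if ($1 ~ /[tT]$/) marker = (marker == "" ? "STICKY" : marker "+STICKY")
        if (marker == "") next
        status = ($10 in ok) ? "OK" : "REVIEW"
        print status, marker, $4, $10
    }'
}

sample_listing | audit_listing
```

Lines reported as REVIEW are marked files outside the baseline; the owner column helps compare them against the users permitted to BPX.FILEATTR.APF.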
To run APF authorized, a program must:
- have been linked with AC=1.
- be marked as APF authorized as described above.
- be running as the job step task. For batch jobs, this is normally the program loaded by
EXEC PGM=. For processes, the exec callable service does this.
_BPX_SHAREAS=YES will be ignored if an authorized program is being executed from an
APF-authorized programs can invoke SAF services to change identity. However, OS/390 Unix
provides some interfaces to certain RACROUTE functions which are not otherwise available
without APF authorization.
For more information, see