APF Authorization
Programs stored in the HFS are unauthorized by default. Programs can be APF authorized by:
- using the APF extended attribute to mark individual executable files as authorized.
The BPX.FILEATTR.APF facility is used to control who can set this attribute. The extattr
command can be used to set extended attributes.
- Link-edit the program into an APF-authorized library and turn on the "sticky" bit
on the executable in the HFS.
Contents supervision rejects attempts to an load unauthorized executable file from a
program which is running with APF authorization.
To run APF authorized, a program must:
- have been linked with AC=1.
- be marked as APF authorized as described above.
- be running as the job step task. For batch jobs, this is normally the program loaded by
EXEC PGM=. For processes, the exec callable service does this.
_BPX_SHAREAS=YES will be ignored if an authorized program is being executed from an
unauthorized environment.
APF-authorized programs can invoke SAF services to change identity. However, OS/390 Unix
provides some interfaces to certain RACROUTE functions which are not otherwise available
without APF authorization.
For more information, see
