
We are interested in blocking ISRDDN for some of the users. We are trying to do it without creating a shell of our own. Is there something inside ISRDDN that will help? What is the easiest way to do it? Thank you!

cschneid
  • What purpose is served by blocking access to ISRDDN? What is the actual problem you're trying to solve? – cschneid Mar 13 '17 at 13:58
  • ISRDDN also goes by another name, DDLIST, which is now a supported function of ISPF. – zarchasmpgmr Mar 13 '17 at 20:15
  • Even if you block access to ISRDDN the user can still run the TSO LISTALC command to get the same information. – David Crayford Mar 14 '17 at 03:48
  • Seconding what David Crayford says, information about allocated files is generally in memory, so even without DDLIST, TSO LISTALC, etc., a knowledgeable user can iterate through all the allocated files any number of ways. This is "security through obscurity", and in my opinion, it's never a good idea - much better to put controls around the behavior you're really trying to protect. – Valerie R Mar 15 '17 at 00:32

1 Answer


You can utilize Exit 3/4 (SELECT start and end exits). Exit 3 could be used to check for SELECT PGM(ISRDDN) and then do some sort of authorization check to see if the user is allowed to run the pgm. If not, set rc=8 (or 16) to terminate the SELECT service with an authorization failure. This would be how to do it using ISPF. There might be ways via your security software as well. A SELECT PGM(ISRDDN) will generate a LINK SVC for ISRDDN, so a hook in the LINK macro could do security checks. ISRDDN does a lot more than just the LISTALC function, as can be seen by checking the tutorial. Keep in mind that ISPF is not authorized code and a "smart" programmer could write their own routines to do the same thing.

Marv Knight
  • It would be interesting to hear *why* the OP wants to block ISRDDN, but this sounds like the right way to do it. – Steve Ives Mar 14 '17 at 12:51
  • Just a note on DDLIST/ISRDDN. This contains many functions of TASID, as it was written by the same developer. For instance, you have the BROWSE, LOAD, LPA, ENQ and other assorted primary commands that can be entered from within DDLIST. You can dynamically browse control blocks in storage with BROWSE. DDLIST can be quite useful in debugging. As Valerie mentioned, blocking ISRDDN doesn't truly keep a knowledgeable user from getting the same info elsewhere. They just have to work harder. – Marv Knight Mar 15 '17 at 09:59