Open lnlyssg opened 7 years ago
Mm, no error msg? We can always add another check if there is no ICH* message. Do you have a stable string we can use for comparison?
This was always going to be the challenge with using REXX and parsing TSO command outputs. @ayoul3 and I have some assembler modules (thanks to a friend, DS) and I've been debating writing an assembler ELV.APF but:
There could be a way that we write a quick assembler stub that the REXX compiles to a tmp dataset and then calls that for RACF checking.
@ayoul3 I'm getting the text of the message, just without the preceding ICH35003I so it says "NO RACF DESCRIPTION FOUND FOR JIM.TEST.DATASET"
Couldn't you just add that test to the 'check_priv' function? On this line?
https://github.com/ayoul3/Privesc/blob/master/ELV.APF#L200
Something like IF INDEX(OUT.1,"ICH35003I") > 0 | INDEX(OUT.1,"NO RACF DESCRIPTION FOUND") > 0 THEN DO
I currently have the below in place which works, if that looks OK to you I will submit a pull request this evening:
IF INDEX(OUT.1,"ICH35003I") >0 && ,
SUBSTR(OUT.1,1,19) = "NO RACF DESCRIPTION" THEN DO
@mainframed @ayoul3 I'm working on a system where the ICH* part of the message is being suppressed, so ELV.APF is only getting "NO RACF DESCRIPTION FOUND" without the preceding ICH35003I message (same for ICH408Is etc.), so it reports "NO RACF PROFILE" instead of checking further. I suspect this is a fringe case so didn't want to put a commit in to fix it at this point without discussing further...