The Check Command Qualified Name command checks the CRTCMD parameters
that support qualified names to ensure that, if a program is
specified, the library qualifier is not *LIBL. Using *LIBL in a
command that is used in a program that adopts authority presents a
security exposure, because a bogus program could be used.
An *ALLOBJ user is required to run CHKCMDQLFN.
The following qualified parameters are checked because a bogus
program could be used in place of the one they name:
- PGM Command processing program
- PMTOVRPGM Prompt override program
- VLDCKR Validity checker program
The following qualified parameters are also checked, but do not
represent security exposures. An unqualified parameter may cause
confusion if a different version is found on the library list:
- MSGF Message file
- PMTFILE Prompt text file
- HLPPNLGRP Help panel group
- HLPSCHIDX Help search index
A typical command would be:
    CHKCMDQLFN LIB(xxx)
All commands in the specified library would be checked. The default
is to list only those commands with exceptions. Any use of *LIBL on
one of the parameters that supports a qualified name would be
flagged.
Because the default for CRTCMD is MSGF(*LIBL/QCPFMSG), an exception
is only noted if a message file name other than QCPFMSG is found with
*LIBL.
Additional considerations
-------------------------
During SEU syntax checking and CL program compilation, a command
validity checking program would be run if specified with a library
qualifier of *LIBL. A prompt override program could also be used
during SEU. This may also represent a security exposure.
Specifying *CURLIB as the library qualifier for command parameters
that support a qualified name causes the current library at the time
of command creation to be the qualified library name. Because of
this approach, using *CURLIB can be considered the same as an actual
library name.
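
The rules above expressed as a Python check, added here as an illustration and not taken from the TAA tool's source. The command, program and library names in the sample data are constructed, and each record stands in for the values given on CRTCMD.

```python
# Added illustration of the rules above; this is not the TAA tool's code.
PROGRAM_PARMS = ("PGM", "PMTOVRPGM", "VLDCKR")                 # security exposure
OTHER_PARMS = ("MSGF", "PMTFILE", "HLPPNLGRP", "HLPSCHIDX")   # confusion only


def split_qualified(value):
    """Split 'LIB/OBJ'; an omitted qualifier is treated as *LIBL (assumed CRTCMD default)."""
    lib, sep, obj = value.rpartition("/")
    return (lib, obj) if sep else ("*LIBL", value)


def check_command(attrs):
    """Return [(parameter, severity)] for one command's CRTCMD values."""
    findings = []
    for parm in PROGRAM_PARMS + OTHER_PARMS:
        value = attrs.get(parm, "").strip().upper()
        if not value or (value.startswith("*") and "/" not in value):
            continue  # single special value such as *NONE: nothing to resolve
        lib, obj = split_qualified(value)
        if lib != "*LIBL":
            continue  # real library, or *CURLIB (fixed at command creation)
        if parm == "MSGF" and obj == "QCPFMSG":
            continue  # the CRTCMD default MSGF(*LIBL/QCPFMSG) is not an exception
        severity = "EXPOSURE" if parm in PROGRAM_PARMS else "CONFUSION"
        findings.append((parm, severity))
    return findings


def check_library(commands, exceptions_only=True):
    """Mirror EXCPTONLY: by default report only commands with exceptions."""
    report = {}
    for name, attrs in commands.items():
        findings = check_command(attrs)
        if findings or not exceptions_only:
            report[name] = findings
    return report


# Constructed sample: hypothetical commands in a hypothetical library PAYLIB.
SAMPLE = {
    "PAYRUN": {"PGM": "*LIBL/PAYRUNC", "VLDCKR": "*NONE", "MSGF": "*LIBL/QCPFMSG"},
    "PAYRPT": {"PGM": "PAYLIB/PAYRPTC", "VLDCKR": "*LIBL/PAYRPTV",
               "MSGF": "*LIBL/PAYMSGF"},
    "PAYINQ": {"PGM": "PAYLIB/PAYINQC", "HLPPNLGRP": "*CURLIB/PAYHLP"},
}

if __name__ == "__main__":
    for name, findings in check_library(SAMPLE).items():
        print(name, findings)
```
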
CHKCMDQLFN escape messages you can monitor for
----------------------------------------------
TAA9892 No command objects were found in the libraries
Escape messages from based-on functions will be re-sent.
CHKCMDQLFN Command parameters *CMD
-----------------------------
LIB The list of libraries to be processed. Up to 300
libraries may be entered (including generic names)
or the special values *LIBL, *USRLIBL, *CURLIB,
*ALLUSR, *ALLUSR2, *ALLNONQ, *IBM, or ALL.
For *LIBL and *USRLIBL, if a current library exists,
it will be written as a record before the records
for the user portion of the library list. If the
current library is also part of the user portion of
the library list, it will only appear once (it is
removed from the user portion list).
*ALLUSR omits certain # libraries such as #RPGLIB.
*ALLUSR also omits all Q libraries with certain
exceptions such as QGPL. See the help text for the
SAVLIB command for a complete list. Note that if
you have your own library which begins with Q, it is
omitted.
*IBM causes all libraries to be included based on
the definition for DSPOBJD LIB(*IBM).
*ALLUSR2 is similar to *ALLUSR. It omits the same #
libraries, but also omits any library beginning with
Q. Note that if you have your own library which
begins with Q, it is omitted.
*ALLNONQ means any library that does not begin with
the letter Q. If *ALLNONQ is used, the ASPDEV
parameter must use the default.
CMD The command name to be checked. *ALL is the
default.
A specific command name may be entered.
ASPDEV Specifies the auxiliary storage pool (ASP) device
name where storage for the library containing the
object is allocated. If the library resides in an
ASP that is not part of the thread's library name
space, this parameter must be specified to ensure
the correct library is searched.
The parameter can be specified as a list of two
values (elements) or as a single value. The
possible single values are:
* = The ASPs that are currently part of the thread's
library name space will be searched to locate the
library. This includes the system ASP (ASP 1), all
defined basic user ASPs (ASPs 2-32), and, if the
thread has an ASP group, the primary and secondary
ASPs in the thread's ASP group.
*ALLAVL = All available ASPs will be searched. This
includes the system ASP (ASP 1), all defined basic
user ASPs (ASPs 2-32), and all available primary and
secondary ASPs, (ASPs 33-255) with a status of
'Available'.
*CURASPGRP = If the thread has an ASP group, the
primary and secondary ASPs in the thread's ASP group
will be searched. The system ASP (ASP 1) and
defined basic user ASPs (ASPs 2-32) will not be
searched. If no ASP group is associated with the
thread, an error will be issued.
*SYSBAS = The system ASP (ASP 1) and all defined
basic user ASPs (ASPs 2-32) will be searched to
locate the library. No primary or secondary ASPs
will be searched even if the thread has an ASP
group.
Element 1: Device
The device name of the primary or secondary ASP to
be searched. The primary or secondary ASP must have
been activated (by varying on the ASP device) and
have a status of 'Available'. The system ASP (ASP
1) and defined user basic ASPs (ASPs 2-32) will not
be searched.
Element 2: Search type
*ASP = Specifies that only the single auxiliary
storage pool (ASP) device named in element 1 is to
be searched.
*ASPGRP = Specifies that the entire group of the
primary auxiliary storage pool (ASP) device named in
element 1 is to be searched.
ASPNBR The ASP number for the libraries that are to be
converted. The default is *ALL.
A number in the range of 1-99 may be entered to
subset the libraries that are output by the LIB and
ASPDEV parameters.
OMITLIB A list of up to 300 libraries or generic library
names that should be omitted. *NONE is the default.
The TAATOOL library is implicitly omitted.
An omit list may not be entered for LIB(*CURLIB).
If ESCAPE(*YES) is specified, any library entered is
checked for existence unless a non-default value is
used for the ASPDEV parameter.
No check occurs to see if an omit library would have
been selected. For example, if LIB(*LIBL) is
entered with OMITLIB(ABC) and library ABC is not on
the library list, no error occurs.
EXCPTONLY A *YES/*NO parameter for whether to list all
commands or only those with exceptions.
*YES is the default to list only those with
exceptions.
*NO may be specified to list all commands.
OUTPUT How to output the results. * is the default to
display the spooled file if the command is entered
interactively. The spooled file is deleted after it
is displayed.
If the command is entered in batch or *PRINT is
specified, the spooled file is output and retained.
Restrictions
------------
An *ALLOBJ user is required to run CHKCMDQLFN.
REXX programs are not considered.
Prerequisites
-------------
The following TAA Tools must be on your system:
CHKALLOBJ Check *ALLOBJ special authority
CHKDUPLST Check duplicates in list
CHKGENERC Check generic
CHKGENOBJ Check generic object
CHKOBJ3 Check object 3
CMPLSTPARM Compare list parm
CRTDUPPF Create duplicate PF
CVTCMDA Convert command attributes
EDTVAR Edit variable
EXTLST Extract list
EXTLST2 Extract list 2
RTVSYSVAL3 Retrieve system value 3
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
SNDJLGMSG Send job log message
SNDSTSMSG Send status message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object        Type    Attribute    Src member    Src file
------        ----    ---------    ----------    ----------
CHKCMDQLFN    *CMD                 TAASEID       QATTCMD
TAASEIDC      *PGM    CLP          TAASEIDC      QATTCL
TAASEIDR      *PGM    RPG          TAASEIDR      QATTRPG