Hi, Rob,
Yes, you could use a variable for the library name. Exactly how you do that varies depending on the language you are using. For example, in CL:
DCL &APPLIB *CHAR LEN(10) VALUE('APPOBJLIB')
...
/* get application library name */
RTVDTAARA DTAARA(APPLIB) RTNVAR(&APPLIB)
...
/* call some program in the application library */
CALL PGM(&APPLIB/APPPGM1R) PARM(&PARM1 &PARM2)
Of course, the details for how you can accomplish this feat in RPG/400, or ILE RPG IV, or COBOL, or C/400, are rather different. Further research is required, depending on what languages are in use in your shop.
This would require potentially massive changes to each application, to ensure that every program that CALLs another program follows these conventions.
SUMMARY
I think the issue with "unqualified" calls representing an "exposure" is mostly relevant to IBM supplied programs that have elevated authority, as demonstrated by the Silent Signal presentation.
The (supposed) "risks" of using the library list in the normal manner with normal end-user applications is probably not as much of a problem, unless the applications are invoking IBM APIs that adopt authority. Those calls should be "fully qualified" to prevent the kinds of exploits illustrated in the Silent Signal presentation.
This is an issue for software vendors who distribute applications, tools or software packages that are installed and used on customer systems.
All the best,
Mark S. Waterbury
On Wednesday, September 18, 2024 at 09:49:51 AM EDT, Rob Berendt <robertowenberendt@xxxxxxxxx> wrote:
Can the library name be a variable?
midrange.com
