× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  • Subject: RE: Library List.
  • From: Neil Palmer <npalmer@xxxxxxxxxxx>
  • Date: Thu, 11 Dec 1997 17:34:59 -0600

Making sure *PUBLIC (and any evil programmers'  :-) ) have only *USE
access to QHLPSYS & QUSRSYS should suffice, instead of moving them to
the bottom of your library list (ie. prevent someone putting stuff in
there in the first place, then you don't need to worry about an
alternate version of a program being run from there).  This is
especially important if your system is pre V3R2 (CISC) or pre V3R7
(RISC).
And if you come back and say your programmers have *ALLOBJ authority
which would allow them access to make changes in QUSRSYS & QHLPSYS, then
you really have no security to worry about compromising do you ?   :-)

The "user" information in QUSRSYS are things like:
System Directory Entries
Distribution Lists
Personal Directories
OV/400 files (registration, calendars, nicknames, supplemental spelling
dictionaries etc.)
Files that contain the 'indexes' into the Folders/Documents in the QDOC
library
        (which is why it helps to ALWAYS do a SAVLIB QUSRSYS at the same
time as 
         a SAVDLO *ALL - it could save you time if you need to restore
it all).
SNADS Distribution Queues
TCP/IP configurations (Host tables, SMTP, POP, HTTP, LPD etc. configs)
IPX configurations
Server storage configuration
Journals & Journal Receivers
Output Queues created by auto-config when a printer device is created
Message queues created for user profiles
System Job Scheduler
Data areas used by IBM products
Data areas for ECS & TIE phone numbers
Data areas with user options for certain PTF's
Files used by Facsimile Support/400 & other IBM products
Data from RTVDSKINF
Data from running the Upgrade Assistant (CISC to RISC)
Other 'user' specific info on the system

Basically all user data contained in IBM supplied files.  You shouldn't
be using QSUSRSYS to store your own programs and files. (Leave that to
QGPL - the QGarbagePailLibrary).


... Neil Palmer                                     AS/400~~~~~      
... NxTrend Technology - Canada     ____________          ___  ~     
... Thornhill, Ontario,  Canada     |OOOOOOOOOO| ________  o|__||=   
... Phone: (905) 731-9000  x238     |__________|_|______|_|______)   
... Cell.: (416) 565-1682  x238      oo      oo   oo  oo   OOOo=o\   
... Fax:   (905) 731-9202         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
... mailto:NPalmer@NxTrend.com          http://www.NxTrend.com


        -----Original Message-----
        From:   John Earl [SMTP:johnearl@lns400.com]
        Sent:   Thursday, December 11, 1997 1:23 AM
        To:     MIDRANGE-L@midrange.com
        Subject:        Re: Library List.


        At 09:39 PM 12/9/97 -0500, you wrote:
        >"...for security reasons..."????? What security concerns would
have you move
        >these 2 system libraries to the bottom of the user list?
        >

        Walden,

        For starters, prior to V3R7 both libraries came shipped with
*PUBLIC
        authority *CHANGE, which means that a body could add a program
to this
        library that would get invoked instead of some legitimate
program.  This can
        be a security exposure when you have any sort of security rules
enforced by
        a program (which is common).  A classic example would be the
joe-programmer
        that puts a near replica of the payroll program in QUSRSYS, with
a minor
        modification that enriches the programmer in some way.  When
        Jane-payroll-clerk runs payroll, he calls joe-programmer's bogus
version (by
        virtue of it's place in the library list) and perfoms the dirty
deed under
        her own profile.  There are even simpler and more damaging
versions of this
        hack, but you get the idea.  Hacks like this can be difficult to
detect.
        I've worked at a couple of banks where all ad-hoc manipulations
of the
        library list were prohibited.  No ADDLIBLE, no CHGLIBLE, no
CHGJOBD, etc.
        Any program that had the ability to manipulate the library list
was
        scrutinized intensly.

        It's kind of a new concept to those of us who grew up using and
loving
        library lists, but it is a fact of AS/400 security.

        jte


        >-Walden
        >-----Original Message-----
        >From: MCPARTLAND, Stan <stanley.mcpartland@bently.com>
        >To: 'MIDRANGE-L@midrange.com' <MIDRANGE-L@midrange.com>
        >Date: Tuesday, December 09, 1997 3:26 PM
        >Subject: RE: Library List.
        >
        >
        >>If my memory serves me right, QUSRSYS and QHLPSYS first showed
up in
        >>1988 on the AS/400.  They were not present on the S/38.  We
have moved
        >>both libraries to the bottom of the user portion of the
library list
        >>for security reasons.  Some third party software has
difficulties with
        >>this, especially in the installation routines.  They replace
the user
        >>portion of the library list and assume that QUSRSYS and
QHLPSYS are in
        >>the system portion of the library list.  As long as you are
aware of
        >>this and investigate before running the installation you
should not
        >>have any problems.
        >>
        >>Regards,
        >>Stan
        >>------------------------------------------
        >>Stanley A. McPartland
        >>Bently Nevada Corporation
        >>1617 Water St; Minden, NV  89423  USA
        >>Voice: (702) 782-9339  Fax: (702) 782-1382
        >>E-mail: stanley.mcpartland@bently.com
        >>------------------------------------------
        --

        John Earl       Lighthouse Software Inc.
        8514 71st NW    Gig Harbor, WA 98335
        253-858-7388    johnearl@lns400.com
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.