

  • Subject: Re: chgc0100 exit point. was Default for command without default value?
  • From: "srichter " <srichter@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 1 Aug 2001 01:41:06 -0400

Another scenario:

A user without *AllObj authority codes and creates a chgc0100 exit pgm. 

A profile that does have *AllObj authority runs AddExitPgm to register the 
chgc0100 exit pgm.

The exit pgm is then replaced by a user with existence rights to the exit pgm ( 
but no *AllObj special authority ).

The new exit pgm, which runs every time the registered cmd is used, and runs 
with the authority of the job that calls it, contains code that checks to see 
if the running user has *AllObj/*SecAdm authority. If so, it ....

You must have *AllObj and *SecAdm to register an exit pgm.  Should not the exit 
pgm itself have to be owned by a profile with *AllObj/*SecAdm ?

Otherwise, careless managing of the exit pgm could result in an exit pgm 
running code you don't want it to run.

Steve Richter



---------- Original Message ----------------------------------
From: "srichter " <srichter@mail.autocoder.com>
Reply-To: MIDRANGE-L@midrange.com
Date: Tue, 31 Jul 2001 21:07:31 -0400

>
>>/*                                                                */
>>/*  Use the following CL command to cause the DEFAULT program     */
>>/*  to be called each time anyone uses the CRTRPGPGM CL command.  */
>>/*                                                                */
>>/*    ADDEXITPGM EXITPNT(QIBM_QCA_CHG_COMMAND) FORMAT(CHGC0100)   */
>>/*               PGMNBR(*LOW) PGM(your-library/DEFAULT)           */
>>/*               PGMDTA(*JOB 20 'CRTRPGPGM QSYS      ')           */
>>/*                                                                */
>
>
>Is this exit point a potential security violation?
>
>Could the GrtObjAut cmd be registered as a *Chgc0100 exit pgm. Then the exit 
>pgm would see all GrtObjAut command strings run on the entire system?
>
>Could the exit pgm chg the GrtObjAut cmd string to grant the authority to 
>another user profile without the executing pgm knowing about it?
>
>If the FireEmployee cmd in the personnel system is registered in this way, 
>will the exit pgm see each execution of this command? Even if the exit pgm 
>owner is not authorized to the personnel system library?
>
>Is authority to the AddExitPgm the only restriction that prevents these 
>scenarios?
>
>Steve Richter
>
>---------- Original Message ----------------------------------
>From: "Ed Fishel" <edfishel@us.ibm.com>
>Reply-To: MIDRANGE-L@midrange.com
>Date: Tue, 31 Jul 2001 16:13:40 -0500
>
>>
>>Jim Langston wrote:
>>>>I tried to add a default value to the CRTRPGPGM command for the OPTION
>>parameter for *SRCDBG to always compile with debug information.  . . . <<
>>
>>There has been lots of discussion on how to solve this problem. For those
>>of you on a V4R5 or V5R1 system there is one solution that has not been
>>discussed yet. Use a change command exit program to add a "default" OPTION
>>parameter when one is not specified. Here is the CL program that does just
>>that. I did a few simple tests of this program and it seems to work. Be
>>sure that you also test it before turning it on for everyone.
>>
>>/******************************************************************/
>>/*                                                                */
>>/*  Program name:  DEFAULT                                        */
>>/*                                                                */
>>/*  The purpose of this program is to provide a default of        */
>>/*  OPTION(*SRCDBG) to the CRTRPGPGM command. The way it works    */
>>/*  is by making a modified copy of the command string and        */
>>/*  telling the OS/400 Command Analyzer to process the modified   */
>>/*  copy instead of the original entered by the user.             */
>>/*                                                                */
>>/*  Use the following CL command to create the DEFAULT program    */
>>/*  in a library of your choice.                                  */
>>/*                                                                */
>>/*    CRTCLPGM PGM(your-library/DEFAULT)                          */
>>/*             SRCFILE(your-library/source-file)                  */
>>/*                                                                */
>>/*  Use the following CL command to cause the DEFAULT program     */
>>/*  to be called each time anyone uses the CRTRPGPGM CL command.  */
>>/*                                                                */
>>/*    ADDEXITPGM EXITPNT(QIBM_QCA_CHG_COMMAND) FORMAT(CHGC0100)   */
>>/*               PGMNBR(*LOW) PGM(your-library/DEFAULT)           */
>>/*               PGMDTA(*JOB 20 'CRTRPGPGM QSYS      ')           */
>>/*                                                                */
>>/******************************************************************/
>>             PGM        PARM(&EXITINFO &RPLCMD &RPLLEN)
>>             DCL        &EXITINFO *CHAR 4000
>>             DCL        &RPLCMD   *CHAR 3950
>>             DCL        &RPLLEN   *CHAR 4
>>             DCL        &ALWCHG  *CHAR 1 /* change allowed ? */
>>             DCL        &OFFSET  *DEC (6 0) /* offset to command */
>>             DCL        &CMDLEN  *DEC (6 0) /* length of command */
>>             DCL        &PL *DEC (3 0) 7 /* length of parameter  */
>>             DCL        &PRM *CHAR 7 'OPTION(' /* parameter      */
>>             DCL        &AL *DEC (3 0) 16 /* length of parameter to +
>>                          be added */
>>             DCL        &ADDPARM *CHAR 16 ' OPTION(*SRCDBG)' +
>>                          /* parameter to add */
>>             DCL        &INDEX *DEC (6) 1 /* index into command */
>>
>>             CHGVAR     VAR(%BIN(&RPLLEN)) VALUE(0) /* set return +
>>                          parameter to indicate the command has +
>>                          not been changed yet */
>>
>>      /*  Extract values from the input parameter structure.     */
>>             CHGVAR     VAR(&ALWCHG) VALUE(%SST(&EXITINFO 49 1)) +
>>                          /* get command is allowed to be +
>>                          changed indicator */
>>             CHGVAR     VAR(&OFFSET) VALUE(%BIN(&EXITINFO 53 4)) +
>>                          /* get offset to command string */
>>             CHGVAR     VAR(&OFFSET) VALUE(&OFFSET + 1) /* add +
>>                          1 because CL offsets start at 1 +
>>                          instead of 0 */
>>             CHGVAR     VAR(&CMDLEN) VALUE(%BIN(&EXITINFO 57 4)) +
>>                          /* get length of command string */
>>
>>             IF         COND(&CMDLEN > 3930) THEN(RETURN) /* exit +
>>                          if the command is too big to fit in +
>>                          the return variable */
>>
>>             CHGVAR     VAR(&RPLCMD) VALUE(%SST(&EXITINFO &OFFSET +
>>                          &CMDLEN)) /* copy input command to +
>>                          output parameter */
>>
>>      /*  Search to see if the parameter already exists on the   */
>>      /*  command. If it does then we need not add a default.    */
>> LOOP1:      IF         COND(((&INDEX + &PL) < &CMDLEN) *AND +
>>                          (%SST(&RPLCMD &INDEX &PL) = &PRM)) +
>>                          THEN(RETURN) /* the parameter was +
>>                          already specified - so we are done */
>>
>>             CHGVAR     VAR(&INDEX) VALUE(&INDEX + 1) /* move to +
>>                          next character */
>>             IF         COND((&INDEX + &PL) < &CMDLEN) THEN(GOTO +
>>                          CMDLBL(LOOP1)) /* if there is room go +
>>                          back and search some more */
>>
>>             IF         COND(&ALWCHG = '1') THEN(DO) /* can the +
>>                          command be changed */
>>               CHGVAR VAR(&INDEX) VALUE(&CMDLEN + 1) /* set +
>>                          command index to the end of the command */
>>               CHGVAR VAR(%SST(&RPLCMD &INDEX &AL)) +
>>                          VALUE(&ADDPARM) /* add parameter */
>>               CHGVAR VAR(%BIN(&RPLLEN)) VALUE(&INDEX + &AL) /* +
>>                          set return parameter to the new +
>>                          command length */
>>             ENDDO      /* end of the command can be changed */
>>
>>             ENDPGM
>>
>>During the discussion Rob Berendt added:
>>>> But isn't IBM starting to hardcode QSYS on every command call?  And
>>getting even more extensive with future releases? Let's say that they
>>change PDM so that option 14 uses QSYS/commandname.  Kinda hoses you. <<
>>
>>IBM cannot hardcode QSYS on every command call because if we did, the
>>command would sometimes use the wrong language when it was prompted. (It
>>would only find the command in QSYS instead of a secondary language
>>library.) IBM is coding *NLVLIBL and *SYSTEM on more and more command
>>calls. Commands that are library qualified with *NLVLIBL and *SYSTEM can
>>still be replaced by a change command exit program like the one above.
>>
>>Ed Fishel,
>>edfishel@US.IBM.COM
>>
>>
>>+---
>>| This is the Midrange System Mailing List!
>>| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
>>| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
>>| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
>>| Questions should be directed to the list owner/operator: david@midrange.com
>>+---
>>

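Added example (not part of the original thread): a small Python model of the check raised in the message above, flagging registered exit programs whose owner lacks *ALLOBJ or that a profile without *ALLOBJ could replace through existence rights. The profile names, libraries and authority data are constructed, and group profiles, adopted authority and library-level authority are not modeled.

```python
"""Audit model for registered exit programs; all sample data is constructed."""

# Special authorities held by each user profile (constructed).
PROFILES = {
    "QSECOFR": {"*ALLOBJ", "*SECADM"},
    "DEVUSER": set(),
    "OPER1": {"*JOBCTL"},
}

# Registered exit programs with owner and object authorities (constructed).
REGISTRATIONS = [
    {"exit_point": "QIBM_QCA_CHG_COMMAND", "format": "CHGC0100",
     "program": "DEVLIB/DEFAULT", "owner": "DEVUSER",
     "authorities": {"DEVUSER": {"*ALL"}, "*PUBLIC": {"*USE"}}},
    {"exit_point": "QIBM_QCA_CHG_COMMAND", "format": "CHGC0100",
     "program": "SECLIB/AUDITCMD", "owner": "QSECOFR",
     "authorities": {"QSECOFR": {"*ALL"}, "OPER1": {"*OBJEXIST"},
                     "*PUBLIC": {"*EXCLUDE"}}},
    {"exit_point": "QIBM_QCA_CHG_COMMAND", "format": "CHGC0100",
     "program": "SECLIB/LOCKED", "owner": "QSECOFR",
     "authorities": {"QSECOFR": {"*ALL"}, "*PUBLIC": {"*USE"}}},
]

def is_privileged(profile):
    return "*ALLOBJ" in PROFILES.get(profile, set())

def who_can_replace(reg):
    """Profiles without *ALLOBJ that hold existence rights to the program."""
    public = reg["authorities"].get("*PUBLIC", set())
    holders = set()
    for profile in PROFILES:
        if is_privileged(profile):
            continue
        # A private authority entry takes precedence over *PUBLIC.
        auts = reg["authorities"].get(profile, public)
        # Assumption: the owner is treated as holding existence rights.
        if profile == reg["owner"] or auts & {"*ALL", "*OBJEXIST"}:
            holders.add(profile)
    return sorted(holders)

def audit(registrations):
    """Return (program, finding, profile) tuples for risky registrations."""
    findings = []
    for reg in registrations:
        if not is_privileged(reg["owner"]):
            findings.append((reg["program"], "owner lacks *ALLOBJ", reg["owner"]))
        for profile in who_can_replace(reg):
            findings.append((reg["program"], "replaceable without *ALLOBJ", profile))
    return findings
```
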

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
