RE: Disallowing RTVCMDSRC -- MIDRANGE-L

Rob, could you add a command validation program to the RTVCLSRC command? 

Eric DeLong
Sally Beauty Company
MIS-Project Manager (BSG)
940-898-7863 or ext. 1863



-----Original Message-----
From: rob@xxxxxxxxx [mailto:rob@xxxxxxxxx]
Sent: Friday, December 19, 2003 10:45 AM
To: Midrange Systems Technical Discussion
Subject: Re: Disallowing RTVCMDSRC


Yes we are using Turnover.  I believe that we can justify the security. 
However, others always come up with the mythical emergency, which NEVER 
occurs.  It's a struggle.

Rob Berendt
-- 
"All creatures will make merry... under pain of death."
-Ming the Merciless (Flash Gordon)




"Keith Carpenter" <CarpCon@xxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
12/19/2003 11:02 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
cc

Fax to

Subject
Re: Disallowing RTVCMDSRC






Rob,

To your original question about RTVCMDSRC.  It cannot be disabled like you
can disable RTVCLSRC.   The reason is RTVCMDSRC works by reconstructing 
the
source from the actual CMD object.

RTVCLSRC works by reading a copy of the CL source stored in an associated
space of the CL program.  If the CLP is compiled ALWRTVSRC(*NO) then this
copy of source is not available for RTVCLSRC.


You could move the userid and password to the CL (with no debug or 
retrieve
source options), but your cleaver programmer may still be able to figure 
it
out.


Out of curiosity, do you use a source control or change management system 
on
your development box ?    If so, it seems you should be able to justify
setting up security just for that reason.


Keith





----- Original Message ----- 
From: <rob@xxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Friday, December 19, 2003 5:00 AM
Subject: RE: Disallowing RTVCMDSRC


> Will he still be able to see variable values?
> Probably doesn't matter, the program called was written by his brother,
> takes the user id and password and records them into a ftp script in
> qtemp, runs the ftp script and then deletes itself.
> In general I trust these fellows.  Just trying to be a good corporate
> citizen and not leave anything in the clear.
>
> Rob Berendt
> -- 
> "All creatures will make merry... under pain of death."
> -Ming the Merciless (Flash Gordon)
>
>
>
>
> Joe Giusto <jgiusto@xxxxxxxxxxxxxx>
> Sent by: midrange-l-bounces@xxxxxxxxxxxx
> 12/18/2003 07:36 PM
> Please respond to
> Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
>
>
> To
> Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> cc
>
> Fax to
>
> Subject
> RE: Disallowing RTVCMDSRC
>
>
>
>
>
>
> Make the source type CLLE and compile (thru PDM) with option 14.  F4 to
> prompt, F10 for additional parms, pagedown and on the 'Debugging view'
> parm
> put *none.  Then when doing strdbg, he will see only (Source not
> available.)
>
> Joe Giusto II
> Programmer/Analyst
> Ritz Camera
> Beltsville, MD
> 301-479-3347
>
>  -----Original Message-----
> From:            rob@xxxxxxxxx [mailto:rob@xxxxxxxxx]
> Sent:            Thursday, December 18, 2003 4:15 PM
> To:              MIDRANGE-L@xxxxxxxxxxxx
> Subject:                 Disallowing RTVCMDSRC
>
>
> Due to the extremely weak security on our development machine, and the
> lack of permission to do anything about it, I kept the source off the
> system and thought I was being clever.  Well, the newest programmer, 
(who
> was working as an engineer at a different company before starting here 
and
>
> we just hired him as a programmer because he had the right aptitude and
> his brother and dad are good) figured out how to use RTVCMDSRC to
> decompile it.  (He wanted to change the size of the password and user id
> fields.)  Granted, even if I could figure out how to create this command
> so that RTVCMDSRC didn't work he'd figure it out (debug the CL program
> called - he told me this, dang these new guys are clever) I'd still like
> to do this if possible.  Is there some option on CRTCMD that would work?
>
> Rob Berendt
> -- 
> "All creatures will make merry... under pain of death."
> -Ming the Merciless (Flash Gordon)
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
>
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
>
>

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.