


Rob,

I think profile switching should only be done in batch jobs at night time, not 
in interactive jobs. And I also think that profile swapping is (still) a great 
security hole.

I do not want to know what could and will happen (or even to find that out), if 
users get access to a command line after a profile switch.

It is easy to write a simple command using profile switching; half the code is 
in the manuals. If you have *USE rights to a user profile with higher 
authority, you can swap to that profile without knowing its password. I 
experimented once with this: being a user of class *SECOFR I granted myself the 
*USE right to the QSECOFR profile. Then I swapped to the QSECOFR profile (without 
entering a password) and I was the QSECOFR, viewing the DLO folders, as my 
user profile was not registered in the DIR.

Perhaps I should put the code on the list.

Regards,
Carel Teijgeler

*********** REPLY SEPARATOR  ***********

On 16-7-04 at 9:57 rob@xxxxxxxxx wrote:

>At one time IBM decided that using adopted authority should not work in 
>certain situations, like creating certain group profiles, etc. Perhaps they 
>thought this was a security enhancement. Then they allowed a workaround with 
>profile switching.
>
>So then, does this not allowing adopted authority in these situations now go 
>into the realm of 'security by obscurity' and should they just open these up 
>to adopted authority?  Or do you see a value into making people use these 
>APIs to do profile switching, - in this situation - ?
>
>Now, I am not arguing that profile switching may not be useful in some client 
>serving or web based applications.  I am just arguing about it in the first 
>situations.
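
Added example, not part of the original thread or written by either poster: an audit sketch in Python that takes a list of private authorities on user-profile objects and reports every user who could reach QSECOFR through one or more swaps, since *USE to a profile is what the post says permits a swap without a password. The profile names and authority rows are constructed sample data, and the model assumes each swap is checked against the profile the job currently runs under; group and *PUBLIC authority are not modeled.

```python
from collections import deque

# Authorities on a *USRPRF object that include *USE (the right the post says permits a swap).
GRANTS_USE = {"*USE", "*CHANGE", "*ALL"}

# Constructed sample data: (target profile, grantee, grantee's authority to the target).
PROFILE_AUTHORITIES = [
    ("QSECOFR", "NIGHTBATCH", "*USE"),
    ("NIGHTBATCH", "APPOWNER", "*CHANGE"),
    ("APPOWNER", "CLERK1", "*USE"),
    ("QSECOFR", "CLERK2", "*EXCLUDE"),
    ("PAYROLL", "CLERK2", "*USE"),
]

def swap_edges(authorities):
    """Map each grantee to the set of profiles it could swap to directly."""
    edges = {}
    for target, grantee, authority in authorities:
        if authority in GRANTS_USE and grantee != target:
            edges.setdefault(grantee, set()).add(target)
    return edges

def swap_paths_to(sensitive, authorities):
    """Return {user: shortest chain of swaps that ends at `sensitive`}."""
    # Reverse the grantee -> target edges so the search can start at the sensitive profile.
    reverse = {}
    for grantee, targets in swap_edges(authorities).items():
        for target in targets:
            reverse.setdefault(target, set()).add(grantee)
    paths = {}
    seen = {sensitive}
    queue = deque([(sensitive, [sensitive])])
    while queue:  # breadth-first, so the first chain found for a user is the shortest
        profile, chain = queue.popleft()
        for grantee in sorted(reverse.get(profile, ())):
            if grantee not in seen:
                seen.add(grantee)
                paths[grantee] = [grantee] + chain
                queue.append((grantee, paths[grantee]))
    return paths

if __name__ == "__main__":
    for user, chain in sorted(swap_paths_to("QSECOFR", PROFILE_AUTHORITIES).items()):
        print(f"{user}: {' -> '.join(chain)}")
```

Every user reported is a candidate for having the *USE grant revoked or the intermediate profile reviewed, including users whose path runs through a batch or application-owner profile rather than directly to QSECOFR.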





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].