× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Forgive me if I'm wrong here, wouldn't be the first time, but
I thought the following applied, at least at security level 40...

For the purposes of this discussion of special authorities, QSECURITY
level 40 has little or no bearing.


You need at least *SECADM authority to change a user profile,
*ALLOBJ is not enough.

True. To the best of my knowledge, it has always been this way.

You can't submit a job as QSECOFR even if you do have
*ALLOBJ.
Hmm - I'm not sure if that is true - and I'm on an airplane now so I
can't test. But even if it is true, I know that you can use the profile
swap API's to become QSECOFR if you have at least *USE authority to
QSECOFR, and I believe that a user with *ALLOBJ can ADDJOBSCDE for the
user QSECOFR, so there are a number of ways to skin that cat.

jte

--

John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx




Email is an excellent way to communicate material that is not time
sensitive. If your communication is of a more urgent nature, please
call.

===========================
This email message and any attachments are intended only for the use of
the intended recipient named above and may contain information that is
privileged and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message or by telephone and delete the
message from your email system. Thank you.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Crispin Bates
Sent: Wednesday, April 02, 2008 7:54 AM
To: Midrange Systems Technical Discussion
Subject: Re: Anti-virus for i5OS

Forgive me if I'm wrong here, wouldn't be the first time, but
I thought the following applied, at least at security level 40...

You need at least *SECADM authority to change a user profile,
*ALLOBJ is not enough.

Message ID . . . . . . : CPF2292
Date sent . . . . . . : 04/02/08 Time sent . . . . .
. : 10:44:32

Message . . . . : *SECADM required to create or change user
profiles.

Special authority (SPCAUT) - Help

o The user profile creating or changing another user
profile must have all of the special authorities being
given. All special authorities are needed to give all
special authorities to another user profile.

o A user must have *ALLOBJ and *SECADM special
authorities to give a user *SECADM special authority
when using the CHGUSRPRF command.

o The user must have *ALLOBJ, *SECADM, and *AUDIT
special authorities to give a user *AUDIT special
authority when using the CHGUSRPRF command.

You can't submit a job as QSECOFR even if you do have
*ALLOBJ. What you can do is submit a job as another user who
has *SECADM, or *SECOFR, but that's an entirely different discussion.



Sorry, but a user with *ALLOBJ can give themselves *AUDIT,
*IOSYSCFG,
*JOBCTL, *SAVSYS, *SECADM and *SPLCTL. From "Expert's
Guide to OS/400
and i5/OS Security", page 67:

"For example, *ALLOBJ special authority gives a user
unlimited access
to and control over ALL objects-a user with *ALLOBJ special
authority
can perform any function on any object on your system."

There is only a one step difference between a user with *ALLOBJ and
QSECOFR, that of the user with *ALLOBJ going into their own profile
and granting themselves the missing options. You can lock both
*ALLOBJ users and QSECOFR out of certain sysvals by pushing
them up to
SST level maintenance, but if you've given a user *ALLOBJ
you might as
well have made them QSECOFR.

Do you want your new software package to adjust your
auditing level,
create a PPP connection and add a job schedule entry that
calls home
and reports **anything it wants** from your system? ABC Corp may
have just used "social engineering" to get you to install
your very
own iSeries virus!

A totally false question. Who is going to say yes? The
point is that
merely changing the user id used for installation from
QSECOFR to one
with *ALLOBJ hasn't fixed anything. I can do anything with *ALLOBJ
that I can do with QSECOFR. The user with *ALLOBJ has full
rights to
the QSECOFR profile. If he doesn't, he can just grant
himself those rights.

As hinted at above, you can push auditing values to SST
level, so that
even QSECOFR can't change them. The point remains, *ALLOBJ is
essentially no different from QSECOFR..........


--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.




--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take a moment to review the archives at
http://archive.midrange.com/midrange-l.




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.