MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » January 2014

System value - Share Memory Control (QSHRMEMCTL)



fixed

Security audit is requesting we change this from 1 (share) to 0 (cannot share).
Has anyone dealt with this, notice any performance hits when setting to 0.
The Share Memory Control (QSHRMEMCTL) system value defines which users are allowed to use shared memory or mapped memory that has write capability.
Your environment may contain applications, each running different jobs, but sharing pointers within these applications. Using these APIs provides for better application performance and streamlines the application development by allowing shared memory and stream files among these different applications and jobs. However, use of these APIs might potentially pose a risk to your system and assets. A programmer can have write access and can add, change, and delete entries in the shared memory or stream file.
To change this system value, users must have *ALLOBJ and *SECADM special authorities. A change to this system value takes effect immediately.
Note: This system value is a restricted value. See Security system values<http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzarl/rzarlsysval.htm#rzarlsysval> for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 1. Possible values for the QSHRMEMCTL system value:

0

Users cannot use shared memory, or use mapped memory that has write capability.
This value means that users cannot use shared-memory APIs (for example, shmat() - Shared Memory Attach API), and cannot use mapped memory objects that have write capability (for example, mmap() - Memory Map a File API provides this function).
Use this value in environments with higher security requirements.

1

Users can use shared memory or mapped memory that has write capability.
This value means that users can use shared-memory APIs (for example, shmat() - Shared Memory Attach API), and can use mapped memory objects that have write capability (for example, mmap() - Memory Map a File API provides this function).



Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx<mailto:psteinmetz@xxxxxxxxxx>
http://www.pencor.com/






Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact