MIDRANGE dot COM Mailing List Archive




RE: Another heads up on a restore




Rob,

RSTOBJ on my LPARs is public *exclude.
Shouldn't public stay at *exclude for security reasons?
I also checked my new base guest LPAR.

Object . . . . . . . :   RSTOBJ        Owner . . . . . . . :   QSYS
  Library . . . . . :      QSYS        Primary group . . . :   *NONE
Object type . . . . :    *CMD          ASP device . . . . . :  *SYSBAS

Object secured by authorization list . . . . . . . . . . . . :   *NONE

                         Object
User        Group        Authority
*PUBLIC                  *EXCLUDE
QSYS                     *ALL
*GROUP      QPGMR        *ALL
QOTHPRDOWN               *USE
RBAGRPPRF                *USE

Object . . . . . . . :   RSTOBJ        Owner . . . . . . . :   QSYS
  Library . . . . . :      QSYS        Primary group . . . :   *NONE
Object type . . . . :    *CMD          ASP device . . . . . :  *SYSBAS

Object secured by authorization list . . . . . . . . . . . . :   *NONE

                         Object
User        Group        Authority
*PUBLIC                  *EXCLUDE
QSYS                     *ALL

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, August 12, 2014 2:24 PM
To: Midrange Systems Technical Discussion
Subject: Re: Another heads up on a restore

I opened up a PMR about RSTOBJ. IBM confessed. There is a program which changes a bunch of objects and it will do so regardless of you restoring from IBM media or restoring from media performed from a save of your system. The security on RSTOBJ is definitely one of those objects.
Frankly I suspected this had to be the case.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: rob@xxxxxxxxx
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 08/12/2014 11:48 AM
Subject: Re: Another heads up on a restore
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



And it's not just getting the authorization lists right.
I had to rerun this:
GRTOBJAUT OBJ(RSTOBJ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*USE)

To me this sounds like IBM has had to make a deliberate attempt to change
the authority of that command to some IBM suggested default. It wasn't
like the other stuff where there was some sync issue between authorization
lists not being there or some such thing.
And it's also not like all commands got changed to *PUBLIC *EXCLUDE.
I think I'll open this one as a separate ticket.


Rob Berendt
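
The thread's concern is that a restore silently resets the authority on RSTOBJ. The following is an added example, not code from any poster or from IBM: it parses DSPOBJAUT screen text in the layout quoted above and reports entries that differ from a site baseline. The function names and the BASELINE table are assumptions; the sample listing is constructed from the output shown in the thread.

```python
import re

# Constructed sample: DSPOBJAUT screen text in the layout quoted in this thread.
SAMPLE = """\
Object . . . . . . . : RSTOBJ Owner . . . . . . . : QSYS
Library . . . . . : QSYS Primary group . . . : *NONE
Object type . . . . : *CMD ASP device . . . . . : *SYSBAS
Object secured by authorization list . . . . . . . . . . . . : *NONE
Object
User Group Authority
*PUBLIC *EXCLUDE
QSYS *ALL
*GROUP QPGMR *ALL
"""

# Assumed site baseline: the value re-granted with GRTOBJAUT in the thread.
BASELINE = {("QSYS", "RSTOBJ", "*CMD"): {"*PUBLIC": "*USE"}}

def _field(label, text):
    # Matches "Label . . . . : VALUE" at the start of a line, any spacing.
    m = re.search(rf"^\s*{label}(?:\s+\.)+\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_dspobjaut(text):
    """Return ((library, object, type), {user: authority}) from screen text."""
    key = (_field("Library", text), _field("Object", text),
           _field("Object type", text))
    auths, in_table = {}, False
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["User", "Group"]:
            in_table = True
        elif in_table and len(tok) in (2, 3):
            # Rows are "user authority" or "*GROUP profile authority".
            auths[tok[-2] if tok[0] == "*GROUP" else tok[0]] = tok[-1]
        elif in_table and tok:
            in_table = False  # any other non-blank line ends the table
    return key, auths

def drift(baseline, key, auths):
    """List (user, expected, actual) where the listing differs from baseline."""
    expected = baseline.get(key, {})
    return [(u, want, auths.get(u, "(no entry)"))
            for u, want in sorted(expected.items()) if auths.get(u) != want]

if __name__ == "__main__":
    for user, want, got in drift(BASELINE, *parse_dspobjaut(SAMPLE)):
        print(f"RSTOBJ {user}: expected {want}, found {got}")
```

Running the check before and after a restore or upgrade shows which baseline entries were reset.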




