  • Subject: Re: Programing Question/Authority...
  • From: "alan shore" <SHOREA@xxxxxxxx>
  • Date: Thu, 26 Jul 2001 14:13:15 -0400

If you read the IBM security reference manual, there are ways to capture this 
(plus other) information, already available at NO cost (except development 
time).

>>> <rob@dekko.com> 07/26/01 01:05PM >>>

Chris,

<snip> QSECOFR should be generating a report on objects with *owner
authority and an eye should be kept on how
they work.
<endsnip>

Many of the security tools will do some of this work for you.  - report on
objects with *owner authority.  An example is PentaSafe.  How they work,
may be a separate issue.




Rob Berendt

==================
A smart person learns from their mistakes,
but a wise person learns from OTHER peoples mistakes.


From: "Chris Rehm" <javadisciple@earthlink.net>
Sent by: owner-rpg400-l@midrange.com
Date: 07/26/2001 10:19 AM
Please respond to RPG400-L
To: <RPG400-L@midrange.com>
cc:
Subject: Re: Programing Question/Authority...




Well, worse than that, really.
I remember wanting to make additional tools available to myself at one shop.
So, I modified a program which was called by a *owner authorized program to
grant me authorities. This was a long time ago and I don't really recall how
it worked out, but I remember feeling that the use of *owner authority could
really be dangerous.

Now, I don't recall actually doing this but I recall thinking it out. We had
a simple command line program (accept a line and QCMDEXC) for use by
programmers when working on menus which didn't offer command lines to users.
I could simply modify a menu option used by someone with the authority I was
after so that it would launch a compile to create a version of our cmdline
clp using *owner authority. Then later when I wanted to access stuff, I
could simply use that version of the program.

Now, I have seen a couple of places where using *owner authority worked out
and I know that it has great application, but I do think that it is one of
the things that should be audited closely. QSECOFR should be generating a
report on objects with *owner authority and an eye should be kept on how
they work.

Chris Rehm
javadisciple@earthlink.net 
If you believe that the best technology wins the
marketplace, you haven't been paying attention.


----- Original Message -----
From: "Boykie" <Midrange@KMTCINC.NET>
To: <RPG400-L@midrange.com>
Sent: Thursday, July 26, 2001 7:35 AM
Subject: Re: Programing Question/Authority...


> Or,
>
> opening up the door for a rogue programmer who thinks standards are for
> everyone else,,
>
> At 10:00 AM 7/26/2001, you wrote:
> >alan shore wrote:
> >
> ><Be careful which of the jobs adopt owner authority. It should only be the
> >job that needs it. Any job submitted from this job will also adopt that
> >owner's authority.>
> >
> >VERY good point Alan, because that could open up the door for rogue stuff
> >if a programmer was unaware of that !
> >
> >Chuck
> >
> > >
> > > >>> "Phil" <sublime78ska@yahoo.com> 07/25/01 06:13PM >>>
> > > If it is submitted to batch, use adopted authority *OWNER on the pgm that is
> > > submitted.
> > >
> > > The batch job will then have the authority of the object owner.
> > >
> > > Phil
> > >
> > > > -----Original Message-----
> > > > From: owner-rpg400-l@midrange.com [mailto:owner-rpg400-l@midrange.com] On
> > > > Behalf Of Chuck Lewis
> > > > Sent: Wednesday, July 25, 2001 5:16 PM
> > > > To: RPG400-L
> > > > Subject: Programing Question/Authority...
> > > >
> > > >
> > > > Hi Folks,
> > > >
> > > > Don't do this enough and can't for the LIFE of me figure it out...
> > > >
> > > > We are using 3rd party software and we can define "Fast Paths" that let
> > > > users run programs we write outside of the 3rd party suite.
> > > >
> > > > I have written a simple little RPG program that they call that prompts the
> > > > user for a date and then submits a CL to run the report. Initially I was
> > > > getting an error because the user is not authorized to the Submit
> > > > command. I fixed this with a Job Description. This second CL creates a
> > > > LF in QTEMP and then runs an RPG program to produce a listing. Well now
> > > > they can't create the LF because the submitted job is running under the
> > > > User Profile which does not have authority to do that.
> > > >
> > > > Is there an easy solution to this ? I've been buried in it now (along
> > > > with juggling a BUNCH of other stuff) and have some ideas but wanted to
> > > > avoid reinventing the wheel !
> > > >
> > > > Thanks,
> > > >
> > > > Chuck


+---
| This is the RPG/400 Mailing List!
| To submit a new message, send your mail to RPG400-L@midrange.com.
| To subscribe to this list send email to RPG400-L-SUB@midrange.com.
| To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
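
An added example, not part of the original thread or written by any of its participants: one way to produce the report on adopting programs that the thread asks for, using the IBM i CL commands DSPPGMADP and PRTADPOBJ. The library SECAUDIT, the file ADOPTRPT and the list of profiles checked are assumptions made for illustration.

```cl
/* Added example: collect every program that adopts the authority    */
/* of a few powerful profiles into one outfile for review.           */
/* SECAUDIT/ADOPTRPT and the profile list are assumptions; adjust    */
/* both for the system being audited.                                */
PGM
  DCL VAR(&OTHERS) TYPE(*CHAR) LEN(20) +
        VALUE('QSYS      QPGMR     ')   /* two 10-character names   */
  DCL VAR(&PRF)    TYPE(*CHAR) LEN(10)
  DCL VAR(&POS)    TYPE(*INT)  LEN(4)

  /* First profile replaces the previous run's data in the outfile.  */
  DSPPGMADP USRPRF(QSECOFR) OUTPUT(*OUTFILE) +
              OUTFILE(SECAUDIT/ADOPTRPT) OUTMBR(*FIRST *REPLACE)

  /* Remaining profiles are appended to the same member.             */
  DOFOR VAR(&POS) FROM(1) TO(11) BY(10)
    CHGVAR VAR(&PRF) VALUE(%SST(&OTHERS &POS 10))
    DSPPGMADP USRPRF(&PRF) OUTPUT(*OUTFILE) +
                OUTFILE(SECAUDIT/ADOPTRPT) OUTMBR(*FIRST *ADD)
    /* Skip a profile that does not exist or that the job running    */
    /* this program is not authorized to, instead of ending.         */
    MONMSG MSGID(CPF0000)
  ENDDO

  /* Spooled report across all profiles, limited to what changed     */
  /* since the previous PRTADPOBJ run, for regular review.           */
  PRTADPOBJ USRPRF(*ALL) CHGRPTONLY(*YES)
ENDPGM
```

Scheduling a program like this and comparing the outfile between runs shows newly created or recompiled programs that adopt a powerful profile, which is the kind of change described earlier in the thread.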




