


Well, isn't THAT special. We just went through a change making all
programs that are submitted to adopt the owner's authority. So far so
good. However, what is not so good is the "outdated" comment. 

Could you go into a little bit of detail about what you have done to not
need adoption? I would like to picture what kind of effort would be
required to accomplish what it is you are talking about.

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of David Morris
Sent: Thursday, September 07, 2006 12:30 PM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

Phil,

Adopted authority is nearly as outdated as limited capability. It
doesn't work well with triggers or IFS files and is incompletely
implemented. Adoption is ineffective in exits but based on your message
you may have overcome some of the limitations I have run up against. The
biggest reason to avoid adoption is that it is often implemented
incorrectly and is frequently the source of serious security problems. 

A few years back, I started using a technique that gives similar
function by swapping in or setting effective groups and supplemental
groups. 

--David Morris 

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Phil Ashe
Sent: Thursday, September 07, 2006 10:09 AM
To: Security Administration on the AS400 / iSeries
Subject: Re: [Security400] Commands for Limited Users

John:

...I have three basic problems with LMTCPB and commands. 
1) It's obsolete in that it hasn't been updated to check commands in
newer interfaces. [limited scope]
2) It's checked after the user has already been determined to have
object authority to the command.
3) It's difficult to find the LMTCPB "violations". They aren't placed in
the system audit journal. [more obsolescence]

...I would use adopted authority for access through the expected
application interfaces and use proxy commands to limit the use of EDTF
or DFU to well-defined views of the data, then take away the data rights
to the file. The object authority is still checked on the remote server
interfaces. If you need access to the file from one or more remote
servers, you can use exit programs to give you this authority...

Phil Ashe

_______________________________________________
This is the Security Administration on the AS400 / iSeries (Security400)
mailing list To post a message email: Security400@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at
http://archive.midrange.com/security400.




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
