


We do the same, I am not surprised. I confirm it is a great way of solving the problem, by the way, and it works well.

Allen



On Sep 21, 2021, at 12:55 PM, Chris Hird <chrish@xxxxxxxxxxxxxxxxxx> wrote:

The reason is security enforcement. You can use any user to sign onto the IBM i from a remote web request; swapping the profile to the person who signed on ensures that they only have rights that are afforded when signed directly onto the IBM i. Otherwise the profile the job is running under is used for authority and that can either be too little or too much. Profile swapping is very valid for this purpose. Plus it helps with password checking.

Yes, you can switch profiles on other platforms (Linux is using the sudo or su command, Windows is by using the ability to use the admin user to run the request etc.).

Chris...

-----Original Message-----
From: C400-L <c400-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Richard Schoen
Sent: September 21, 2021 1:06 PM
To: c400-l@xxxxxxxxxxxxxxxxxx
Subject: Re: [C400-L] User Profile handling in ancient release(s)

What's the reason for switching profiles?

No other platform does this that I'm aware of.

In general a daemon job or web server/service generally runs under a specific server/daemon user profile and then all work is done under that user.

However, on IBMi you can certainly authenticate via the user profile check API; I would not be switching user profiles.

Unless you have a specific reason to do so.

I did this with a product several years back for recreating spool files with the right user and it forced us to store user/password combos in a table. Ugh.

Regards,
Richard Schoen
Web: http://www.richardschoen.net
Email: richard@xxxxxxxxxxxxxxxxx

----------------------------------------------------------------------

message: 1
date: Mon, 20 Sep 2021 19:32:00 +0200
from: Patrik Schindler <poc@xxxxxxxxxx>
subject: [C400-L] User Profile handling in ancient release(s)

Hello,

Lately I was following the blog of Chris Hird to learn about "daemon programming". He provides a great example with a main task (testsvr) spawning a worker task (worker) on request.

https://www.shieldadvanced.com/Blog/ibm-i/lets-c-integration-with-security/

For switching the user profile on the fly, he uses functions from qsyphandle.h. These functions aren't available on OS/400 V4R5.

POSIX setuid() doesn't work, because the function isn't referenced in sys/types.h, nor in unistd.h (as it's in Linux).

Does anybody remember how user switching was done two decades ago in OS/400?

:wq! PoC



--
This is the Bare Metal Programming IBM i (AS/400 and iSeries) (C400-L) mailing list
To post a message email: C400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/c400-l
or email: C400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/c400-l.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.