My understanding is that it STILL will run under the authority of the userID in the connection. So, yeah, if you had an app that routinely used QSECOFR to connect, this would be a gaping security hole. But, we use a user ID with minimal authority and the program that is called has *OWNER authority and that owner has access to the DB and not much else.

Exit programs can also control behavior of submitted CL calls and stored procedures.

Pete Helgren


Rich Duzenbury wrote:

On Mon, 2006-01-09 at 08:39 -0800, Coy Krill wrote:
Here is the SQL code you can execute either via JDBC or directly on the
iSeries. I've never tried calling QCMDEXC and was definitely under the
impression that a wrapper such as this is necessary. I believe this is close
to nearly identical to something published in one of the iSeries reference
manuals or a redbook. Change WIBRUN to be whatever library you want to
create the stored procedure in.

-- Allows Execution of CL Commands from SQL
CREATE PROCEDURE WIBRUN.CMDEXC(CMD CHAR(32000), LEN DECIMAL(15, 5))
LANGUAGE CL
NOT DETERMINISTIC
NO SQL
EXTERNAL NAME QSYS.QCMDEXC
PARAMETER STYLE GENERAL;

Hmm.  'SQL allows remote command execution' sounds suspiciously like
something we would normally read about on the CERT web site.  This is a
feature?
What has to be done to turn it off?

Regards,
Rich
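
An added example, not part of the original thread: one way to audit for wrappers like the WIBRUN.CMDEXC procedure quoted above and to restrict who may call it, in line with the minimal-authority approach described in the reply. The profile name APPADMIN is hypothetical; QSYS2.SYSROUTINES is the Db2 for i catalog view of registered routines.

```sql
-- Added example (not from the thread). APPADMIN is a hypothetical profile.

-- 1. Audit: list every SQL procedure or function registered over QCMDEXC,
--    in any library, so unexpected wrappers can be reviewed.
SELECT ROUTINE_SCHEMA,
       ROUTINE_NAME,
       SPECIFIC_NAME,
       ROUTINE_TYPE,
       EXTERNAL_NAME
  FROM QSYS2.SYSROUTINES
 WHERE UPPER(EXTERNAL_NAME) LIKE '%QCMDEXC%'
 ORDER BY ROUTINE_SCHEMA, ROUTINE_NAME;

-- 2. Restrict: remove the default public right to call the wrapper
--    created by the CREATE PROCEDURE statement shown above.
REVOKE EXECUTE ON PROCEDURE WIBRUN.CMDEXC FROM PUBLIC;

-- 3. Allow only the one profile that has a documented need to call it.
GRANT EXECUTE ON PROCEDURE WIBRUN.CMDEXC TO APPADMIN;

-- 4. If the wrapper is not needed at all, remove it.
--    (Commented out so the script can be run as an audit first.)
-- DROP PROCEDURE WIBRUN.CMDEXC;
```

Restricting the wrapper does not stop a profile that can create procedures from registering its own, so the authority of the connecting user ID remains the control that matters, as the reply above points out.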



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
