RE: Subsystem ODP exploit (was setsppfp bug)

["Jose Luis Calvo" <jlcalvo@xxxxxxxxxxxxx>]

Could seclvl 40 be enough?

----- Original Message -----
From: Phil Hall <hallp@ssax.com>
To: <MI400@midrange.com>
Sent: Friday, June 09, 2000 4:04 PM
Subject: Subsystem ODP exploit (was setsppfp bug)


>
> [ FYI:I've changed the thread subject, because it isn't a bug in
setsppfp()
> but a issue with the ODP of the subsytem object. ]
>
> Dan,
>
> > Since the startup program can be secured, would this be a good interim
> step
> > until (if?) IBM fixes this bug?  Would you be willing to publish this
> > "eraser"?
>
> Now that this topic has reached a peak here's a simple no-code fix for
this
> that exists on every machine.
>
> Move to seclvl 50.
>
> To continue running the program @seclvl 50, the programs state needs to be
> changed to *SYSTEM. Although changing the state of programs is trivial, it
> does (unless the state changing is done properly) flag the object as
> modified and the command CHKOBJITG will find it.
>
> Running CHKOBJITG and also running queries on objects to find new ones
> running system state is already part of you security policies isn't it ;-)
>
> --phil
>
> +---
> | This is the MI Programmers Mailing List!
> | To submit a new message, send your mail to MI400@midrange.com.
> | To subscribe to this list send email to MI400-SUB@midrange.com.
> | To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator:
dr2@cssas400.com
> +---
>

+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---