|
midrange.com
Making sure *PUBLIC (and any evil programmers' :-) ) have only *USE
access to QHLPSYS & QUSRSYS should suffice, instead of moving them to
the bottom of your library list (ie. prevent someone putting stuff in
there in the first place, then you don't need to worry about an
alternate version of a program being run from there). This is
especially important if your system is pre V3R2 (CISC) or pre V3R7
(RISC).
And if you come back and say your programmers have *ALLOBJ authority
which would allow them access to make changes in QUSRSYS & QHLPSYS, then
you really have no security to worry about compromising do you ? :-)
The "user" information in QUSRSYS are things like:
System Directory Entries
Distribution Lists
Personal Directories
OV/400 files (registration, calendars, nicknames, supplemental spelling
dictionaries etc.)
Files that contain the 'indexes' into the Folders/Documents in the QDOC
library
(which is why it helps to ALWAYS do a SAVLIB QUSRSYS at the same
time as
a SAVDLO *ALL - it could save you time if you need to restore
it all).
SNADS Distribution Queues
TCP/IP configurations (Host tables, SMTP, POP, HTTP, LPD etc. configs)
IPX configurations
Server storage configuration
Journals & Journal Receivers
Output Queues created by auto-config when a printer device is created
Message queues created for user profiles
System Job Scheduler
Data areas used by IBM products
Data areas for ECS & TIE phone numbers
Data areas with user options for certain PTF's
Files used by Facsimile Support/400 & other IBM products
Data from RTVDSKINF
Data from running the Upgrade Assistant (CISC to RISC)
Other 'user' specific info on the system
Basically all user data contained in IBM supplied files. You shouldn't
be using QSUSRSYS to store your own programs and files. (Leave that to
QGPL - the QGarbagePailLibrary).
... Neil Palmer AS/400~~~~~
... NxTrend Technology - Canada ____________ ___ ~
... Thornhill, Ontario, Canada |OOOOOOOOOO| ________ o|__||=
... Phone: (905) 731-9000 x238 |__________|_|______|_|______)
... Cell.: (416) 565-1682 x238 oo oo oo oo OOOo=o\
... Fax: (905) 731-9202 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
... mailto:NPalmer@NxTrend.com http://www.NxTrend.com
-----Original Message-----
From: John Earl [SMTP:johnearl@lns400.com]
Sent: Thursday, December 11, 1997 1:23 AM
To: MIDRANGE-L@midrange.com
Subject: Re: Library List.
At 09:39 PM 12/9/97 -0500, you wrote:
>"...for security reasons..."????? What security concerns would
have you move
>these 2 system libraries to the bottom of the user list?
>
Walden,
For starters, prior to V3R7 both libraries came shipped with
*PUBLIC
authority *CHANGE, which means that a body could add a program
to this
library that would get invoked instead of some legitimate
program. This can
be a security exposure when you have any sort of security rules
enforced by
a program (which is common). A classic example would be the
joe-programmer
that puts a near replica of the payroll program in QUSRSYS, with
a minor
modification that enriches the programmer in some way. When
Jane-payroll-clerk runs payroll, he calls joe-programmer's bogus
version (by
virtue of it's place in the library list) and perfoms the dirty
deed under
her own profile. There are even simpler and more damaging
versions of this
hack, but you get the idea. Hacks like this can be difficult to
detect.
I've worked at a couple of banks where all ad-hoc manipulations
of the
library list were prohibited. No ADDLIBLE, no CHGLIBLE, no
CHGJOBD, etc.
Any program that had the ability to manipulate the library list
was
scrutinized intensly.
It's kind of a new concept to those of us who grew up using and
loving
library lists, but it is a fact of AS/400 security.
jte
>-Walden
>-----Original Message-----
>From: MCPARTLAND, Stan <stanley.mcpartland@bently.com>
>To: 'MIDRANGE-L@midrange.com' <MIDRANGE-L@midrange.com>
>Date: Tuesday, December 09, 1997 3:26 PM
>Subject: RE: Library List.
>
>
>>If my memory serves me right, QUSRSYS and QHLPSYS first showed
up in
>>1988 on the AS/400. They were not present on the S/38. We
have moved
>>both libraries to the bottom of the user portion of the
library list
>>for security reasons. Some third party software has
difficulties with
>>this, especially in the installation routines. They replace
the user
>>portion of the library list and assume that QUSRSYS and
QHLPSYS are in
>>the system portion of the library list. As long as you are
aware of
>>this and investigate before running the installation you
should not
>>have any problems.
>>
>>Regards,
>>Stan
>>------------------------------------------
>>Stanley A. McPartland
>>Bently Nevada Corporation
>>1617 Water St; Minden, NV 89423 USA
>>Voice: (702) 782-9339 Fax: (702) 782-1382
>>E-mail: stanley.mcpartland@bently.com
>>------------------------------------------
--
John Earl Lighthouse Software Inc.
8514 71st NW Gig Harbor, WA 98335
253-858-7388 johnearl@lns400.com
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
