|
SOOO True Rob, And there are a TON of shops out there that are CLUE LESS to this "backdoor" approach (backdoor in that it is not done via an old style green screen/menu screen deal)... At my last job, we had some consultants in. They came to me (the security) and said that I needed to GRTOBJAUT *ALL to a bunch of libraries and I said no I didn't (politely of course - I thought he was pulling my leg). He went to my boss an "tattled" on me and I was TOLD to do it. I TRIED to make my point that this was NOT the proper way to do it, that they needed to figure out their problems that RIGHT way (and not GRTOBJAUT every time there was a problem) but I lost. This was a number of years back. I did state that this would come back to haunt us and that I would NOT be responsible (although I would have been the one stuck with doing the restores...). That was in the early days of ODBC. Latter on I was SURE to take the steps so secure the IFS as best as I could (with the documented stuff). Flash back to last year and FTP. Get "library" "filename" and BOOM, the file is on my PC in seconds. I showed this to a trusted cohort as proof of what could happen and he was stunned. Yep, TRY to recover from a mistake like *ALLOBJ... Chuck Rob Berendt wrote: > While I think that running at less than level 30 is ridiculous I'd like to >bring > up a point. The way most people implement security, they might as well be >running at level 20. > > Typical scenario: > Several libraries are owned by a group profile, let's use SSA for an example. > All the users have SSA as their group profile, (unless they are using the >other > package on the system to do their accounting). > Therefore all of the users, (at least the SSA users) have *ALL access to all >of > the files owned by SSA. > Security officer says I'm secure. I only allow them to access via menus. > Some user then downloads the file using Client Access. > Another user uses ftp from their PC to get to the data. > Another user, using NT and Client Access, clicks on start, run, and then >types in RMTCMD DLTF library/ECLL01 > Test this with rmtcmd sndmsg 'test' rob > Another user ... > > There are work arounds to limit this. Such as exit point programming. >Another method > is to change all of the green screen programs to adopt the authority of SSA >and change > the users to some other group profile. I've known companies who do this. I >don't know > what they do for the limited grey screen programs they use. > > lbruck@pmigroup.com on 03/30/99 04:32:20 PM > Please respond to MIDRANGE-L@midrange.com@Internet > To: dr2@cssas400.com@Internet, ipacsjj@public.sta.net.cn@Internet > cc: MIDRANGE-L@midrange.com@Internet > > Subject: Re: USRCLS(*USER) = *ALLOBJ....??? > > If your business partner wants you at 20, I'd find a new business partner >that knows something about the AS/400 and security. > > Thank, > > Laurin Bruck > Technical Services > > >>> Don <dr2@cssas400.com> 10:53:17 AM 3/30/99 >>> > > > > If your AS/400 system security level is 10 or 20, the user that > > their USRCLS is *USER has the special authority *ALLOBJ. > > Otherwise, they have not. > > > > Perhaps, but I'm at 30 ! This "business parter" would like for me to be > at 20...but he got over ruled! > > Don in DC > > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.