Brad,

As Steve Glanstein mentioned, at level 30 it is possible (some say easy) to acquire QSECOFR authority through the use (mis-use really) of pointers. It used to be that you had to use MI or C to do this, but Steve's post reminds me that RPG ILE can do this as well (See Brad, you're right, RPG can do it all! :).

There is also the issue of user profiles attached to JOBDs. At QSECURITY level 30 a user needs *USE authority to a JOBD and does not require any authority to the profile that is attached to it. At QSECURITY level 40, the user must have *USE to the JOBD and *USE to the profile.

If you do a quick look at your system, you'll see several JOBDs with at least QPGMR attached. You'll also likely find a number of vendor JOBDs with powerful profiles attached. I know of a utility package that ships with QSECOFR and QSYS (among others) attached to profiles.

There is also the very real risk of someone restoring a JOBD (with powerful profile attached) to your system. With cheap AS/400s available (I bought a B10 for a buck once), it's a very real possibility.

Any exposure where someone can assume the identity of a super user should be treated as extremely dangerous. I've said it before, but an *ALLOBJ user cannot be stopped from doing anything on your system. Level 30 Security provides ways for someone with a little knowledge (the ability to read a web-site) the ability to acquire *ALLOBJ authority.

jte

"Stone, Brad V (TC)" wrote:
> > Do not ignore this post. Pay close attention. Level 30 is completely
> > inadequate for AS/400 security. If you're at Level 30, don't indulge yourself
> > in the smugness of "Object Level" security, it just isn't adequate for an
> > e-business world.
>
> John,
>
> Would you mind expanding? I'd like to know more because if you have object
> level security, HTTP configs and decent TCPIP exit programs (maybe not even
> these), you're covered.
>
> Specific examples if you have. I'm not looking for "if everyone has *ALLOBJ
> authority and your HTTP directive is Pass /*" you're in trouble. Maybe what
> is it in ebusiness that 40 or 50 will handle that 30 won't if object level
> security is set up in each case.
>
> Brad
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---

--
John Earl
johnearl@400security.com
The PowerTech Group
206-575-0711
PowerLock Network Security
www.400security.com
--
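A defender's check for the JOBD exposure John describes, added here as an example that is not part of the original post or of any PowerTech product: it assumes a current IBM i with the QSYS2.JOB_DESCRIPTION_INFO, QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO SQL services (these did not exist on the OS/400 releases discussed in the thread) and lists every job description that names a user profile and that *PUBLIC can use, together with the special authorities of that profile. Any row naming an *ALLOBJ profile is the level 30 exposure in the post; at level 40 the same row still needs *USE on the profile, so the finding is lower but not gone.

```sql
-- Constructed audit query, not from the original post. Assumes IBM i with
-- the QSYS2 SQL services; view and column names are as understood by the
-- author of this example, verify them against your release's documentation.
-- Goal: find JOBDs that carry a user profile and that *PUBLIC can submit
-- jobs under (*USE or better), i.e. the level 30 identity-borrowing path.
WITH jobd AS (
  SELECT job_description_library AS lib,
         job_description         AS jobd,
         authorization_name      AS jobd_user
  FROM   qsys2.job_description_info
  WHERE  authorization_name IS NOT NULL
  AND    authorization_name <> '*RQD'   -- *RQD: submitter must supply the user, no profile attached
),
public_auth AS (
  SELECT object_schema    AS lib,
         object_name      AS jobd,
         object_authority AS public_authority
  FROM   qsys2.object_privileges
  WHERE  object_type        = '*JOBD'
  AND    authorization_name = '*PUBLIC'
  AND    object_authority  IN ('*USE', '*CHANGE', '*ALL')
)
SELECT j.lib,
       j.jobd,
       j.jobd_user,
       p.public_authority,
       COALESCE(u.special_authorities, '') AS special_authorities,
       CASE
         WHEN COALESCE(u.special_authorities, '') LIKE '%*ALLOBJ%'
           THEN 'CRITICAL: *PUBLIC can submit jobs as an *ALLOBJ profile'
         WHEN TRIM(COALESCE(u.special_authorities, '')) <> ''
           THEN 'HIGH: attached profile carries special authorities'
         ELSE 'REVIEW: attached profile reachable by *PUBLIC'
       END AS finding
FROM   jobd j
JOIN   public_auth p
  ON   p.lib  = j.lib
 AND   p.jobd = j.jobd
LEFT JOIN qsys2.user_info u
  ON   u.authorization_name = j.jobd_user
ORDER BY finding, j.lib, j.jobd;
```

The usual remediation for a CRITICAL row is CHGOBJAUT on the JOBD to *PUBLIC *EXCLUDE (or CHGJOBD USER(*RQD)), and on level 40 and above the same query can be repeated with OBJECT_TYPE = '*USRPRF' to see which users hold *USE on the attached profile itself.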
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.