Does this apply to the e-business world in particular, or if someone actually gains access to your machine?

Brad

> -----Original Message-----
> From: John Earl [mailto:johnearl@400security.com]
> Sent: Thursday, June 15, 2000 7:04 PM
> To: MIDRANGE-L@midrange.com
> Subject: Re: DMPSYSOBJ, SETSPFP, etc.
>
> Brad,
>
> As Steve Glanstein mentioned, at level 30 it is possible (some say easy) to
> acquire QSECOFR authority through the use (mis-use really) of pointers. It
> used to be that you had to use MI or C to do this, but Steve's post reminds
> me that RPG ILE can do this as well (See Brad, you're right, RPG can do it
> all! :).
>
> There is also the issue of user profiles attached to JOBDs. At QSECURITY
> level 30 a user needs *USE authority to a JOBD and does not require any
> authority to the profile that is attached to it. At QSECURITY level 40, the
> user must have *USE to the JOBD and *USE to the profile. If you do a quick
> look at your system, you'll see several JOBDs with at least QPGMR attached.
> You'll also likely find a number of vendor JOBDs with powerful profiles
> attached. I know of a utility package that ships with QSECOFR and QSYS
> (among others) attached to profiles.
>
> There is also the very real risk of someone restoring a JOBD (with powerful
> profile attached) to your system. With cheap AS/400's available (I bought a
> B10 for a buck once), it's a very real possibility.
>
> Any exposure where someone can assume the identity of a super user should be
> treated as extremely dangerous. I've said it before, but an *ALLOBJ user
> cannot be stopped from doing anything on your system. Level 30 security
> provides ways for someone with a little knowledge (the ability to read a
> web-site) the ability to acquire *ALLOBJ authority.
>
> jte
>
>
> "Stone, Brad V (TC)" wrote:
>
> > > Do not ignore this post. Pay close attention. Level 30 is completely
> > > inadequate for AS/400 security. If you're at Level 30, don't indulge
> > > yourself in the smugness of "Object Level" security, it just isn't
> > > adequate for an e-business world.
> >
> > John,
> >
> > Would you mind expanding? I'd like to know more because if you have object
> > level security, HTTP configs and decent TCP/IP exit programs (maybe not
> > even these), you're covered.
> >
> > Specific examples if you have. I'm not looking for "if everyone has
> > *ALLOBJ authority and your HTTP directive is Pass /*" you're in trouble.
> > Maybe what is it in e-business that 40 or 50 will handle that 30 won't if
> > object level security is set up in each case.
> >
> > Brad
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator: david@midrange.com
> > +---
>
> --
> John Earl                johnearl@400security.com
> The PowerTech Group      206-575-0711
> PowerLock Network Security   www.400security.com
> --
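The JOBD exposure John Earl describes above (at QSECURITY 30 a submitter needs *USE to the JOBD and nothing to the attached profile; at 40 and above, *USE to both) is easy to model, and the model doubles as the "quick look at your system" he suggests. The following is an added example written for this archive page; it is not code from the thread, from John Earl or from PowerTech. The data classes, the field names, the constructed inventory of profiles and JOBDs, and the simplified authority lookup (no group profiles, authorization lists or adopted authority) are all assumptions made for illustration; the authority names (*EXCLUDE, *USE, *CHANGE, *ALL, *ALLOBJ) and the USER(*RQD) meaning are the OS/400 ones.

```python
"""Added example (not from the mailing-list thread): model the JOBD authority
check for QSECURITY level 30 versus 40, then audit a constructed JOBD
inventory for the "powerful profile attached" exposure.

Assumptions: the classes, field names and sample inventory below are invented
for illustration; group profiles, authorization lists and adopted authority
are deliberately left out of the authority lookup.
"""
from dataclasses import dataclass, field

# Rank object authorities so "at least *USE" is a single comparison.
OBJ_AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass(frozen=True)
class Profile:
    name: str
    special_authorities: frozenset = frozenset()      # e.g. {"*ALLOBJ", "*SECADM"}
    public_authority: str = "*EXCLUDE"                 # *PUBLIC authority to the *USRPRF object
    private_authorities: dict = field(default_factory=dict)  # user -> authority


@dataclass(frozen=True)
class Jobd:
    library: str
    name: str
    user: str                                          # USER parameter: profile name or "*RQD"
    public_authority: str = "*USE"                     # *PUBLIC authority to the *JOBD object
    private_authorities: dict = field(default_factory=dict)


def authority_to(obj, user, profiles):
    """Effective object authority of `user` to `obj` (a Jobd or a Profile).

    An *ALLOBJ user is never stopped (John Earl's point); otherwise a private
    authority wins over the *PUBLIC authority.
    """
    if "*ALLOBJ" in profiles[user].special_authorities:
        return "*ALL"
    return obj.private_authorities.get(user, obj.public_authority)


def has_at_least_use(obj, user, profiles):
    return OBJ_AUTH_RANK[authority_to(obj, user, profiles)] >= OBJ_AUTH_RANK["*USE"]


def can_submit_under(jobd, user, qsecurity, profiles):
    """Can `user` submit a job that runs under the profile attached to `jobd`?

    Level 30: *USE to the JOBD is enough; the attached profile is not checked.
    Level 40/50: *USE to the JOBD and *USE to the attached profile.
    USER(*RQD) runs the job as the submitter, so there is nothing to gain.
    """
    if jobd.user == "*RQD":
        return False
    if not has_at_least_use(jobd, user, profiles):
        return False
    if qsecurity >= 40 and not has_at_least_use(profiles[jobd.user], user, profiles):
        return False
    return True


def privilege_gain(jobd, user, profiles):
    """Special authorities the submitter picks up by running as the JOBD's profile."""
    if jobd.user == "*RQD":
        return frozenset()
    return profiles[jobd.user].special_authorities - profiles[user].special_authorities


def exposed_jobds(jobds, user, qsecurity, profiles):
    """JOBDs `user` can submit under that lend special authorities the user
    lacks, *ALLOBJ exposures first. Returns (lib/name, attached user, gain)."""
    hits = []
    for jobd in jobds:
        if can_submit_under(jobd, user, qsecurity, profiles):
            gain = privilege_gain(jobd, user, profiles)
            if gain:
                hits.append((f"{jobd.library}/{jobd.name}", jobd.user, sorted(gain)))
    hits.sort(key=lambda h: ("*ALLOBJ" not in h[2], h[0]))
    return hits


# Constructed sample inventory: profiles, authorities and JOBDs are invented.
PROFILES = {
    "QSECOFR": Profile("QSECOFR", frozenset({"*ALLOBJ", "*SECADM", "*JOBCTL"})),
    "QPGMR": Profile("QPGMR", frozenset({"*JOBCTL"})),
    "WEBUSER": Profile("WEBUSER"),  # low-privilege profile, as an HTTP server job might use
}

JOBDS = [
    Jobd("QGPL", "QBATCH", "*RQD"),                                    # runs as the submitter
    Jobd("QGPL", "QPGMRJOBD", "QPGMR"),                                # *PUBLIC *USE, QPGMR attached
    Jobd("VENDLIB", "VENDJOBD", "QSECOFR"),                            # the vendor-package case
    Jobd("PAYLIB", "PAYJOBD", "QSECOFR", public_authority="*EXCLUDE"),  # locked down
]

if __name__ == "__main__":
    for level in (30, 40):
        print(f"QSECURITY {level}:", exposed_jobds(JOBDS, "WEBUSER", level, PROFILES))
```

With the constructed inventory, WEBUSER at level 30 can submit under VENDJOBD and land with *ALLOBJ, and under QPGMRJOBD for *JOBCTL; at level 40 both are blocked because *PUBLIC has *EXCLUDE to the QSECOFR and QPGMR profile objects. To run the same audit against a real machine, fill the inventory from DSPJOBD (the USER value), DSPOBJAUT OUTPUT(*OUTFILE) for the JOBD and profile objects, and DSPUSRPRF OUTPUT(*OUTFILE) for special authorities; the model says nothing about the pointer-abuse route or a restored JOBD, which is why the thread treats level 30 as inadequate even when every JOBD in the list comes back clean.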
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.