Hi Scott, Can't your scenario be handled by not allowing access to the CHGSYSLIBL command, nor to WRKSYSVAL, and by securing QSYS? *CURLIB in my experience comes after the system portion of the library list, as do product libraries and user libraries. If the untrusted user cannot change the library list of QSECOFR's job, it's unlikely they'd be able to have QSECOFR run their version of CRTPF (or any other system command). Regards, Peter Dow Dow Software Services, Inc. 909 425-0194 voice 909 425-0196 fax ----- Original Message ----- From: "Scott Klement" <firstname.lastname@example.org> To: <MIDRANGE-L@midrange.com> Sent: Thursday, January 25, 2001 11:36 AM Subject: Re: your mail > > IMHO, hardcoding QSYS is a GOOD thing. > > An "ordinary user" on your system might be able to create his own version > of CRTPF on your system, and put it somewhere high in the library list (or > even in *CURLIB). Lets say he made a version of CRTPF that simply ran a > CL program that gave him *ALLOBJ authority, and then ran the normal CRTPF. > > When a QSECOFR or other *ALLOBJ account does a CRTPF, the untrustworthy > user has just given himself *ALLOBJ authority. > > Remember that IBM sells AS/400's to people in many situations. Some of > them are running timeshare services where complete strangers are given > accounts. Or people from other companies... or other "untrusted" > people. > > > On Thu, 25 Jan 2001, Maarten Vries, de wrote: > > > Hi > > > > In our enviroment the QSYS/CRTPF has public *exclude and higher in the > > librarylist another command with CRTPF has public *use. > > > > When we use FTP and issue a get and the file is not there the program > > creates a PF, however it is trying to use the QSYS/CRTPF instead of the > > other CRTPF that is higher in the system library list. > > Can anyone tell me why IBM has chosen to hardcode the QSYS/CRTPF instead of > > *LIBL/QSYS? > > > > Maarten > > > > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: email@example.com > +--- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: firstname.lastname@example.org +---
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.