Hi Scott,

Can't your scenario be handled by not allowing access to the CHGSYSLIBL
command, nor to WRKSYSVAL, and by securing QSYS? *CURLIB in my experience
comes after the system portion of the library list, as do product libraries
and user libraries. If the untrusted user cannot change the library list of
QSECOFR's job, it's unlikely they'd be able to have QSECOFR run their
version of CRTPF (or any other system command).

Regards,
Peter Dow
Dow Software Services, Inc.
909 425-0194 voice
909 425-0196 fax


----- Original Message -----
From: "Scott Klement" <klemscot@klements.com>
To: <MIDRANGE-L@midrange.com>
Sent: Thursday, January 25, 2001 11:36 AM
Subject: Re: your mail


>
> IMHO, hardcoding QSYS is a GOOD thing.
>
> An "ordinary user" on your system might be able to create his own version
> of CRTPF on your system, and put it somewhere high in the library list (or
> even in *CURLIB). Let's say he made a version of CRTPF that simply ran a
> CL program that gave him *ALLOBJ authority, and then ran the normal CRTPF.
>
> When a QSECOFR or other *ALLOBJ account does a CRTPF, the untrustworthy
> user has just given himself *ALLOBJ authority.
>
> Remember that IBM sells AS/400's to people in many situations.  Some of
> them are running timeshare services where complete strangers are given
> accounts.   Or people from other companies...   or other "untrusted"
> people.
>
>
> On Thu, 25 Jan 2001, Maarten Vries, de wrote:
>
> > Hi
> >
> > In our environment the QSYS/CRTPF has public *exclude and higher in the
> > library list another command with CRTPF has public *use.
> >
> > When we use FTP and issue a get and the file is not there the program
> > creates a PF, however it is trying to use the QSYS/CRTPF instead of the
> > other CRTPF that is higher in the system library list.
> > Can anyone tell me why IBM has chosen to hardcode the QSYS/CRTPF instead
> > of *LIBL/QSYS?
> >
> > Maarten
> >
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
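
Added example, not part of either message or of IBM's code: a small Python model of the search order the thread relies on (system portion, product libraries, *CURLIB, user portion), showing when an unqualified CRTPF resolves to a copy outside QSYS and why the qualified QSYS/CRTPF does not. USERLIB, SITECMD and the object placements are constructed, and object authority is not modelled.

```python
# Added illustration: model of library-list search order for an unqualified command name.
# QSYS, QSYS2 and QGPL are real library names; USERLIB, SITECMD and the object
# placements are constructed. Authority (e.g. *PUBLIC *EXCLUDE) is not modelled.
SEARCH_ORDER = ("system", "product", "current", "user")

def search_path(libl):
    """Flatten a job's library list into the order it is searched."""
    return [lib for portion in SEARCH_ORDER for lib in libl.get(portion, ())]

def resolve(command, libl, objects, qualifier="*LIBL"):
    """Return the library whose copy of `command` runs, or None if not found."""
    if qualifier != "*LIBL":  # qualified name such as QSYS/CRTPF: the list is ignored
        return qualifier if command in objects.get(qualifier, ()) else None
    for lib in search_path(libl):
        if command in objects.get(lib, ()):
            return lib
    return None

def shadows(command, libl, objects, trusted="QSYS"):
    """Libraries holding `command` that are searched before `trusted`."""
    path = search_path(libl)
    ahead = path[:path.index(trusted)] if trusted in path else path
    return [lib for lib in ahead if command in objects.get(lib, ())]

OBJECTS = {"QSYS": {"CRTPF"}, "USERLIB": {"CRTPF"}, "SITECMD": {"CRTPF"}}

# Copy sits in *CURLIB, which is searched after the system portion.
CURLIB_CASE = {"system": ["QSYS", "QSYS2"], "current": ["USERLIB"], "user": ["QGPL"]}
# Copy's library has been placed ahead of QSYS in the system portion.
AHEAD_CASE = {"system": ["USERLIB", "QSYS", "QSYS2"], "user": ["QGPL"]}
# A site library is deliberately listed before QSYS, as in the original question.
SITE_CASE = {"system": ["SITECMD", "QSYS", "QSYS2"], "user": ["QGPL"]}

if __name__ == "__main__":
    for name, libl in (("curlib", CURLIB_CASE), ("ahead", AHEAD_CASE), ("site", SITE_CASE)):
        print(name, "unqualified ->", resolve("CRTPF", libl, OBJECTS),
              "| QSYS/CRTPF ->", resolve("CRTPF", libl, OBJECTS, "QSYS"),
              "| ahead of QSYS:", shadows("CRTPF", libl, OBJECTS))
```

A non-empty result from `shadows` is the condition to audit for: a same-named command in a library searched before QSYS.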

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
