• Subject: RE: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM
  • From: "Gary Monnier" <garymon@xxxxxxxxxxxxxxx>
  • Date: Fri, 26 Jan 2001 13:01:20 -0800
  • Importance: Normal

Next steps are to

1. Determine why program EX400C requires adopting AMAPICS authority.
2. Determine what authorities user profile AMAPICS has.
3. Does AMAPICS really need that much authority?

--
Gary Monnier               garymon@400security.com
The PowerTech Group        253.872.7788
PowerLock Network Security www.400security.com


-----Original Message-----
From: owner-midrange-l@midrange.com [mailto:owner-midrange-l@midrange.com] On Behalf Of Burns, Bryan
Sent: Friday, January 26, 2001 12:07 PM
To: MIDRANGE-L@midrange.com
Subject: RE: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM


Removing command line access is not an option.
We are at QSECURITY level 30.
Here are most profile attributes and a DSPPGM of the initial menu.



User profile . . . . . . . . . . > JILLH
 User password  . . . . . . . . .   *SAME
 Set password to expired  . . . .   *NO
 Status . . . . . . . . . . . . .   *ENABLED
 User class . . . . . . . . . . .   *USER
 Assistance level . . . . . . . .   *SYSVAL
 Current library  . . . . . . . .   *CRTDFT
 Initial program to call  . . . .   EX400C
   Library  . . . . . . . . . . .     ECALIB
 Initial menu . . . . . . . . . .   *SIGNOFF
   Library  . . . . . . . . . . .
 Limit capabilities . . . . . . .   *PARTIAL

    Special authority  . . . . . . .   *NONE
                + for more values
 Special environment  . . . . . .   *NONE
 Display sign-on information  . .   *YES
 Password expiration interval . .   *SYSVAL
 Limit device sessions  . . . . .   *NO
 Keyboard buffering . . . . . . .   *SYSVAL
 Maximum allowed storage  . . . .   *NOMAX
 Highest schedule priority  . . .   3
 Job description  . . . . . . . .   QDFTJOBD
   Library  . . . . . . . . . . .     QGPL
 Group profile  . . . . . . . . .   *NONE
 Owner  . . . . . . . . . . . . .   *USRPRF

Group authority  . . . . . . . .   *NONE
 Group authority type . . . . . .   *PRIVATE
 Supplemental groups  . . . . . .   *NONE
                + for more values
 Accounting code  . . . . . . . .   *BLANK
 Document password  . . . . . . .   *SAME
 Message queue  . . . . . . . . .   JILLH
   Library  . . . . . . . . . . .     QUSRSYS
 Delivery . . . . . . . . . . . .   *NOTIFY
 Severity code filter . . . . . .   0
 Print device . . . . . . . . . .   PRTP0
 Output queue . . . . . . . . . .   *WRKSTN
   Library  . . . . . . . . . . .
 Attention program  . . . . . . .   *NONE
   Library  . . . . . . . . . . .





Program  . . . . . . . :   EX400C        Library  . . . . . . . :   ECALIB

 Owner  . . . . . . . . :   AMAPICS

 Program attribute  . . :   CLP



 Program creation information:

   Program creation date/time . . . . . . . . . . . :   10/03/96  10:00:16

   Type of program  . . . . . . . . . . . . . . . . :   OPM

   Source file  . . . . . . . . . . . . . . . . . . :   SOURCE

     Library  . . . . . . . . . . . . . . . . . . . :     ECALIB

   Source member  . . . . . . . . . . . . . . . . . :   EX400C

   Source file change date/time . . . . . . . . . . :   10/03/96  09:59:36

   Observable information . . . . . . . . . . . . . :   *ALL

   User profile . . . . . . . . . . . . . . . . . . :   *OWNER

   Use adopted authority  . . . . . . . . . . . . . :   *YES

   Log commands (CL program)  . . . . . . . . . . . :   *JOB

   Allow RTVCLSRC (CL program)  . . . . . . . . . . :   *YES

   Fix decimal data . . . . . . . . . . . . . . . . :   *NO



Bryan Burns
Echo, Inc.
Lake Zurich, IL
Burnsbm@echoincorporated.com

        -----Original Message-----
        From:   fiona.fitzgerald@notes.royalsun.com [SMTP:fiona.fitzgerald@notes.royalsun.com]
        Sent:   Friday, January 26, 2001 11:09 AM
        To:     MIDRANGE-L@midrange.com
        Subject:        Re: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM


        Bryan,
             If the user doesn't need a command line, you could change their
        profile to LMTCPB(*YES), which will prevent them from invoking a
        command line.
        Might the initial object be owned by a profile with *SECADM
        authority? They might be inheriting authority from it? Do they have
        an initial pgm or an initial menu? I'd like to see all the usrprf
        attributes.

        By the way, what security level are you at? (DSPSYSVAL QSECURITY).

        Fiona Fitzgerald,
        Dublin


        Bryan Burns wrote:

        We have a user profile with special authority *NONE that can do a
        CHGUSRPRF and add *SECADM special authority to another profile.  This
        is done from a command line on the initial menu.  This initial menu
        has three options: EXECUTE OFFICE, EXECUTE MAPICS, and SIGN OFF.

        How is this possible?  We are on V4R4 and at cume level CO252440.

        The profile in question has USER CLASS *USER, GROUP PROFILE *NONE,
        OWNER *USRPRF and LIMIT CAPABILITIES *PARTIAL.

        I think this may be due to adopted authority, but I am not a
        programmer and I have dug as far as I can into this.  Can someone
        shed some light on this?


        +---
        | This is the Midrange System Mailing List!
        | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
        | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
        | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
        | Questions should be directed to the list owner/operator: david@midrange.com
        +---
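
The three next steps at the top of this thread, written out as a CL review job. This is an added example, not part of the original messages; the scratch source file QTEMP/QCLSRC is an assumed name, and every object name comes from the DSPUSRPRF and DSPPGM output above.

```cl
PGM
  /* Step 1: why does EX400C adopt AMAPICS authority?                  */
  /* Print the program attributes (User profile *OWNER is what makes   */
  /* the program run with its owner's authority).                      */
  DSPPGM     PGM(ECALIB/EX400C) OUTPUT(*PRINT)

  /* DSPPGM above shows Allow RTVCLSRC *YES, so the CL source can be   */
  /* retrieved and read to see what the program calls while adopting.  */
  /* QTEMP/QCLSRC is an assumed scratch file, private to this job.     */
  CRTSRCPF   FILE(QTEMP/QCLSRC)
  RTVCLSRC   PGM(ECALIB/EX400C) SRCFILE(QTEMP/QCLSRC) SRCMBR(EX400C)

  /* Who is allowed to call the adopting program at all.               */
  DSPOBJAUT  OBJ(ECALIB/EX400C) OBJTYPE(*PGM) OUTPUT(*PRINT)

  /* Step 2: what authorities does AMAPICS have?                       */
  /* *BASIC lists user class, special authorities and group profile;   */
  /* *OBJAUT lists its private authorities to objects.                 */
  DSPUSRPRF  USRPRF(AMAPICS) TYPE(*BASIC)  OUTPUT(*PRINT)
  DSPUSRPRF  USRPRF(AMAPICS) TYPE(*OBJAUT) OUTPUT(*PRINT)

  /* Step 3: does AMAPICS need that much authority?                    */
  /* List every program that adopts AMAPICS, not only EX400C, so the   */
  /* decision covers all of them before the profile is changed.        */
  DSPPGMADP  USRPRF(AMAPICS) OUTPUT(*PRINT)

  /* Candidate change, left commented out until steps 1 to 3 show the  */
  /* adoption is not required: run EX400C under the caller's own       */
  /* authority instead of the owner's.                                 */
  /* CHGPGM  PGM(ECALIB/EX400C) USRPRF(*USER)                          */
ENDPGM
```

The spooled output from DSPUSRPRF TYPE(*BASIC) is the place to look for *SECADM among the special authorities of AMAPICS, which is the question Fiona raises about the owner of the initial object.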


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.