• Subject: Re: MIDRANGE-L Digest V4 #86
  • From: Jim Langston <jimlangston@xxxxxxxxxxxxxxxx>
  • Date: Fri, 26 Jan 2001 13:33:52 -0800
  • Organization: Pacer International

   User profile . . . . . . . . . . . . . . . . . . :   *OWNER

   Use adopted authority  . . . . . . . . . . . . . :   *YES

What do you want to bet that the AMAPICS user profile doesn't have
security officer security?  

1. Why are you using adopted authority on this program?
2. If you must use adopted authority, you are giving that user all the
   access that the owner of the object has.
3. If you must use adopted authority, have it owned by a user with a
   little less security than someone with security officer security.
4. If at all possible, take away the adopted authority on this program,
   and every other one you can.
5. Yes, your security is breached with this.

Regards,

Jim Langston


Date: Fri, 26 Jan 2001 14:06:51 -0600
From: "Burns, Bryan" <burnsbm@echoincorporated.com>
Subject: RE: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM

Removing command line access is not an option.
We are at QSECURITY level 30.
Here are most profile attributes and a DSPPGM of the initial menu.



 User profile . . . . . . . . . . > JILLH
 User password  . . . . . . . . .   *SAME
 Set password to expired  . . . .   *NO
 Status . . . . . . . . . . . . .   *ENABLED
 User class . . . . . . . . . . .   *USER
 Assistance level . . . . . . . .   *SYSVAL
 Current library  . . . . . . . .   *CRTDFT
 Initial program to call  . . . .   EX400C
   Library  . . . . . . . . . . .     ECALIB
 Initial menu . . . . . . . . . .   *SIGNOFF
   Library  . . . . . . . . . . .
 Limit capabilities . . . . . . .   *PARTIAL
 Special authority  . . . . . . .   *NONE
                + for more values
 Special environment  . . . . . .   *NONE
 Display sign-on information  . .   *YES
 Password expiration interval . .   *SYSVAL
 Limit device sessions  . . . . .   *NO
 Keyboard buffering . . . . . . .   *SYSVAL
 Maximum allowed storage  . . . .   *NOMAX
 Highest schedule priority  . . .   3
 Job description  . . . . . . . .   QDFTJOBD
   Library  . . . . . . . . . . .     QGPL
 Group profile  . . . . . . . . .   *NONE
 Owner  . . . . . . . . . . . . .   *USRPRF
 Group authority  . . . . . . . .   *NONE
 Group authority type . . . . . .   *PRIVATE
 Supplemental groups  . . . . . .   *NONE
                + for more values
 Accounting code  . . . . . . . .   *BLANK
 Document password  . . . . . . .   *SAME
 Message queue  . . . . . . . . .   JILLH
   Library  . . . . . . . . . . .     QUSRSYS
 Delivery . . . . . . . . . . . .   *NOTIFY
 Severity code filter . . . . . .   0
 Print device . . . . . . . . . .   PRTP0
 Output queue . . . . . . . . . .   *WRKSTN
   Library  . . . . . . . . . . .
 Attention program  . . . . . . .   *NONE
   Library  . . . . . . . . . . .





 Program  . . . . . . . :   EX400C        Library  . . . . . . . :   ECALIB
 Owner  . . . . . . . . :   AMAPICS
 Program attribute  . . :   CLP

 Program creation information:
   Program creation date/time . . . . . . . . . . . :   10/03/96  10:00:16
   Type of program  . . . . . . . . . . . . . . . . :   OPM
   Source file  . . . . . . . . . . . . . . . . . . :   SOURCE
     Library  . . . . . . . . . . . . . . . . . . . :     ECALIB
   Source member  . . . . . . . . . . . . . . . . . :   EX400C
   Source file change date/time . . . . . . . . . . :   10/03/96  09:59:36
   Observable information . . . . . . . . . . . . . :   *ALL
   User profile . . . . . . . . . . . . . . . . . . :   *OWNER
   Use adopted authority  . . . . . . . . . . . . . :   *YES
   Log commands (CL program)  . . . . . . . . . . . :   *JOB
   Allow RTVCLSRC (CL program)  . . . . . . . . . . :   *YES
   Fix decimal data . . . . . . . . . . . . . . . . :   *NO



Bryan Burns
Echo, Inc.
Lake Zurich, IL
Burnsbm@echoincorporated.com   

        -----Original Message-----
        From:   fiona.fitzgerald@notes.royalsun.com [SMTP:fiona.fitzgerald@notes.royalsun.com]
        Sent:   Friday, January 26, 2001 11:09 AM
        To:     MIDRANGE-L@midrange.com
        Subject:        Re: Changing user profiles without *SECADM; adding *SECADM without even having *SECADM


        Bryan,
             If the user doesn't need a command line, you could change their
        profile to LMTCPB(*YES), which will prevent them from invoking a command
        line.
        Might the initial object be owned by a profile with *SECADM authority ?
        They might be inheriting authority from it ? Do they have an initial pgm
        or an initial menu ? I'd like to see all the usrprf attributes.

        By the way, what security level are you at ? (DSPSYSVAL QSECURITY).

        Fiona Fitzgerald,
        Dublin


        Bryan Burns wrote:

        We have a user profile with special authority *NONE that can do a CHGUSRPRF
        and add *SECADM special authority to another profile.  This is done from a
        command line on the initial menu.  This initial menu has three options:
        EXECUTE OFFICE, EXECUTE MAPICS, and SIGN OFF.

        How is this possible?  We are on V4R4 and at cume level CO252440.

        The profile in question has USER CLASS *USER, GROUP PROFILE *NONE, OWNER
        *USRPRF and LIMIT CAPABILITIES *PARTIAL.

        I think this may be due to adopted authority, but I am not a programmer and
        I have dug as far as I can into this.  Can someone shed some light on this?
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
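
The checks and the change that the numbered list in the reply points to, written out as IBM i CL commands. This is an added example, not part of the original messages; it uses the names shown in the DSPPGM output (ECALIB/EX400C, owner AMAPICS), assumes it is run by a security officer, and QTEMP/ADPPGM is an arbitrary outfile name chosen here.

```cl
/* Added example, not from the thread. Object names are the ones   */
/* shown in the posted DSPPGM; QTEMP/ADPPGM is a made-up outfile.  */

/* 1. See what the owning profile can do. Special authorities such */
/*    as *SECADM or *ALLOBJ here are what an adopting program      */
/*    lends to whoever runs it.                                    */
DSPUSRPRF  USRPRF(AMAPICS) TYPE(*BASIC)

/* 2. Inventory every program that adopts AMAPICS's authority, so  */
/*    the review covers more than the one initial program.         */
DSPPGMADP  USRPRF(AMAPICS) OUTPUT(*OUTFILE) OUTFILE(QTEMP/ADPPGM)

/* 3. Stop the initial program from adopting its owner's authority */
/*    (USRPRF) and from inheriting authority adopted by programs   */
/*    earlier in the call stack (USEADPAUT).                       */
CHGPGM     PGM(ECALIB/EX400C) USRPRF(*USER) USEADPAUT(*NO)

/* 4. Confirm: "User profile" should now read *USER and            */
/*    "Use adopted authority" should read *NO.                     */
DSPPGM     PGM(ECALIB/EX400C)
```

Removing adoption from EX400C can leave the application without authority it was relying on, so test the menu options afterwards and grant what they need explicitly, or move ownership to a less privileged profile as point 3 of the reply suggests.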
