>>Frank Kolmann wrote:
>>I dont have a reason as such. One of our programmers
>>modified a jobs *LIBL (system portion) with CHGSYSLIBL.
>>Could not even do a SYS REQ cancel, or SIGNOFF.
>>It is simply something that is very easy to do and
>>I suspect will disable the AS400.
>>IBM should prevent the backwards compatibility libs
>>getting into the SYSLIBL.
>
>From: "Greg Day" <greg_day@hotmail.com>
>Frank,
>Your programmer didn't have a reason? That's not very logical.
>
>Sounds like she/he also has *ALLOBJ authority if she/he has access to the
>CHGSYSLIBL command (ships PUBLIC *EXCLUDE). Likewise, to change system
value
>QSYSLIBL you need special authority not normally recommended for a
>programmer.
>
>Do you know what other damage an *ALLOBJ user can do to your system if
they
>just try things for no reason. These a few commands that spring to mind (I
>won't mention them here in case your programmer is watching :)) - all of
>which are just too easy to use.
>
>I think you are asking too much for IBM to prevent these sorts of
programmer
>actions.
>
>Greg.

Hi Greg,

The backwards compatibility libraries exist for special reasons
and I do not think it is asking too much,that one of the special
reasons is that they 'are prevented from being added to the LibL'.

On our system no one (except QSECOFR) has *ALLOBJ aut.

Why this happened is he tried to start QSH after the V4R5 upgrade.
For some reason it was not installed properly, but he found that
there was a QSH in QSYSV4R4M0, hence the rest.

These are the authority settings. Basically QPGMR.
Also QPGMR on our machine has access to both
CHGSYSLIBL and CHGSYSVAL,  I am not aware that we
did anything special to enable this.


User class . . . . . . . . . . . . . . . . :   *PGMR
Special authority  . . . . . . . . . . . . :   *JOBCTL
                                               *SAVSYS
Group profile  . . . . . . . . . . . . . . :   QPGMR
Owner  . . . . . . . . . . . . . . . . . . :   *GRPPRF
Group authority  . . . . . . . . . . . . . :   *NONE
Group authority type . . . . . . . . . . . :   *PRIVATE
Supplemental groups  . . . . . . . . . . . :   *NONE
Assistance level . . . . . . . . . . . . . :   *SYSVAL

 Object . . . . . . . :   CHGSYSLIBL      Owner  . . . . . . . :   QSYS
   Library  . . . . . :     QSYS          Primary group  . . . :   *NONE
 Object type  . . . . :   *CMD

 Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                          Object
 User        Group       Authority
 *GROUP      QPGMR       *USE


Frank Kolmann





As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.