There is nothing "special" about the *PRV libraries, they are normal
everyday libraries from an object point of view. The change you're
suggesting would require a change to every piece of the system that deals
with library lists and since we just had one of those at V5R1 I don't think
you'll find Rochester too egger to make another such change anytime soon.

-Walden

------------
Walden H Leverich III
President
Tech Software
(516)627-3800 x11
WaldenL@TechSoftInc.com
http://www.TechSoftInc.com



-----Original Message-----
From: Frank.Kolmann@revlon.com [mailto:Frank.Kolmann@revlon.com]
Sent: Monday, December 17, 2001 17:53
To: midrange-l@midrange.com
Subject: Re: Modify SYSVAL QSYSLIBL (Greg Day)



>>Frank Kolmann wrote:
>>I dont have a reason as such. One of our programmers
>>modified a jobs *LIBL (system portion) with CHGSYSLIBL.
>>Could not even do a SYS REQ cancel, or SIGNOFF.
>>It is simply something that is very easy to do and
>>I suspect will disable the AS400.
>>IBM should prevent the backwards compatibility libs
>>getting into the SYSLIBL.
>
>From: "Greg Day" <greg_day@hotmail.com>
>Frank,
>Your programmer didn't have a reason? That's not very logical.
>
>Sounds like she/he also has *ALLOBJ authority if she/he has access to
>the CHGSYSLIBL command (ships PUBLIC *EXCLUDE). Likewise, to change
>system
value
>QSYSLIBL you need special authority not normally recommended for a
>programmer.
>
>Do you know what other damage an *ALLOBJ user can do to your system if
they
>just try things for no reason. These a few commands that spring to mind
>(I won't mention them here in case your programmer is watching :)) -
>all of which are just too easy to use.
>
>I think you are asking too much for IBM to prevent these sorts of
programmer
>actions.
>
>Greg.

Hi Greg,

The backwards compatibility libraries exist for special reasons and I do not
think it is asking too much,that one of the special reasons is that they
'are prevented from being added to the LibL'.

On our system no one (except QSECOFR) has *ALLOBJ aut.

Why this happened is he tried to start QSH after the V4R5 upgrade. For some
reason it was not installed properly, but he found that there was a QSH in
QSYSV4R4M0, hence the rest.

These are the authority settings. Basically QPGMR.
Also QPGMR on our machine has access to both
CHGSYSLIBL and CHGSYSVAL,  I am not aware that we
did anything special to enable this.


User class . . . . . . . . . . . . . . . . :   *PGMR
Special authority  . . . . . . . . . . . . :   *JOBCTL
                                               *SAVSYS
Group profile  . . . . . . . . . . . . . . :   QPGMR
Owner  . . . . . . . . . . . . . . . . . . :   *GRPPRF
Group authority  . . . . . . . . . . . . . :   *NONE
Group authority type . . . . . . . . . . . :   *PRIVATE
Supplemental groups  . . . . . . . . . . . :   *NONE
Assistance level . . . . . . . . . . . . . :   *SYSVAL

 Object . . . . . . . :   CHGSYSLIBL      Owner  . . . . . . . :   QSYS
   Library  . . . . . :     QSYS          Primary group  . . . :   *NONE
 Object type  . . . . :   *CMD

 Object secured by authorization list  . . . . . . . . . . . . :   *NONE

                          Object
 User        Group       Authority
 *GROUP      QPGMR       *USE


Frank Kolmann



_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].