Frank,

The SEPT allows the calling program to bypass all the name resolution code and simply look up the pointer to a program. However, authority checking occurs when you attempt to USE that pointer on a callx instruction, so the SEPT in no way allows you to bypass object-level security.

-Walden

------------
Walden H Leverich III
President
Tech Software
(516)627-3800 x11
WaldenL@TechSoftInc.com
http://www.TechSoftInc.com

-----Original Message-----
From: Frank.Kolmann@revlon.com [mailto:Frank.Kolmann@revlon.com]
Sent: Wednesday, December 19, 2001 19:14
To: email@example.com
Subject: IBM supplied QPGMR (was Modify SYSVAL QSYSLIBL)

Hi Simon,

>>Why this happened is he tried to start QSH after the V4R5 upgrade. For
>>some reason it was not installed properly, but he found that there was
>>a QSH in QSYSV4R4M0, hence the rest.

>And you are paying this person real money? Can I come and work for
>you? I could be asleep for most of the day and still shine brighter
>than that spark! There is a serious lack of logical thought involved
>in the process indicated by your paragraph.

We all know you are bright, Simon; you can work for me any time. By the way, what are your rates (perhaps I can afford them)? As for 'logical thought', we can't all be Vulcans (FIAWOL). In the meantime I will work with ordinary mortals.

>CHGSYSVAL is shipped with much more
>access (QSYS, QSRV, QSYSOPR, QPGMR, and QSRVDRCTR).
>As you have discovered, that command is a good way to expose your
>system. There is very little reason for anyone to have authority to
>commands that alter the system portion of the library list.

'Expose?' I liked Al's term better: 'crater'. After discussions with others there is probably a simple workaround, that is, use a qualified command 'QSYS/CHGSYSVAL' to reset the SYSVAL.

>Which also leads on to the security issues involved in making
>programmers and users part of the IBM-supplied profiles. They simply
>shouldn't be used -- exceptions are QSECOFR and QSYSOPR for actual
>signon, and QSRV when an engineer is actually using it. You really
>should create your own programmer group, grant it only the authority
>needed by the job role (which is NOT all that QPGMR can do regardless
>of how the programmers may bleat), and assign your developers to that
>group. None of the IBM profiles should be a group profile because they
>generally have far more authority than programmers, operators, and users
>require.
>
>Regards,
>Simon Coulter.

I would suggest that most AS400 shops use the QPGMR profile for programmer access. Tailoring user profiles to specific jobs seems to be a headache. I suppose some people do this, but not many. We use AS400 security to keep programmers out of production databases (program and data), but I suggest a lot of shops do not even do that much.

Is it asking too much for examples of which QPGMR authorities should be revoked?

As a complete aside, I was wondering what Walden was on about re. SEPT. This is the first I heard about SEPT. Seems to me that accessing system programs via SEPT completely bypasses AS400 security checking. I am probably wrong.

Frank Kolmann

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-Lfirstname.lastname@example.org
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
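The two fixes discussed in the thread (reset QSYSLIBL with a library-qualified CHGSYSVAL, and stop using QPGMR as the programmers' group) written out as CL. This is an added example, not code from any poster. PGMRGRP, DEVUSER and PRODLIB are hypothetical names; the QSYSLIBL value is the shipped default assumed for that release, so confirm it with DSPSYSVAL on your own system before using it.

```cl
/* Added example (not from the thread): reset the system library list    */
/* and move developers off the IBM-supplied QPGMR group profile.          */
/* PGMRGRP, DEVUSER and PRODLIB are hypothetical names.  The QSYSLIBL     */
/* value below is the shipped default assumed for this release; confirm   */
/* it with DSPSYSVAL before running this.                                 */
PGM

/* 1. Look at the system portion of the library list.  A library such as  */
/*    QSYSV4R4M0 ahead of QSYS means an unqualified command or program    */
/*    name resolves to whatever object of that name sits in that library. */
DSPSYSVAL  SYSVAL(QSYSLIBL)

/* 2. Reset it with the library-qualified command, so the CHGSYSVAL that  */
/*    runs is the one in QSYS no matter what the library list holds.      */
QSYS/CHGSYSVAL  SYSVAL(QSYSLIBL)  VALUE('QSYS QSYS2 QHLPSYS QUSRSYS')

/* 3. See who holds authority to CHGSYSVAL.  The thread lists QSYS, QSRV,  */
/*    QSYSOPR, QPGMR and QSRVDRCTR as shipped with access.                */
DSPOBJAUT  OBJ(QSYS/CHGSYSVAL)  OBJTYPE(*CMD)

/* 4. Take CHGSYSVAL away from QPGMR.  QPGMR then falls back to the       */
/*    command's *PUBLIC authority, which step 3 shows.  Re-run step 3     */
/*    after a release upgrade to confirm the revoke is still in place.    */
RVKOBJAUT  OBJ(QSYS/CHGSYSVAL)  OBJTYPE(*CMD)  USER(QPGMR)  AUT(*ALL)

/* 5. Create a site-owned programmer group with no password and no        */
/*    special authorities, and make it the developer's group instead of   */
/*    QPGMR.  Grant it object authority library by library afterwards.    */
CRTUSRPRF  USRPRF(PGMRGRP)  PASSWORD(*NONE)  USRCLS(*USER) +
             SPCAUT(*NONE)  TEXT('Site programmer group profile')
CHGUSRPRF  USRPRF(DEVUSER)  GRPPRF(PGMRGRP)

/* 6. Keep the production library out of the group's reach explicitly,    */
/*    so a later *PUBLIC grant on the library does not open it up.        */
GRTOBJAUT  OBJ(PRODLIB)  OBJTYPE(*LIB)  USER(PGMRGRP)  AUT(*EXCLUDE)

ENDPGM
```

Each command can also be entered one at a time from a command line; the PGM/ENDPGM wrapper is only there so the source compiles as a CL program. Step 2 is the whole point of the qualified call: an unqualified CHGSYSVAL would itself be resolved through the library list that the attacker or the careless administrator has just altered.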