
Frank,

The SEPT allows the calling program to bypass all the name resolution code
and simply look up the pointer to a program. However, authority checking
occurs when you attempt to USE that pointer on a callx instruction, so the
SEPT in no way allows you to bypass object-level security.

-Walden

------------
Walden H Leverich III
President
Tech Software
(516)627-3800 x11
WaldenL@TechSoftInc.com
http://www.TechSoftInc.com



-----Original Message-----
From: Frank.Kolmann@revlon.com [mailto:Frank.Kolmann@revlon.com]
Sent: Wednesday, December 19, 2001 19:14
To: midrange-l@midrange.com
Subject: IBM supplied QPGMR (was Modify SYSVAL QSYSLIBL)


Hi Simon,


>>Why this happened is he tried to start QSH after the V4R5 upgrade. For
>>some reason it was not installed properly, but he found that there was
>>a QSH in QSYSV4R4M0, hence the rest.

>And you are paying this person real money?  Can I come and work for
>you? I could be asleep for most of the day and still shine brighter
>than that spark!  There is a serious lack of logical thought involved
>in the process indicated by your paragraph.

We all know you are bright, Simon; you can work for me any time. By the way,
what are your rates (perhaps I can afford them)? As for 'logical thought',
we can't all be Vulcans (FIAWOL). In the meantime I will work with ordinary
mortals.

>CHGSYSVAL is shipped with much more
>access (QSYS, QSRV, QSYSOPR, QPGMR, and QSRVDRCTR).
>As you have discovered, that command is a good way to expose your
>system. There is very little reason for anyone to have authority to
>commands that alter the system portion of the library list.

'Expose?' I liked Al's term better: 'crater'.
After discussions with others there is probably a simple workaround, that
is, use a qualified command 'QSYS/CHGSYSVAL' to reset the SYSVAL.


>Which also leads on to the security issues involved in making
>programmers and users part of the IBM-supplied profiles.  They simply
>shouldn't be used -- exceptions are QSECOFR and QSYSOPR for actual
>signon, and QSRV when an engineer is actually using it.  You really
>should create your own programmer group, grant it only the authority
>needed by the job role (which is NOT all that QPGMR can do regardless
>of how the programmers may bleat), and assign your developers to that
>group.  None of the IBM profiles should be a group profile because they
>generally have far more authority than programmers, operators, and user
>require.
>
>Regards,
>Simon Coulter.

I would suggest that most AS400 shops use the QPGMR profile for programmer
access. Tailoring user profiles to specific jobs seems to be a headache. I
suppose some people do this, but not many. We use AS400 security to keep
programmers out of production databases (program and data), but I suggest a
lot of shops do not even do that much. Is it asking too much for examples of
which QPGMR authorities should be revoked?

As a complete aside, I was wondering what Walden was on about re. SEPT. This
is the first I heard about SEPT. Seems to me that accessing system programs
via SEPT completely bypasses AS400 security checking. I am probably wrong.


Frank Kolmann

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
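Simon's advice (a dedicated programmer group in place of QPGMR) and Frank's qualified-command workaround, as an added CL example that is not part of the original thread. The profile and library names DEVGRP, DEV01 and DEVLIB are made up, and the QSYSLIBL value shown is assumed to be the shipped default; substitute your own.

```cl
/* Constructed example: a programmer group profile used instead of QPGMR. */
/* DEVGRP, DEV01 and DEVLIB are made-up names.                             */

/* Group profile with no password and no special authorities.             */
CRTUSRPRF USRPRF(DEVGRP) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*NONE) +
          TEXT('Developer group profile')

/* Move a developer off QPGMR and onto the new group.                     */
CHGUSRPRF USRPRF(DEV01) GRPPRF(DEVGRP) SPCAUT(*NONE)

/* Grant the group only what the role needs, e.g. the development library.*/
GRTOBJAUT OBJ(DEVLIB) OBJTYPE(*LIB) USER(DEVGRP) AUT(*CHANGE)

/* Lock down CHGSYSVAL: exclude *PUBLIC and remove QPGMR's shipped authority.*/
GRTOBJAUT OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
RVKOBJAUT OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) USER(QPGMR) AUT(*ALL)

/* Verify who is left with authority to the command.                      */
DSPOBJAUT OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD)

/* Reset the system library list with the library-qualified command, so a */
/* look-alike CHGSYSVAL earlier in the library list cannot be picked up.  */
/* Each library name occupies a 10-character field (assumed default list).*/
QSYS/CHGSYSVAL SYSVAL(QSYSLIBL) VALUE('QSYS      QSYS2     QHLPSYS   QUSRSYS   ')
```

Users with *ALLOBJ special authority still pass the object authority check on the command, which is why the group profile is created with SPCAUT(*NONE).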

