The SEPT allows the calling program to bypass all the name resolution code
and simply look up the pointer to a program. However, authority checking
occurs when you attempt to USE that pointer on a callx instruction so the
SEPT in no way allows you to bypass object-level security.


Walden H Leverich III
Tech Software
(516)627-3800 x11

-----Original Message-----
From: []
Sent: Wednesday, December 19, 2001 19:14
Subject: IBM supplied QPGMR (was Modify SYSVAL QSYSLIBL)

Hi Simon,

>>Why this happened is he tried to start QSH after the V4R5 upgrade. For
>>some reason it was not installed properly, but he found that there was
>>a QSH in QSYSV4R4M0, hence the rest.

>And you are paying this person real money?  Can I come and work for
>you? I could be asleep for most of the day and still shine brighter
>than that spark!  There is a serious lack of logical thought involved
>in the process indicated by your paragraph.

We all know you are bright Simon, you can work for me any time, by the way
what are your rates (perhaps I can afford them). As for 'logical thought',
we can't all be Vulcans (FIAWOL). In the meantime I will work with ordinary

>CHGSYSVAL is shipped with much more
>As you have discovered, that command is a good way to expose your
>system. There is very little reason for anyone to have authority to
>commands that alter the system portion of the library list.

'expose?' I liked Al's term better 'crater'.
After discussions with others there is probably a simple workaround, that
is, use a qualified command 'QSYS/CHGSYSVAL' to reset the SYSVAL.

>Which also leads on to the security issues involved in making
>programmers and users part of the IBM-supplied profiles.  They simply
>shouldn't be used -- exceptions are QSECOFR and QSYSOPR for actual
>signon, and QSRV when an engineer is actually using it.  You really
>should create your own programmer group, grant it only the authority
>needed by the job role (which is NOT all that QPGMR can do regardless
>of how the programmers may bleat), and assign your developers to that
>group.  None of the IBM profiles should be a group profile because they
>generally have far more authority than programmers, operators, and user
>Simon Coulter.

I would suggest that most AS400 shops use the QPGMR profile for programmer
access.  Tailoring user profiles to specific jobs seems to be a headache. I
suppose some people do this, but not many. We use AS400 security to keep
programmers out of production databases (program and data) but I suggest a
lot of shops do not even do that much. Is it asking too much for examples of
which QPGMR authorities should be revoked?

As a complete aside I was wondering what Walden was on about re. SEPT. This
is the first I heard about SEPT. Seems to me that accessing system programs
via SEPT completely bypasses AS400 security checking. I am probably wrong.

Frank Kolmann

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list


This mailing list archive is Copyright 1997-2022 by and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
