× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. September 2002

Re: PWRDWNSYS - Trivia

Hello Justin,

You wrote:
>... First of all I would strip all authority from the PWRDWNSYS command so
>that only QSECOFR could issue the command ...

I'm not picking on you specifically.  You were just the first to make this
suggestion.

It has been a VERY LONG TIME since PWRDWNSYS had *PUBLIC *USE authority.  It
was that way on S/38 CPF 8.0 and possibly for early OS/400 releases but IBM
have shipped PWRDWNSYS with severe restrictions for a very long time.

PWRDWNSYS is restricted to QSECOFR, any user with *ALLOBJ, and is
specifically authorised to QSYSOPR.  That's it!  Oh, the security reference
also says you also need *JOBCTL before you can run it.  That's pretty
secure.

If your ordinary joe/janet users can run PWRDWNSYS then:

        a) Your users have far too much authority
        b) You are running at QSECURITY less than 30
        c) You run some crappy ERP system that requires users to have
*ALLOBJ and/or *JOBCTL -- think Just Don't Ever
        d) *PUBLIC have been specifically granted rights to PWRDWNSYS
        e) Your security officer is an idiot

in which case you get what you deserve.  IBM can't protect the fools from
themselves.

P.S. IT Managers are the bane of Operations.  Someone recounted the
annecdote of one intending to prompt PWRDWNSYS but presssing Enter.  My
idiot manager pressed the Load button on the S/38 (because the IPL was
taking too long, or he liked the pretty colour of the Load button -- light
sky blue as I recall, or something equally lame).

We'd had a power failure, the system was on UPS, and had shutdown normally.
I had dialled IPL on the rotary switches and had left it IPLing while I
popped out for something.  Foolishly, I had left the rotary switches where
they were. Needless to say I always disabled the rotary switches immediately
they had been used after that episode.

The same manager also switched off a 9332 drive to 'prove' checksum worked
which resulted in me buying a set of perspex power switch covers.  He
thought the system would keep running.  Jeez!

Regards,
Simon Coulter.
--------------------------------------------------------------------
   FlyByNight Software         AS/400 Technical Specialists
   http://www.flybynight.com.au/

   Phone: +61 3 9419 0175   Mobile: +61 0411 091 400        /"\
   Fax:   +61 3 9419 0175   mailto: shc@flybynight.com.au   \ /
                                                             X
                 ASCII Ribbon campaign against HTML E-Mail  / \
--------------------------------------------------------------------

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.