Thanks Rob

Bill Hopkins

rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 01:29 PM
Please respond to Midrange Systems Technical Discussion
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Not a security person but.

According to the help on CHGUSRPRF EXODUS should have had enough authority to change BHOPKINS and add *IOSYSCFG. Granted they did have *ALLOBJ, but they didn't have *SECADM:

Restrictions:
1. You must have *SECADM special authority, and *OBJMGT and *USE authorities to the user profile being changed to specify this command.
2. You must have *USE authority to any of the following if specified: the current library, program, menu, job description, message queue, print device, output queue, and ATTN key handling program.

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:45 AM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Not a security person but.

As BHOPKINS I did not have *IOSYSCFG but I had the ability to change EXODUS user's password and removed *signoff. I was then able to sign on as EXODUS and change BHOPKINS to have *IOSYSCFG. Which BHOPKINS was not supposed to have. My profile was BHOPKINS below.

Was trying to show to the Ops Manager why they should not have *secofr or *secadm unless needed. His thought was that since he did not give them *IOSYSCFG that they could not do those things. I was showing otherwise. But I'm not sure what would be go security set up to group/limit these people. Probably just need to do some reading tonight.

Sorry Rob, I think about 20 pages ahead of what I type, it doesn't always come out as clear as talking. Hell sometimes that doesn't even work right. lol

Hope that is clearer.

Bill Hopkins

rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:10 AM
Please respond to Midrange Systems Technical Discussion
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Not a security person but.

You left me a little confused: EXODUS had *ALLOBJ and had *IOSYSCFG and initial menu of *SIGNOFF. Then you changed EXODUS, with your special id, and gave them a password and removed their initial menu of *SIGNOFF. This person was able to sign on and change what? You said they gave themselves *IOSYSCFG. However, by your writing, it looks like they already had it.

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 10:48 AM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To: MIDRANGE-L@xxxxxxxxxxxx
cc:
Subject: Not a security person but.

This is what I was able to do:

My profile: *SECOFR *ALLOBJ *JOBCTL *SECADM *SERVICE *SPLCTL, has init pgm and menu.
EXODUS server profile: *ALLOBJ *IOSYSCFG, has *signoff.

I changed EXODUS to have new password then changed to have init pgm and menu. I then signed on as EXODUS and changed my profile to have *IOSYSCFG special authority. Signed back on and started my own server.

What should I suggest to the Ops Manager to correct this work around? Besides just changing my profile :) Others are out there like this (mainly contractors) and I'm afraid they might come back after they leave. Should I voice my concern or is there one? Client did know of my actions so I wasn't doing this in the dark, just showing it to him. But my knowledge is limited in this side of things, what direction should he go?

Thanks
Bill Hopkins

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
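An added example, not part of the thread or any poster's code: an audit sketch that applies restriction 1 of the quoted CHGUSRPRF help text to a profile listing and reports, for each profile, the special authorities it could reach by changing and then signing on as other profiles. BHOPKINS and EXODUS follow the thread; OPER1, HELPDESK, CONTRACT1, the private-authority table and the treatment of *ALLOBJ as satisfying the object-authority check are assumptions made for illustration.

```python
from collections import deque

# Constructed sample listing: profile -> special authorities.
# BHOPKINS and EXODUS follow the thread; the other profiles are hypothetical.
SPCAUT = {
    "BHOPKINS": {"*ALLOBJ", "*JOBCTL", "*SECADM", "*SERVICE", "*SPLCTL"},
    "EXODUS": {"*ALLOBJ", "*IOSYSCFG"},
    "OPER1": {"*JOBCTL", "*SECADM"},
    "HELPDESK": {"*SECADM"},
    "CONTRACT1": {"*JOBCTL"},
}
# Constructed private authorities: actor -> {target profile: object authorities}.
PRIVATE = {
    "OPER1": {"EXODUS": {"*OBJMGT", "*USE"}},
    "HELPDESK": {"OPER1": {"*OBJMGT", "*USE"}},
}
NEEDED = {"*OBJMGT", "*USE"}


def can_change(actor, target):
    """Restriction 1: *SECADM plus *OBJMGT and *USE to the target profile."""
    auths = SPCAUT[actor]
    if actor == target or "*SECADM" not in auths:
        return False
    # Assumption: *ALLOBJ satisfies the object-authority part of the check.
    if "*ALLOBJ" in auths:
        return True
    return NEEDED <= PRIVATE.get(actor, {}).get(target, set())


def reachable(start):
    """Profiles `start` could sign on as by chaining profile changes."""
    seen, queue = {start}, deque([start])
    while queue:
        actor = queue.popleft()
        for target in SPCAUT:
            if target not in seen and can_change(actor, target):
                seen.add(target)
                queue.append(target)
    return seen - {start}


def excess(start):
    """Special authorities reachable by `start` but not assigned to it."""
    gained = set().union(*(SPCAUT[p] for p in reachable(start)))
    return gained - SPCAUT[start]


def report():
    """Profiles whose reachable authorities exceed what they were given."""
    return {p: sorted(excess(p)) for p in sorted(SPCAUT) if excess(p)}
```

The sketch models only the restriction as quoted, so it reports which authorities a profile can reach through other profiles, not what those profiles could then grant back. On a real system the two tables would be filled from the profile and object-authority listings rather than typed in.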
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.