What about supplemental groups? That's been a real sore spot here. Person's primary group didn't have any special authority, but their supplemental group did.

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 02:23 PM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc
Subject Re: Not a security person but.

I thought that since they had *IOSYSCFG that that was the reason they were able to change another profile to have. Because I know that is all EXODUS had I copied from profile straight to post in original email. Also know they were not in any kind of group EXODUS could have gotten that power from. Strange, I'll play with it and see if I why if that is the case. I know it worked because that is how I got the server to run. The software requires QSECOFR or QSECOFR group and *IOSYSCFG. BHOPKINS was in QSECOFR group but did not have *IOSYSOFR. That is why I borrowed from EXODUS.

Thanks for your help
Bill Hopkins

rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 01:44 PM
Please respond to Midrange Systems Technical Discussion
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Not a security person but.

Correction should NOT have had...

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 01:29 PM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc
Subject Re: Not a security person but.
According to the help on CHGUSRPRF EXODUS should have had enough authority to change BPHOPKINS and add *IOSYSCFG. Granted they did have *ALLOBJ, but they didn't have *SECADM:

Restrictions:
1. You must have *SECADM special authority, and *OBJMGT and *USE authorities to the user profile being changed to specify this command.
2. You must have *USE authority to any of the following if specified: the current library, program, menu, job description, message queue, print device, output queue, and ATTN key handling program.

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:45 AM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc
Subject Re: Not a security person but.

As BHOPKINS I did not have *IOSYSCFG but I had the ability to change EXODUS user's password and removed *signoff. I was then able to signon as EXODUS and change BHOPKINS to have *IOSYSCFG. Which BHOPKINS was not supposed to have. My profile was BHOPKINS below.

Was trying to show to the Ops Manager why they should not have *secofr or *secadm unless needed. His thought was that since he did not give them *IOSYSCFG that they could not do those things. I was showing otherwise. But I'm not sure what would be a good security set up to group/limit these people. Probably just need to do some reading tonight.

Sorry Rob I think about 20 pages ahead of what I type, it doesn't always come out as clear as talking. Hell sometimes that doesn't even work right. lol

Hope that is clearer.
Bill Hopkins

rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:10 AM
Please respond to Midrange Systems Technical Discussion
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Not a security person but.

You left me a little confused: EXODUS had *ALLOBJ and had *IOSYSCFG and initial menu of *SIGNOFF. Then you changed EXODUS, with your special id, and gave them a password and removed their initial menu of *SIGNOFF. This person was able to sign on and change what? You said they gave themselves *IOSYSCFG. However, by your writing, it looks like they already had it.

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 10:48 AM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To MIDRANGE-L@xxxxxxxxxxxx
cc
Subject Not a security person but.

This is what I was able to do:

My profile *SECOFR
*ALLOBJ *JOBCTL *SECADM *SERVICE *SPLCTL
has init pgm and menu.

EXODUS server profile
*ALLOBJ *IOSYSCFG
has *signoff

I changed EXODUS to have new password then changed to have init pgm and menu. I then signon as EXODUS and changed my profile to have *IOSYSCFG special authority. Signed back on and started my own server.

What should I suggest to the Ops Manager to correct this work around? Besides just changing my profile :) Others are out there like this (mainly contractors) and I'm afraid they might come back after they leave. Should I voice my concern or is there one. Client did know of my actions so I wasn't doing this in the dark just showing it to him. But my knowledge is limited in this side of things what direction should he go.
Thanks
Bill Hopkins

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
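Added example, not part of any message in the thread: a small audit over a profile inventory that reports special authorities a profile inherits from its primary and supplemental groups, and authorities it could pick up by changing another profile under the CHGUSRPRF restriction quoted above. The inventory is constructed; CONTR1, CLERK1, OPSGRP and ADMGRP are hypothetical names, and the model assumes group special authorities pass to members and that only *ALLOBJ supplies the object authority to the target profile.

```python
# Constructed inventory (not real data): own special authorities, then
# primary group followed by supplemental groups.
PROFILES = {
    "BHOPKINS": {"spcaut": {"*ALLOBJ", "*JOBCTL", "*SECADM", "*SERVICE", "*SPLCTL"}, "groups": []},
    "EXODUS":   {"spcaut": {"*ALLOBJ", "*IOSYSCFG"}, "groups": []},
    "OPSGRP":   {"spcaut": set(), "groups": []},
    "ADMGRP":   {"spcaut": {"*ALLOBJ", "*SECADM"}, "groups": []},
    "CONTR1":   {"spcaut": set(), "groups": ["OPSGRP", "ADMGRP"]},
    "CLERK1":   {"spcaut": {"*SPLCTL"}, "groups": ["OPSGRP"]},
}

def effective(name, profiles=PROFILES):
    """Own special authorities plus those of primary and supplemental groups."""
    auts = set(profiles[name]["spcaut"])
    for group in profiles[name]["groups"]:
        auts |= profiles[group]["spcaut"]
    return auts

def can_change(actor, target, profiles=PROFILES):
    """Quoted restriction: *SECADM plus object authority to the target profile.
    Assumption: only *ALLOBJ provides that object authority in this model."""
    return actor != target and {"*SECADM", "*ALLOBJ"} <= effective(actor, profiles)

def reachable(name, profiles=PROFILES):
    """Authorities available after changing, then signing on as, other profiles."""
    seen, stack, auts = {name}, [name], set()
    while stack:
        current = stack.pop()
        auts |= effective(current, profiles)
        for other in profiles:
            if other not in seen and can_change(current, other, profiles):
                seen.add(other)
                stack.append(other)
    return auts

def audit(profiles=PROFILES):
    """Map profile -> (inherited from groups, gained via other profiles)."""
    findings = {}
    for name in profiles:
        eff = effective(name, profiles)
        inherited = eff - profiles[name]["spcaut"]
        gained = reachable(name, profiles) - eff
        if inherited or gained:
            findings[name] = (sorted(inherited), sorted(gained))
    return findings

if __name__ == "__main__":
    for name, (inherited, gained) in sorted(audit().items()):
        print(f"{name}: from groups={inherited} via other profiles={gained}")
```

On a real system the inventory would come from a profile listing rather than the dictionary above, and explicit object authorities to individual profiles would need to be added to `can_change`.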
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].