Rob, not to be evasive, but if I were to list various exploit possibilities
(which I don't want on an open forum) and you determine that you have
"closed that door", until one went through all the possibilities (which is
beyond me) you might still feel it's safe for users to view all joblogs.
I would start with the premise that user IDs with *allobj should not be
running any normal production jobs.
What I basically would not want is programmer, operations, whomever viewing
the part of the job stream where I am performing security functions, or
secure application functions.
jim


----- Original Message ----- 
From: <rob@xxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Monday, March 29, 2004 3:17 PM
Subject: Re: Turning off the requirement to have *allobj to look at the
joblog of a currently running *ALLOBJ job.


> Can you give an example of what you might see in the joblog that you
> wouldn't be able to see via something else in the job like call stack or
> open files; that would be determined to be a potential security breach?
>
> Rob Berendt
> -- 
> Group Dekko Services, LLC
> Dept 01.073
> PO Box 2000
> Dock 108
> 6928N 400E
> Kendallville, IN 46755
> http://www.dekko.com
>
>
>
>
>
> "Jim Franz" <franz400@xxxxxxxxxxxx>
> Sent by: midrange-l-bounces@xxxxxxxxxxxx
> 03/29/2004 03:10 PM
> Please respond to
> Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
>
>
> To
> "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
> cc
>
> Subject
> Re: Turning off the requirement to have *allobj to look at the  joblog of
> a currently running *ALLOBJ job.
>
>
>
>
>
>
> Without *allobj, I should not even see the existence of objects I am
> *excluded from.
> Viewing a job log could show how some of the defenses work.
> jim
>
> ----- Original Message ----- 
> From: <rob@xxxxxxxxx>
> To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
> Sent: Monday, March 29, 2004 2:46 PM
> Subject: Turning off the requirement to have *allobj to look at the joblog
> of a currently running *ALLOBJ job.
>
>
> > Some of my people here were in the habit of always submitting certain
> > jobs under user profiles with *ALLOBJ.  Really frustrated them when we
> > installed a certain release of OS years back and they could no longer
> > look at the job log if they didn't have *ALLOBJ authority themselves.  I
> > figured out how to turn this off so they could still look at these
> > joblogs.  It's under the host part of application administration under
> > iSeries Navigator.
> >
> > Honestly I am a little reluctant to do so.  They've finally started
> > cleaning up the process (getting their authorization lists right, not
> > submitting the jobs under an *ALLOBJ kind of person, etc.) and I hate to
> > derail that train.
> >
> > I never figured out what the big security breach was to look at the
> > joblog of a job running under a user with *ALLOBJ.  Is there any valid
> > concern?
> >
> > Rob Berendt
> > -- 
> > Group Dekko Services, LLC
> > Dept 01.073
> > PO Box 2000
> > Dock 108
> > 6928N 400E
> > Kendallville, IN 46755
> > http://www.dekko.com
> >
> > _______________________________________________
> > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> > list
> > To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> > To subscribe, unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> > or email: MIDRANGE-L-request@xxxxxxxxxxxx
> > Before posting, please take a moment to review the archives
> > at http://archive.midrange.com/midrange-l.
> >
> >
>
>




This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
