Vern
Rob,
I think profile switching should only be done in batch jobs at night time, not in interactive jobs. And I also think that profile swapping is (still) a great security hole.
I do not want to know what could and will happen (or even to find that out), if users get access to a command line after a profile switch.
It is easy to write a simple command using profile switching; half the code is in the manuals. If you have *USE rights to a user profile with higher authority, you can swap to that profile without knowing her password. I experimented with this once: being a user of class *SECOFR, I granted myself the *USE right to the QSECOFR profile. Then I swapped to the QSECOFR profile (without entering a password) and I was QSECOFR, viewing the DLO folders, as my own user profile was not registered in the DIR.
Perhaps I should put the code on the list.
Regards, Carel Teijgeler
*********** REPLY SEPARATOR ***********
On 16-7-04 at 9:57 rob@xxxxxxxxx wrote:
>At one time IBM decided that using adopted authority should not work in certain situations, like creating certain group profiles, etc.
>Perhaps they thought this was a security enhancement. Then they allowed a workaround with profile switching.
>
>So then, does this not allowing adopted authority in these situations now go into the realm of 'security by obscurity' and should they
>just open these up to adopted authority? Or do you see a value in making people use these APIs to do profile switching, - in this
>situation - ?
>
>Now, I am not arguing that profile switching may not be useful in some client serving or web based applications. I am just arguing
>about it in the first situations.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].