|
midrange.com
> Am I reading this right? Joe User can sign on with his profile, use some
> magic command, and he can become QSECOFR? With no trace back to Joe
> User's profile?
This is only if the user has *USE authority to the user profile. Your
users don't have *USE authority to QSECOFR, do they?!
A user with *USE authority to QSECOFR can run the following command and it
will succeed:
ADDJOBSCDE JOB(TEST) CMD(CHGUSRPRF USRPRF(MYUSRPRF) SPCAUT(*ALLOBJ
*SECADM)) FRQ(*ONCE) USER(QSECOFR)
Now that they've got *ALLOBJ and *SECADM authority, they can do anything
they want.
And all of this is possible without profile switching!
If you don't have *USE authority, then you have to know QSECOFR's password
to use profile switching. If you know the password, you'd be able to log
on as QSECOFR directly and the ability to switch wouldn't matter much!
In reality, the scary part would be someone who has *USE authority to
QSECOFR!!
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
