× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. July 2004

RE: Adopted authority vs profile switching

GA,

Agree with Joe's reply, some has "messed" with your machine.  You might also
want to look at the permissions assigned to QSYS.

HTH,

Michael Rooney
Citigroup International

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of G Armour
Sent: Thursday, July 22, 2004 12:50 PM
To: Midrange Systems Technical Discussion
Subject: RE: Adopted authority vs profile switching


                Display Object Authority             
                                                     
 Object .  . . : QSECOFR   Owner  . . . . . : QSYS   
   Library . . :   QSYS    Primary group  . : *NONE  
 Object type . : *USRPRF   ASP device . . . : *SYSBAS
                                                     
                   Object     -Object--   --Data---  
 User     Group   Authority   O M E A R   R A U D E  
 QSYS             *ALL        X X X X X   X X X X X  
 QSECOFR          *ALL        X X X X X   X X X X X  
 *PUBLIC          *USE        X           X       X  

Other than shifting the contents so it wouldn't wrap in this email, this
is the actual screen.

Is this the shipped default?  Or did someone change this?

Looks like we have some auditing to do!

GA

--- Scott Klement <midrange-l@xxxxxxxxxxxxxxxx> wrote:
> 
> > Am I reading this right?  Joe User can sign on with his profile, use
> some
> > magic command, and he can become QSECOFR?  With no trace back to Joe
> > User's profile?
> 
> This is only if the user has *USE authority to the user profile.  Your
> users don't have *USE authority to QSECOFR, do they?!
> 
> A user with *USE authority to QSECOFR can run the following command and
> it
> will succeed:
> 
> ADDJOBSCDE JOB(TEST) CMD(CHGUSRPRF USRPRF(MYUSRPRF) SPCAUT(*ALLOBJ
>            *SECADM)) FRQ(*ONCE) USER(QSECOFR)
> 
> Now that they've got *ALLOBJ and *SECADM authority, they can do anything
> they want.
> 
> And all of this is possible without profile switching!
> 
> If you don't have *USE authority, then you have to know QSECOFR's
> password
> to use profile switching.  If you know the password, you'd be able to
> log
> on as QSECOFR directly and the ability to switch wouldn't matter much!
> 
> In reality, the scary part would be someone who has *USE authority to
> QSECOFR!!


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.