× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2005

Re: ALWLMTUSR

First of all LMTCPB only limits commands that have DSPCMD yourcommand 
showing
Allow limited user . . . . . . . . . . :   *NO


There are numerous ways to thwart LMTCPB(*YES).

1 - as a further example to your question try this from your PC, assuming 
you're a Wintel / iSeries Access equipped client.
Start, Run, Cmd
then, in the DOS window,
rmtcmd //youriseriesName  DSPUSRPRF yourusrid output(*print)
And, even though DSPUSRPRF says Allow limited user . . . . . . . . . . : 
*NO, you will create a spool file even if your user profile is set up for 
LMTCPB(*YES)

2 - On older versions of OS/400 you used to be able to FTP to it and do 
something like:
quote rcmd dspusrprf yourusrid output(*print)
and it would work.  IBM tightened this one down.

3 - I suspect various Client Server and/or web applications would not 
respect this.

4 - RUNRMTCMD does seem to respect LMTCPB(*YES)

Rob Berendt
-- 
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





Alberto Amigoni <a.amigoni@xxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
01/20/2005 04:34 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
midrange-l@xxxxxxxxxxxx
cc

Subject
ALWLMTUSR






Preparing for a security audit on our iSeries i set LMTCPB(*YES) for some 
users.

But i read, and ask for a confirm, that the user can't execute commands 
with ALWLMTUSR *YES, and
now i can't figure out  any method to retreive the list of command with
the parameter ALWLMTUSR *YES; is there any way to obtain such a list ?


And more, stated that the next paragraph is true:

"Security Warning: Don't rely on LMTCPB(*YES) to restrict command usage. 
IBM's distributed data management (DDM) architecture doesn't evaluate this 

attribute when an incoming Remote Command (RMTCMD) command is executed. 
So, users with LMTCPB(*YES) could still run commands using DDM's RMTCMD, 
which is simple to do when using Client Access Express."

is LMTCB really related to security ?


thank you 

ALBERT AMIGONI
-- 
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.