× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2005

Re: Recent bugtraq postings


On 23/04/2005, at 1:28 AM, rob@xxxxxxxxx wrote:

After typing that up I tried another WRKUSRPRF *ALL as a limited user
profile.  They can see some user profiles but not all.  I wonder how it
makes the determination?

The same way as everything else related to authority. The user must have some authority to the profile before it will appear in the list.

Display the authorities of the listed profiles and you'll probably find *PUBLIC have some level of authority. For example:
QDBSHR *PUBLIC Add, Delete
QSPLJOB *PUBLIC *USE

and so on.

Like most of these so-called exploits the 'evil hacker' usually needs access to the system which in most cases means they already have a *USRPRF which probably means they are in a position of trust (employee, contractor, etc.) and those people are always a risk from a security perspective. Your only real choice is to set proper object-level authorities, use the audit control values to monitor what is occurring, and implement a workable process for disabling access to all systems when a trusted person leaves.

Regards,
Simon Coulter.
--------------------------------------------------------------------
   FlyByNight Software         AS/400 Technical Specialists

   http://www.flybynight.com.au/
   Phone: +61 3 9419 0175   Mobile: +61 0411 091 400        /"\
   Fax:   +61 3 9419 0175                                   \ /
                                                             X
                 ASCII Ribbon campaign against HTML E-Mail  / \
--------------------------------------------------------------------



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.