× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



QSCANFSCTL wrote:
After installing vendor software signed on with *ALLOBJ authority you should
run a CHKOBJITG to look for IBM objects that fail a signature check. There
are several 3rd party vendors that modify QSYS objects using unsupported
interfaces. A CHKOBJITG will detect that. If something was changed that was
not documented or disclosed then I would question that.

Supposedly patching programs is harder to do on V5R4.  Vendors depending
on things like system state patches may run into trouble.


To answer your question, yes I know of malicious code that ran/runs on
OS/400. And back doors can be installed by QPGMR just as easily as QSECOFR.
Since this is an open forum I'm going to leave it at that.

I'll just take your word on this.  I can't image why a vendor would want
to create "malware" or how they could stay in business for very long.
Word would get out and that would be the end of them.


Some types of software, especially security software, is going to require
you to run programs at some time or another signed on with *ALLOBJ
authority. Whether that is at install time or any other time its all the
same. It would be nice if we could just have customers run commands we need
using standard IBM commands from a command line. But many APIs can't be run
from a command line because they require a complex set of parameters and
data structures. For example, how you would call an API from a command line
and pass on open file descriptor? You can't. So that requires you to sign on
with *ALLOBJ authority and run a menu option or vendor-supplied command.

A good argument for the value of an installation program.


Theoretically a back door could be installed at that time just as easily as
during install time.

Yes, just running (executing) an unknown (not verified) program is
risky.  This is why the truly paranoid only run open source software.


In the end you should have a good trusting relationship with your software
vendor (or be dealing with an established business partner) when using
*ALLOBJ authority. Perhaps I would be suspicious of downloading something
off the Internet from an unknown company. On the other hand, I would be less
suspicous of installing SAP, or JDE, or any other advanced level IBM
business partner product, using *ALLOBJ authority. An established vendor is
not likely to risk their entire business to intentionally install a back
door on your computer for malicous purposes.

Makes sense to me.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.