Sorry, John, I've been at iSeries DevCon all week speaking. Nine sessions in three days, and there's not a lot of time left over for email <grin>. I'm pretty comfortable with what you've related. Averages are averages, and there are some pretty stinky machines out there that skew the averages a bit. At the same time, there are some issues.
And third, relative to the JOBD exploit at QSECURITY level 30 and 40, if you have a JOBD with a user ID attached (such as QGPL/QBATCH, which has QPGMR attached), and you are at QSECURITY level 30, and the user has *USE authority to just the JOBD, the user could submit a job as user QPGMR. At QSECURITY level 40 or 50 the user needs not only *USE authority to the JOBD, but also *USE authority to the user ID QPGMR in order to submit a job as QPGMR. That is a pretty significant difference between level 30 and higher.
I understand your point; that's probably why QBATCH is shipped without *PUBLIC use authority. But the knee-jerk reaction is to give QBATCH *USE access to everyone (because everybody needs to submit jobs!), and that opens up the hole. To be fair, it's not a huge hole; I don't know how many people give QPGMR dangerous authority. But it's certainly a hole. The pointer issue is a bigger one. I've proofed the MI exploit, but I've never done it using RPG. I don't want to know the code, but have you actually managed to get this to work via RPG?
Joe
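
Added example, not part of the original messages and not IBM i code: a simplified Python model of the JOBD authority rule discussed above, used to audit an inventory of job descriptions at QSECURITY 30 versus 40 or 50. Apart from QGPL/QBATCH and QPGMR, every object name, profile and authority value is constructed, and the "explicit entry, else *PUBLIC" lookup is an assumption that ignores groups and authorization lists.

```python
from dataclasses import dataclass, field

# Authorities that include at least *USE (special values like *AUTL are not modelled).
GRANTS_USE = {"*USE", "*CHANGE", "*ALL"}

@dataclass
class JobD:
    name: str                                  # library/object
    user: str                                  # attached user ID; "*RQD" means none attached
    auth: dict = field(default_factory=dict)   # grantee -> authority on the JOBD

def has_use(auth, who):
    """Assumed lookup: an explicit entry for `who` wins, otherwise *PUBLIC applies."""
    return auth.get(who, auth.get("*PUBLIC", "*EXCLUDE")) in GRANTS_USE

def can_submit_as_jobd_user(qsecurity, jobd, profile_auth, who):
    """True if `who` could run a job under the JOBD's attached user ID."""
    if qsecurity not in (30, 40, 50):
        raise ValueError("only QSECURITY 30, 40 and 50 are modelled")
    if jobd.user == "*RQD" or not has_use(jobd.auth, who):
        return False
    if qsecurity >= 40:
        # Level 40/50 also requires *USE to the user profile itself.
        return has_use(profile_auth.get(jobd.user, {}), who)
    return True  # level 30: *USE to the JOBD alone is enough

def audit(qsecurity, jobds, profile_auth, who="*PUBLIC"):
    """Names of job descriptions that let `who` borrow the attached profile."""
    return [j.name for j in jobds
            if can_submit_as_jobd_user(qsecurity, j, profile_auth, who)]

# Constructed inventory. QBATCH carries the "knee-jerk" *PUBLIC *USE grant.
JOBDS = [
    JobD("QGPL/QBATCH", "QPGMR", {"*PUBLIC": "*USE"}),
    JobD("QGPL/QDFTJOBD", "*RQD", {"*PUBLIC": "*USE"}),
    JobD("APPLIB/NIGHTLY", "APPOWNER", {"*PUBLIC": "*EXCLUDE", "OPER1": "*USE"}),
]
# Constructed authorities on the user profile objects themselves.
PROFILE_AUTH = {
    "QPGMR": {"*PUBLIC": "*EXCLUDE"},
    "APPOWNER": {"*PUBLIC": "*EXCLUDE", "OPER1": "*USE"},
}

if __name__ == "__main__":
    for level in (30, 40):
        for who in ("*PUBLIC", "OPER1"):
            print(level, who, audit(level, JOBDS, PROFILE_AUTH, who))
```

Any job description the audit reports for `*PUBLIC` at level 30 is a candidate for `*PUBLIC *EXCLUDE` with explicit grants, or for removing the attached user ID.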
This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.