× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2008

Re: Anti-virus for i5OS

Forgive me if I'm wrong here, wouldn't be the first time, but I thought the following applied, at least at security level 40...

You need at least *SECADM authority to change a user profile, *ALLOBJ is not enough.

Message ID . . . . . . : CPF2292
Date sent . . . . . . : 04/02/08 Time sent . . . . . . : 10:44:32

Message . . . . : *SECADM required to create or change user profiles.

Special authority (SPCAUT) - Help

o The user profile creating or changing another user
profile must have all of the special authorities being
given. All special authorities are needed to give all
special authorities to another user profile.

o A user must have *ALLOBJ and *SECADM special
authorities to give a user *SECADM special authority
when using the CHGUSRPRF command.

o The user must have *ALLOBJ, *SECADM, and *AUDIT
special authorities to give a user *AUDIT special
authority when using the CHGUSRPRF command.

You can't submit a job as QSECOFR even if you do have *ALLOBJ. What you can do is submit a job as another user who has *SECADM, or *SECOFR, but that's an entirely different discussion.



Sorry, but a user with *ALLOBJ can give themselves *AUDIT, *IOSYSCFG,
*JOBCTL, *SAVSYS, *SECADM and *SPLCTL. From "Expert's Guide to OS/400 and
i5/OS Security", page 67:

"For example, *ALLOBJ special authority gives a user unlimited access to
and control over ALL objects-a user with *ALLOBJ special authority can
perform any function on any object on your system."

There is only a one step difference between a user with *ALLOBJ and
QSECOFR, that of the user with *ALLOBJ going into their own profile and
granting themselves the missing options. You can lock both *ALLOBJ users
and QSECOFR out of certain sysvals by pushing them up to SST level
maintenance, but if you've given a user *ALLOBJ you might as well have
made them QSECOFR.

Do you want your new software package to adjust your auditing level,
create a PPP connection and add a job schedule entry that calls home and
reports **anything it wants** from your system? ABC Corp may have just
used "social engineering" to get you to install your very own iSeries
virus!

A totally false question. Who is going to say yes? The point is that
merely changing the user id used for installation from QSECOFR to one with
*ALLOBJ hasn't fixed anything. I can do anything with *ALLOBJ that I can
do with QSECOFR. The user with *ALLOBJ has full rights to the QSECOFR
profile. If he doesn't, he can just grant himself those rights.

As hinted at above, you can push auditing values to SST level, so that
even QSECOFR can't change them. The point remains, *ALLOBJ is essentially
no different from QSECOFR..........


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.





As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.