RE: Anti-virus for i5OS

["John Earl" <john.earl@xxxxxxxxxxxxx>]

> Forgive me if I'm wrong here, wouldn't be the first time, but 
> I thought the following applied, at least at security level 40...

For the purposes of this discussion of special authorities, QSECURITY
level 40 has little or no bearing.


> You need at least *SECADM authority to change a user profile, 
> *ALLOBJ is not enough.

True.  To the best of my knowledge, it has always been this way.

> You can't submit a job as QSECOFR even if you do have 
> *ALLOBJ. 
Hmm - I'm not sure if that is true - and I'm on an airplane now so I
can't test.  But even if it is true, I know that you can use the profile
swap API's to become QSECOFR if you have at least *USE authority to
QSECOFR, and I believe that a user with *ALLOBJ can ADDJOBSCDE for the
user QSECOFR, so there are a number of ways to skin that cat.

jte

--
 
John Earl, VP and Chief Technology Officer
PowerTech:   253-872-7788
Direct:          253-479-1408
Mobile:          206-669-3336
John.Earl@xxxxxxxxxxxxx
 

 
 
Email is an excellent way to communicate material that is not time
sensitive.  If your communication is of a more urgent nature, please
call. 
 
===========================
This email message and any attachments are intended only for the use of
the intended recipient named above and may contain information that is
privileged and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message or by telephone and delete the
message from your email system. Thank you.
 

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx 
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Crispin Bates
> Sent: Wednesday, April 02, 2008 7:54 AM
> To: Midrange Systems Technical Discussion
> Subject: Re: Anti-virus for i5OS
>
> Forgive me if I'm wrong here, wouldn't be the first time, but 
> I thought the following applied, at least at security level 40...
>
> You need at least *SECADM authority to change a user profile, 
> *ALLOBJ is not enough.
>
> Message ID . . . . . . :   CPF2292
> Date sent  . . . . . . :   04/02/08      Time sent  . . . . . 
> . :   10:44:32
>
> Message . . . . :   *SECADM required to create or change user 
> profiles.
>
>              Special authority (SPCAUT) - Help
>
>   o  The user profile creating or changing another user
>      profile must have all of the special authorities being
>      given. All special authorities are needed to give all
>      special authorities to another user profile.
>
>   o  A user must have *ALLOBJ and *SECADM special
>      authorities to give a user *SECADM special authority
>      when using the CHGUSRPRF command.
>
>   o  The user must have *ALLOBJ, *SECADM, and *AUDIT
>     special authorities to give a user *AUDIT special
>     authority when using the CHGUSRPRF command.
>
> You can't submit a job as QSECOFR even if you do have 
> *ALLOBJ. What you can do is submit a job as another user who 
> has *SECADM, or *SECOFR, but that's an entirely different discussion.
>
>
>
> > Sorry, but a user with *ALLOBJ can give themselves *AUDIT, 
> *IOSYSCFG, 
> > *JOBCTL, *SAVSYS, *SECADM and *SPLCTL.  From "Expert's 
> Guide to OS/400 
> > and i5/OS Security", page 67:
> >
> > "For example, *ALLOBJ special authority gives a user 
> unlimited access 
> > to and control over ALL objects-a user with *ALLOBJ special 
> authority 
> > can perform any function on any object on your system."
> >
> > There is only a one step difference between a user with *ALLOBJ and 
> > QSECOFR, that of the user with *ALLOBJ going into their own profile 
> > and granting themselves the missing options.  You can lock both 
> > *ALLOBJ users and QSECOFR out of certain sysvals by pushing 
> them up to 
> > SST level maintenance, but if you've given a user *ALLOBJ 
> you might as 
> > well have made them QSECOFR.
> >
> > > Do you want your new software package to adjust your 
> auditing level, 
> > > create a PPP connection and add a job schedule entry that 
> calls home 
> > > and reports **anything it wants** from your system?  ABC Corp may 
> > > have just used "social engineering" to get you to install 
> your very 
> > > own iSeries virus!
> >
> > A totally false question.  Who is going to say yes?  The 
> point is that 
> > merely changing the user id used for installation from 
> QSECOFR to one 
> > with *ALLOBJ hasn't fixed anything. I can do anything with *ALLOBJ 
> > that I can do with QSECOFR.  The user with *ALLOBJ has full 
> rights to 
> > the QSECOFR profile.  If he doesn't, he can just grant 
> himself those rights.
> > As hinted at above, you can push auditing values to SST 
> level, so that 
> > even QSECOFR can't change them.  The point remains, *ALLOBJ is 
> > essentially no different from QSECOFR..........
> >
> >
> > --
> > This is the Midrange Systems Technical Discussion 
> (MIDRANGE-L) mailing 
> > list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, 
> > unsubscribe, or change list options,
> > visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> > or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, 
> please take 
> > a moment to review the archives at 
> > http://archive.midrange.com/midrange-l.
>
>
> --
> This is the Midrange Systems Technical Discussion 
> (MIDRANGE-L) mailing list To post a message email: 
> MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change 
> list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, 
> please take a moment to review the archives at 
> http://archive.midrange.com/midrange-l.