I am sorry, I seem to have opened a wound. (?) I believe I must have
misunderstood. You created QCMDEXC as a UDF. My initial thought when I saw
your example was that one could execute CL commands directly out of SQL.
That would seem to be a security issue.

As long as the UDF QCMDEXC is unique to your shop then that is fine. If you
are certain that the QCMDEXC will only ever be run by you then that is fine.
If you are certain that no one will be able to run SQL in your shop as
*SECADM except trusted resources, then that is fine.

For the record, I am all for code and utilities that make our jobs easier.
Your use of UDFs is creative and aggressive.


Paul Therrien
Andeco Software, LLC
932 Saint Johns Dr
Maryville, TN 37801
225-229-2491
paultherrien@xxxxxxxxxxxxxxxxxx
www.andecosoftware.com


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Monday, March 14, 2011 11:36 AM
To: Midrange Systems Technical Discussion
Subject: RE: Using QCMDEXC in an SQL SELECT statement Was: Disabled User
Profiles

Paul,

Do not rely upon "security by obscurity". Creating QCMDEXC as a function
is not a security breach. If you do not have access to DLTUSRPRF you
still cannot run it by using the User Defined Function (UDF) QCMDEXC. The
only thing that the function does is allow you to run it easier. We
created it as a function for the myriad of CL programs we had written that
basically did
DSP... OUTPUT(*OUTFILE) ...
DCLF ...
READ:
RCVF
MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(EOF))
/* Do something */
GOTO CMDLBL(READ)
EOF:
EXIT:
ENDPGM

Is the ability to write a CL program a security breach? Should that be
something that antivirus programs should stop? By default anyone can
write a CL program. You do not need the application tools on your system.
All systems have EDTF and CRTCLPGM. If you find the SQL UDF a security
breach because it can be used to run DLTUSRPRF then I suggest you stop
giving all your users *SECADM and *ALLOBJ. That's a step in the right
direction.

Is having the UDF a breach because it doesn't slow down the developer and
make him think? Then, by all means, let's put other impediments in his
path. Let's ban CL and force them to use MI. After all, did you see
anything in the CL sample above that did any comparison? What was to stop
this CL program from forgetting the "where" and deleting all user
profiles?


Rob Berendt
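Rob's closing point is that the exposure lies in who holds *SECADM and *ALLOBJ, not in the wrapper that invokes DLTUSRPRF. The query below is an added example for auditing that, not code from either poster; it assumes the QSYS2.USER_INFO catalog view that IBM ships on current IBM i releases (it did not exist when this thread was written), with the AUTHORIZATION_NAME, STATUS and SPECIAL_AUTHORITIES columns, and it folds in the thread's original subject by also listing profiles that are currently *DISABLED.

```sql
-- Added example (not from the thread). Assumes QSYS2.USER_INFO on a
-- current IBM i release; SPECIAL_AUTHORITIES is a blank-separated list
-- such as '*ALLOBJ *SECADM'.

-- Which profiles could actually run DLTUSRPRF, whether typed at a
-- command line, wrapped in a CL program, or called through a UDF?
SELECT AUTHORIZATION_NAME,
       STATUS,
       SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*SECADM%'
    OR SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY AUTHORIZATION_NAME;

-- The inventory the original subject line was about: profiles that are
-- disabled today, so that stale ones can be reviewed rather than deleted
-- from inside a loop that "forgot the where".
SELECT AUTHORIZATION_NAME,
       PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*DISABLED'
 ORDER BY PREVIOUS_SIGNON;
```

Run these from any SQL interface on the partition; the first list is the one to keep short, since every name on it can delete profiles regardless of whether a QCMDEXC function is defined.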
