Well.. we do have a pretty secure network.. behind a number of firewalls.. so there is a level of security within the internal network that I can feel pretty confident might suffice. I am also pretty sure the users from one division can't cross over to the users of another without passing through their firewalls, traversing their VPN's etc. Most of the "divisions" act somewhat independently, with each site having its own accounting, etc. I don't think all locations feed into on central data center per say... so without knowing each specific user name, site, and unique identifiers, public pretty much means the 3 people on the particular site.
I certainly want to put public back to exclude... but.. I matched up line for line the other 2 users profile, I can't see anything that leads me to believe she is excluded from some "global group" that I am missing. In fact.. one of the users in that division as a profile labeled usrprf, the other 2 have grpprf... and usrprf isn't the one having the issue.. so this is a good mytsery.
I am still looking at how to make it as right as the other 2 on that site.. but so far still coming up empty as to what's different.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Charles Wilt
Sent: Tuesday, September 30, 2014 10:28 AM
To: Midrange Systems Technical Discussion
Subject: Public authority (was Re: upload file error)
On Tue, Sep 30, 2014 at 10:04 AM, Buck Calabro <kc2hiz@xxxxxxxxx> wrote:
I don't want to sound like a jerk but I come by it naturally :-)
*PUBLIC is everybody in the universe, not just the 3 users in that
portion of the company. If I had your machine's IP address, I could
almost certainly read and modify the contents of that file from here.
--buck
Not quite...let's not panic the guy Buck!...
*PUBLIC is every user profile on the machine that doesn't have explicit private authorities. So anybody with credentials on the machine can modify that file now.
So it'd take Buck more than just knowing the IP of the machine, even assuming it's not behind a firewall. He'd have to know or be able to guess a valid user profile/ password combination.
Hopefully you don't have any default passwords, where the password = user ID. You can check by doing, GO SECTOOLS and selecting option 1 = Analyze default passwords.
Then there are anonymous services, such as FTP or the Netserver "Guest"
account. Anonymous FTP isn't allowed by default, you have to have create or buy an FTP exit point program to enabled it.
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaiq/rzaiqftpanon.htm
You can check for exit programs via
WRKREGINF EXITPNT(QIBM_QTMF_SVR_LOGON)
Look at the line
Current number of exit programs . . . : 0
The "Guest" netserver account is basically a generic account used by the IBM SMB (windows) file server. It's used when a windows users tries to access a IBM i Netserver file share and there isn't a matching IBM i user ID. Again, it is not enabled by default. You'd need to use the IBM i Navigator GUI to see if it is enabled.
http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzahl/rzahlguestprofs.htm
Charles
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
midrange.com
