× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2021

Re: IBM i security question

Initial menu, and limited capability are a great tool to limit
potential damage by users (on green screen)
Remember that those restrictions do not apply when accessing via ODBC or
ssh or ftp...
Make sure that there are no objects with *public *all.
Even *public *use will allow anybody to download the file using ftp.

On Wed, Jun 23, 2021 at 7:28 AM Rob Berendt <rob@xxxxxxxxx> wrote:

I was corrected, GO does not allow a user with limited capabilities to run
it from the command line.
However, since MAIN is the default menu for users, and leaves a LOT of
potentially damaging access to your systems, I'd still suggest changing the
default menu for users to *SIGNOFF.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Tuesday, June 22, 2021 4:38 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: IBM i security question

Quite simple really.
CHGCMD CMD(SIGNOFF) ALWLMTUSR(*YES)
So your users can have command line but only to the commands with
ALWLMTUSR(*YES)

Here's a scary thing to try:
Sign on as a user with limited capability
Type in this command:
GO MAIN
4. Files, libraries, and folders
1. Files

1. Work with files
4=Delete
Or
7. Data File Utility (DFU)

This is why we changed all limited capability users from
Initial menu . . . . . . . . . . MAIN
To
Initial menu . . . . . . . . . . *SIGNOFF

With *SIGNOFF if they exit their initial program they are signed off
instead of returned to the MAIN menu.

That project to secure the data so they can only get to it via
"Application Only Access" keeps getting back burnered.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Howie, Bill
Sent: Tuesday, June 22, 2021 4:16 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: IBM i security question

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know
the content is safe.


Hello all,

We have an environment where some users are currently set up with the
Limit Capabilities option set to *NO on their user profile. In conjunction
with that, we have an array of homegrown commands that have been created as
shortcuts to different programs within the system. I really don't like the
users having command line access, because it opens them up to being able to
do a lot of damage to the system if they so desire. It seems to me the
only alternative would be to remove the command line access and change
everything they have commands for to run off of menu options. Is there a
way to somehow limit them to the homegrown commands but prevent them from
access to things like ending subsystems or other jobs in the system, etc.?
One of these folks is of the user class *USER and one is of the *PGMR user
class (I'm guessing pretty obviously we'd want to downgrade the user class
on this one). Or is it that if you have command line access, it's to all
commands and there is really no w
ay to limit it? Any info on this would be greatly appreciated. Thanks
for your time!

[Related image]<https://www.hc-companies.com/>Bill Howie
Senior ERP Programmer/Analyst
Direct: 330.487.3739 | Cell: 330.888.8085 | Toll Free: 800.225.7712
2450 Edison Blvd, Suite 3, Twinsburg OH 44087
hc-companies.com<https://www.hc-companies.com/>
Leader in Horticultural Containers
[cid:image003.png@01D76781.CECC8130]<
https://www.linkedin.com/company/the-hc-companies>
[cid:image004.png@01D76781.CECC8130] <
https://www.facebook.com/HCCompanies/>
[cid:image005.png@01D76781.CECC8130] <
https://www.instagram.com/hccompanies/>
[cid:image006.png@01D76781.CECC8130] <https://twitter.com/hc_companies>

Disclaimer

The information contained in this communication from the sender is
confidential. It is intended solely for use by the recipient and others
authorized to receive it. If you are not the recipient, you are hereby
notified that any disclosure, copying, distribution or taking action in
relation of the contents of this information is strictly prohibited and may
be unlawful.

This email has been scanned for viruses and malware, and may have been
automatically archived by Mimecast Ltd, an innovator in Software as a
Service (SaaS) for business. Providing a safer and more useful place for
your human generated data. Specializing in; Security, archiving and
compliance. To find out more visit the Mimecast website.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.