|
Hmm.. that could bring up some interesting uses, and if done right you could just check to see if the user profile had the authority to the program you wanted to run. I think that would be a way to go, but I think I would limit any program this CGI could run to a certain library. And then check the user's authority to it. That way you get double security, if the program's not in the allowed list, that is, in the library, it can't be run, and you can then check to make sure the user profile has the appropriate access to that program. Then you could do it running any program and you're secure again. From my understanding when I log on with client access to the AS/400 my user name and password are crossing the network unencrypted anyway, isn't that right? I had thought about that originally for another program that changed user passwords, but realized that these passwords were flying across the wire a mile a minute anyway. Perhaps I'm wrong, perhaps client access encrypts the password then sends the encrypted password to the AS/400 for validation, anyone know? Regards, Jim Langston Peter Dow wrote: > > Hi Jim, > > How about adding some security checking on the RPG sockets program, i.e. > before allowing just anyone to utilize its callpgm facility, check a userid > & password? Of course, then you'd have to get into secure sockets, but what > the heck, John wants to learn something new, right? > > Regards, > Peter Dow > Dow Software Services, Inc. > 909 425-0194 voice > 909 425-0196 fax > > From: "Jim Langston" <jimlangston@conexfreight.com> > > I think I see what you are trying to do. You want a generic TCP/IP > > program on the AS/400 that will listen to requests on a certain port, > > then accept the request, get the program name to run and the parameters, > > run the program, and pass the return parameters back to the socket. > > > snip < > > > Oh, cool, your AS/400 has this socket program to run programs and accept > > parameters. I'll just right a real quick socket program on a PC and have > > it run the API to change my authority, or create a new user profile with > > *ALLOBJ, or open up the FTP port so I can FTP in, or have it dump the > > QSYSOPR user profile so I can brute force the password or... You just > > blew security wide open. > > > +--- > > | This is the RPG/400 Mailing List! > > | To submit a new message, send your mail to RPG400-L@midrange.com. > > | To subscribe to this list send email to RPG400-L-SUB@midrange.com. > > | To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com. > > | Questions should be directed to the list owner/operator: > david@midrange.com > > +--- > > _________________________________________________________ > Do You Yahoo!? > Get your free @yahoo.com address at http://mail.yahoo.com > > +--- > | This is the RPG/400 Mailing List! > | To submit a new message, send your mail to RPG400-L@midrange.com. > | To subscribe to this list send email to RPG400-L-SUB@midrange.com. > | To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- -- Regards, Jim Langston Me transmitte sursum, Caledoni! +--- | This is the RPG/400 Mailing List! | To submit a new message, send your mail to RPG400-L@midrange.com. | To subscribe to this list send email to RPG400-L-SUB@midrange.com. | To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
