


Can you assign the group profile as a "supplemental group" of the user profile? Or is that giving the user too much access?

If you want to use adopted authority, you'll probably have to do a profile swap. The 'profile handle' APIs will respect adopted authority, allowing you to swap to a profile that you might not have had authority to without adopting.

But, if you do profile swapping, you need to be very careful that your application cannot exit without swapping back (else the user can keep the elevated authority) and also that someone cannot simply open your program in STRDBG and change variables so that they can keep the elevated authority... etc, etc.

-SK

On 10/9/2013 1:57 PM, Justin Taylor wrote:
OK, so I got it to work with one major caveat. Since qsysetegid does not seem to respect adopted authority, every user who will need to run this must have *USE authority to the user profile used for the effective GID.

The 3027 error was my fault. I guess I didn't actually grant my test user *USE authority to the GID profile. Once I got that fixed, I got a 3440. That turned out to be because my test user had OWNER(*GRPPRF) in its user profile.

I'm still not happy about having to give out *USE on the GID user profile.




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.