Re: RPG easier/harder to use than other languages?

On 8 July 2017 at 08:33, Nathan Andelin <nandelin@xxxxxxxxx> wrote:

In our environment the profile that uses ODBC is authorised to the
stored procedures and only to the SPs.

Do any of your stored procedures call QCMDEXC?

No.

The database is owned by a separate profile.
The stored procedures are external LANGUAGE RPGLE.
The RPGLE programs are OWNER(database) USRPRF(*OWNER)
The underlying table/views are PUBLIC(*EXCLUDE).

Do you have any user profiles with *allobj authority?

Thank you for leading me through this so patiently. The scenario: I
have at least one *ALLOBJ user profile with a poor choice for a
password, the attacker has that, cracks the web server, and uses ODBC
to get at the database. Yes, that's bad.

Let's look at the same scenario with a web service communications
channel instead of ODBC. The web server has no ODBC, the attacker has
a *ALLOBJ password, and cracks the web server with a root escalation
attack. Now that she has root, she is free to install whatever
software she likes - including ODBC.

I'm not sure what you mean by the attack surface being the same for
presumably the IBM i HTTP Server - it doesn't provide any access to
QZDASOINIT Jobs - and any access to any other resource must be explicitly
configured - the default is for everything to be locked down.

Apache root escalation bugs appear all the time.
IBM make sure to fold these into our Apache. All the time.

I'm still not understanding where there is a significant difficulty
with securing ODBC vis-à-vis web services. I need to secure the
system with standard IBM i security anyway; the ODBC profile is just
one more that goes into the plan.

For my part, I'd be perfectly happy implementing the comms channel via
web services. I'm not arguing against that idea; I rather like it,
but the .NET team haven't broached the subject yet.
--buck