On 8 July 2017 at 08:33, Nathan Andelin <nandelin@xxxxxxxxx> wrote:
>> In our environment the profile that uses ODBC is authorised to the
>> stored procedures and only to the SPs.
> Do any of your stored procedures call QCMDEXC?
No.
The database is owned by a separate profile.
The stored procedures are external LANGUAGE RPGLE.
The RPGLE programs are OWNER(database) USRPRF(*OWNER)
The underlying table/views are PUBLIC(*EXCLUDE).
> Do you have any user profiles with *allobj authority?
Thank you for leading me through this so patiently. The scenario: I
have at least one *ALLOBJ user profile with a poor choice for a
password, the attacker has that, cracks the web server, and uses ODBC
to get at the database. Yes, that's bad.
Let's look at the same scenario with a web service communications
channel instead of ODBC. The web server has no ODBC, the attacker has
a *ALLOBJ password, and cracks the web server with a root escalation
attack. Now that she has root, she is free to install whatever
software she likes - including ODBC.
> I'm not sure what you mean by the attack surface being the same for
> presumably the IBM i HTTP Server - it doesn't provide any access to
> QZDASOINIT Jobs - and any access to any other resource must be explicitly
> configured - the default is for everything to be locked down.
Apache root escalation bugs appear all the time.
IBM make sure to fold these into our Apache. All the time.
I'm still not understanding where there is a significant difficulty
with securing ODBC vis-à-vis web services. I need to secure the
system with standard IBM i security anyway; the ODBC profile is just
one more that goes into the plan.
For my part, I'd be perfectly happy implementing the comms channel via
web services. I'm not arguing against that idea; I rather like it,
but the .NET team haven't broached the subject yet.
--buck
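The layout Buck describes (ODBC profile authorised only to external RPGLE procedures, database owned by a separate profile, tables PUBLIC(*EXCLUDE)), written out as Db2 for i SQL together with the two checks a reviewer would run afterwards. This is an added example, not code from the thread; library APPLIB, profiles DBOWNER and ODBCUSR, table CUSTOMER and program GETCUST are assumed names, and the QSYS2 catalog views are assumed to be available on the release in use.

```sql
-- Added example: least-privilege ODBC access through an adopting stored
-- procedure. APPLIB, DBOWNER, ODBCUSR, CUSTOMER and GETCUST are assumed names.

-- 1. Nobody reaches the table directly: PUBLIC(*EXCLUDE).
REVOKE ALL ON TABLE APPLIB.CUSTOMER FROM PUBLIC;
-- Ownership and adopted authority live on the *PGM object, set when the
-- RPGLE program is compiled, e.g. CRTBNDRPG ... USRPRF(*OWNER) with the
-- object owned by DBOWNER (CL, shown here as a comment only).

-- 2. One narrow entry point: the external RPGLE procedure.
CREATE OR REPLACE PROCEDURE APPLIB.GET_CUSTOMER (IN P_CUSTNO INTEGER)
  DYNAMIC RESULT SETS 1
  LANGUAGE RPGLE
  PARAMETER STYLE GENERAL
  EXTERNAL NAME 'APPLIB/GETCUST';

-- 3. The ODBC profile gets EXECUTE on the procedure and nothing else.
GRANT EXECUTE ON PROCEDURE APPLIB.GET_CUSTOMER TO ODBCUSR;

-- Check 1: does any profile still hold a direct privilege on the table?
-- Expected rows: DBOWNER with *ALL and *PUBLIC with *EXCLUDE, no ODBCUSR.
SELECT AUTHORIZATION_NAME, OBJECT_AUTHORITY
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE SYSTEM_OBJECT_SCHEMA = 'APPLIB'
   AND SYSTEM_OBJECT_NAME   = 'CUSTOMER'
   AND OBJECT_TYPE          = '*FILE';

-- Check 2: Nathan's question, which profiles carry *ALLOBJ? Any profile
-- listed here bypasses the object authorities above entirely, so it is
-- the list to keep short and to hold to a strong password policy.
SELECT AUTHORIZATION_NAME, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%';
```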
--
This is the RPG programming on the IBM i (AS/400 and iSeries) (RPG400-L)
mailing list