× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. SECURITY400
  3. August 2001

RE: Work with TCP/IP Interfaces: Start/End authority?

This is a multi-part message in MIME format.
--
[ Picked text/plain from multipart/alternative ]
Thanks to all who have replied.  I see that I'm going to have to change
my tag line *again*! (You know who you are, Simon!)  I concur with all,
ehhh, with most of what you've said, Simon.

The only way I knew to edit the authority to STRTCPIFC was that I
scanned the softcopy for "TCP/IP interface".  The Work with TCP/IP
Interfaces screen did not allow me to prompt the option and the options
help text had no mention of the command.  Maybe I got lucky with my
search.  Maybe I'll always be able to get good results with my searches.
Maybe not.

Oh, this gets better.  Since our seven AS/400s run on four different OS
levels (V3R2, V3R7, V4R3, & V4R4), I guess that means I should bookmark
four different Security Reference manuals.

>You require at least *USE authority in order to use ANY object (not
>counting the IFS which has its own rules).

<thunk to the head> Jeez, you'd think I'd read my own writing before
embarrassing myself.  PortToLongTermMemory: "You need *USE authority to
USE an object."  Port complete. <sigh>

I have no qualms about IBM tightening down the *PUBLIC use of commands.
The problem I have is finding out after the fact at 3 a.m. when our
friends across the great Atlantic pond can't run a command that I had no
idea they didn't have authority to.  But here, I start to wander from
the original topic.  So I'll end this one and start another thread.

- Dan
Dan Bale says "BAN DALE!"
IT - AS/400
Handleman Company
248-362-4400  Ext. 4952
D.Bale@Handleman.com
  Quiquid latine dictum sit altum viditur.
  (Whatever is said in Latin seems profound.)

-------------------------- Original Message --------------------------

> -----Original Message-----
> From: Simon Coulter [SMTP:shc@flybynight.com.au]
> Sent: Monday, August 20, 2001 8:48 PM
> To:   security400@midrange.com
> Subject:      RE: [Security400] Work with TCP/IP Interfaces: Start/End
> authority?
>
>
> Hello Ban Dan Bale Dale (one of those has to be correct :-),
>
> You wrote:
> >IBM:  Why do I have to play this game?  This is silly.  Where is this
> >documented?  How the h*ll can I administer a system if I'm doomed to
> >wait until after a user's attempt to use a function fails?
>
> The authorities for ALL XPF commands (and many of the LPP commands)
> are
> listed in an Appendix of the Security Reference manual -- which I see
> you
> eventually found.
>
> A cursory check of my system, which has lot's of IBM stuff installed,
> shows
> 1,767 commands in QSYS of which 1,403 have *PUBLIC *USE.  Most of
> those
> would have been shipped that way.  So most commands do allow public
> access.
> Many of those commands also require *IOSYSCFG (or some other) special
> authority for instance the various CFGTCPxxx commands.
>
> IBM ship commands that change the system, environment, or expose the
> system,
> with PUBLIC *EXCLUDE or require a special authority in order to
> protect you
> (and them from spurious accusations).  You must do something to
> reduce the security therefore they presume you know what you are
> doing.
>
> What most poeple do is make their operators, programmers, and
> administrators
> a member of the appropriate IBM-supplied profile (i.e., use QSYSOPR or
> QPGMR
> as a group profile).  I think that is wrong and you should create your
> own
> group profiles.  You can either duplicate the IBM ones or use the
> GRTUSRAUT
> command to give your group profiles they same object authority as the
> IBM
> ones.  Then you can remove sensitive commands from your group profiles
> and
> give them to only those people who really need them.
>
> You should decide the roles of your users, then check they have
> authority to
> the commands they need to fulfill that role.
>
> >I have what sounds like the same issue being discussed in a different
> >thread on this list.  It appears that commands generally (always?)
> >require *USE authority to be able to use them.  And the reason this
> >hasn't been an issue with most commands is that most commands are
> >shipped with *PUBLIC *USE (and not *EXCLUDE).
>
> You require at least *USE authority in order to use ANY object (not
> counting
> the IFS which has its own rules).
>
> Regards,
> Simon Coulter.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.