Dan,

>>I think I know the answer to this, but I need to ask. If a program's adopted authority is *OWNER and the owner is king-of-everything/*ALLOBJ security officer, etc. etc., and that program updates a file that is owned by PAYROLL user and has *PUBLIC *EXCLUDE on it, will the program still update that file?<<

Yes it will.

>>To expand on Larry's example, if a program with adopted authority provides no access to a command line, can we consider ourselves "safe"? In such a case, what happens when a user is in the middle of such a program, and hits the Attn key to pull up Operational Assistant, hits F9=Command Line, is the user still operating under the adopted authority of the program he was in?<<

You are safe in the one situation you asked about. Adopted authority is not propagated to the programs that process the Attn key or system request key. How safe you are depends on the skill and knowledge of the people that developed and maintain the application that adopts its owner's authority.

The best way to use adopted authority is to minimize the amount of authority that is adopted and the length of time that it is adopted. One of the obvious things to worry about when you must use adopted authority is the other programs and commands that are invoked. One way to avoid a Trojan horse situation is to fully library qualify the commands and programs (including APIs) that the adopting program uses. And even if you do this, you may still have to worry about some of the exit programs that are used by those interfaces. For example, if someone adds a validity checking program (VCP) to a command used by the adopting program, then the VCP will be able to use that adopted authority. One way to minimize this exposure is to set the QUSEADPAUT system value to not allow most users to create programs that can accept propagated adopted authority.

Ed Fishel, edfishel@US.IBM.COM
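
The mitigations described in the reply above (library-qualified calls, checking commands for a validity checking program, and restricting QUSEADPAUT), shown as an added CL example that is not part of the original post. APPLIB, PAYUPD, PAYCALC, PAYIN, PAYHIST, PAYOWNER, ADOPTDEVS and DEVLEAD are constructed placeholder names.

```cl
/* Added example. All object, library and profile names are          */
/* constructed placeholders, not values from the original post.      */

/* 1. Gate who may create programs that accept propagated adopted    */
/*    authority: QUSEADPAUT names an authorization list, and only    */
/*    users with *USE to that list can create or change programs     */
/*    with USEADPAUT(*YES).                                          */
CRTAUTL    AUTL(ADOPTDEVS) AUT(*EXCLUDE) +
             TEXT('May create USEADPAUT(*YES) programs')
ADDAUTLE   AUTL(ADOPTDEVS) USER(DEVLEAD) AUT(*USE)
CHGSYSVAL  SYSVAL(QUSEADPAUT) VALUE(ADOPTDEVS)

/* 2. The adopting program adopts its owner's authority but does     */
/*    not itself pick up authority adopted earlier in the call stack.*/
CHGPGM     PGM(APPLIB/PAYUPD) USRPRF(*OWNER) USEADPAUT(*NO)

/* 3. Inside the adopting program's source: library-qualify every    */
/*    program and command so the library list cannot substitute a    */
/*    same-named object.                                             */
CALL       PGM(APPLIB/PAYCALC)
QSYS/CPYF  FROMFILE(APPLIB/PAYIN) TOFILE(APPLIB/PAYHIST) MBROPT(*ADD)

/* 4. Review: check whether a command used by the adopting program   */
/*    has a validity checking program attached, and list the         */
/*    programs that adopt the owning profile.                        */
DSPCMD     CMD(QSYS/CPYF)
DSPPGMADP  USRPRF(PAYOWNER) OUTPUT(*PRINT)
```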
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.