Dan,

>>I think I know the answer to this, but I need to ask.  If a program's
adopted authority is *OWNER and the owner is king-of-everything/*ALLOBJ
security officer, etc. etc., and that program updates a file that is owned
by PAYROLL user and has *PUBLIC *EXCLUDE on it, will the program still
update that file?<<

Yes it will.

>>To expand on Larry's example, if a program with adopted authority
provides no access to a command line, can we consider ourselves "safe"? In
such a case, what happens when a user is in the middle of such a program,
and hits the Attn key to pull up Operational Assistant, hits F9=Command
Line, is the user still operating under the adopted authority of the
program he was in?<<

You are safe in the one situation you asked about. Adopted authority is not
propagated to the programs that process the Attn key or system request key.
How safe you are depends on the skill and knowledge of the people that
developed and maintain the application that adopts its owner's authority.
The best way to use adopted authority is to minimize the amount of
authority that is adopted and the length of time that it is adopted.

One of the obvious things to worry about when you must use adopted
authority is the other programs and commands that are invoked. One way to
avoid a Trojan horse situation is to fully library qualify the commands and
programs (including APIs) that the adopting program uses. And even if you
do this you may still have to worry about some of the exit programs that
are used by those interfaces. For example, if someone adds a validity
checking program (VCP) to a command used by the adopting program then the
VCP will be able to use that adopted authority. One way to minimize this
exposure is to set the QUSEADPAUT system value to not allow most users to
create programs that can accept propagated adopted authority.

Ed Fishel,
edfishel@US.IBM.COM
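Ed's three recommendations (library-qualify what the adopting program invokes, adopt as little authority for as short a time as possible, and use QUSEADPAUT to limit who can create programs that accept propagated adopted authority) fit together as a short CL sequence. The following is an added example, not code from Ed's reply or from IBM; only the PAYROLL owner comes from the thread, and the library PAYLIB, programs ADPPAY and UPDPAY, source member ADPPAY in QCLSRC, authorization list ADPAUTL and profile DEVTEAM are assumed names.

```cl
/* Added example, not from the thread. PAYLIB, ADPPAY, UPDPAY, ADPAUTL  */
/* and DEVTEAM are assumed names; PAYROLL is the file owner from Dan's  */
/* question.                                                             */

/* ---- 1. Limit who may create USEADPAUT(*YES) programs --------------- */
/* With QUSEADPAUT set to an authorization list, only profiles with *USE */
/* on that list can create or change a program to USEADPAUT(*YES), so a  */
/* program built by anyone else cannot accept propagated adopted authority.*/
CRTAUTL   AUTL(ADPAUTL) AUT(*EXCLUDE) +
          TEXT('May create USEADPAUT(*YES) programs')
ADDAUTLE  AUTL(ADPAUTL) USER(DEVTEAM) AUT(*USE)
CHGSYSVAL SYSVAL(QUSEADPAUT) VALUE('ADPAUTL')

/* ---- 2. Source member PAYLIB/QCLSRC,ADPPAY: the adopting wrapper ----- */
/* It exists only to wrap the one call that needs PAYROLL's authority.   */
/* Runtime commands (CALL, SNDPGMMSG) and every object they name are     */
/* library-qualified so that a same-named object earlier in the caller's */
/* library list cannot be substituted; PGM, DCL, MONMSG, ENDDO and       */
/* ENDPGM are resolved by the CL compiler.                               */
             PGM        PARM(&EMPNO)
             DCL        VAR(&EMPNO) TYPE(*CHAR) LEN(6)
             QSYS/CALL  PGM(PAYLIB/UPDPAY) PARM(&EMPNO)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                QSYS/SNDPGMMSG MSGID(CPF9898) MSGF(QSYS/QCPFMSG) +
                  MSGDTA('Payroll update failed for' *BCAT &EMPNO) +
                  MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM

/* ---- 3. Create it so that it adopts PAYROLL, not an *ALLOBJ profile -- */
/* USRPRF(*OWNER) adopts the owner's authority; USEADPAUT(*NO) stops     */
/* ADPPAY from also inheriting adopted authority from its own callers.   */
/* UPDPAY keeps the default USEADPAUT(*YES) so it can use PAYROLL's      */
/* authority while ADPPAY is on the call stack; on return it is gone.    */
CRTCLPGM  PGM(PAYLIB/ADPPAY) SRCFILE(PAYLIB/QCLSRC) SRCMBR(ADPPAY) +
          USRPRF(*OWNER) USEADPAUT(*NO) AUT(*USE)
CHGOBJOWN OBJ(PAYLIB/ADPPAY) OBJTYPE(*PGM) NEWOWN(PAYROLL)

/* ---- 4. Checks an auditor can run ------------------------------------ */
DSPPGMADP USRPRF(PAYROLL)     /* every program that adopts PAYROLL      */
DSPPGM    PGM(PAYLIB/ADPPAY)  /* confirm *OWNER and USEADPAUT(*NO)      */
DSPCMD    CMD(QSYS/CALL)      /* validity checking program should be *NONE */
```

The menu or interactive program that the user sits in should not adopt at all; it calls PAYLIB/ADPPAY right before the update and the adopted authority ends when ADPPAY returns, which is what keeps both the amount and the duration of adopted authority small. DSPCMD on each command the wrapper invokes is the check for the validity checking program exposure Ed describes.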
