Re: Commands for Limited Users

John - is this list commands they can execute from a command line, or the
total list of commands they can execute, even if the command is within
a clp program (assuming normal auth to the pgm, not adopted, and the program
executing under the authority of the user of the program, not the owner)?

can do on a command line.
Jim Franz

Sent: Tuesday, August 29, 2006 4:59 PM
Subject: Re: [Security400] Commands for Limited Users

Dave,

I'm reciting this from memory, so it may not be an exhaustive list, but
if I recall correctly there were somewhere around 8 commands shipped
with the operating system that are available to limited users.  Let's
see which ones I can remember, and then we'll see if others can chime in
with any I may have missed.

DSPJOB
DSPJOBLOG
DSPMSG
SIGNOFF
SNDMSG
STRPCO
WRKENVVAR
WRKMSG

Of these, SIGNOFF is virtually essential, and the three "DSP" and the
SNDMSG command are relatively inconsequential risk (assuming you are
doing appropriate tightening elsewhere, as you have said).  STRPCO is
risky, and probably completely unnecessary, and, absent a specific
reason to leave them open, the WRKENVVAR and WRKMSG could afford to be
restricted as well.

This list only includes commands that are allowed by Limited Capability
users as shipped from the factory.  You may have more OS commands or
application commands that have been opened to Limited Capability users
as well.  There is at least one commercial product (uh, why yes, that
would be a PowerTech product :) ) that will show you this list quickly
in a single report (and help you ensure that the list stays constant),
but I am not aware of any automated facility in the OS that will track
this parameter for you.

HTH,

jte


--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com
Celebrating our 10th Anniversary Year!



This email message and any attachments are intended only for the use of
the intended recipients and may contain information that is privileged
and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message, or by telephone, and delete
the message from your email system.
--

-----Original Message-----
From: security400-bounces@xxxxxxxxxxxx
[mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of
Turnidge, Dave
Sent: Tuesday, August 29, 2006 11:19 AM
To: Security Administration on the AS400 / iSeries
Subject: [Security400] Commands for Limited Users

I am trying to get a handle on security on our systems,
and have now
arrived at "Commands for Limited Users." I have an Excel
spreadsheet
which has all the commands in this category on our
systems.

First, I would like to know what are the commands for
limited users that
come with the system as shipped from IBM. Second, do you
agree with that
list? I.e., should there be ANY commands available to
limited users?

I await your reply.

Thank you,

Dave

_______________________________________________
This is the Security Administration on the AS400 / iSeries
(Security400) mailing list
To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the
archives
at http://archive.midrange.com/security400.

_______________________________________________

This is the Security Administration on the AS400 / iSeries (Security400) mailing list

To post a message email: Security400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/security400
or email: Security400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/security400.