|
Well, isn't THAT special. We just went through a change making all programs that are submitted to adopt the owner's authority. So far so good. However, what is not so good is the "outdated" comment. Could you go into a little bit of detail about what you have done to not need adoption. I'm would like to picture what kind of effort would be required to accomplish what it is you are talking about. -----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of David Morris Sent: Thursday, September 07, 2006 12:30 PM To: Security Administration on the AS400 / iSeries Subject: Re: [Security400] Commands for Limited Users Phil, Adopted authority is nearly as outdated as limited capability. It doesn't work well with triggers or IFS files and is incompletely implemented. Adoption is ineffective in exits but based on your message you may have overcome some of the limitations I have run up against. The biggest reason to avoid adoption is that it is often implemented incorrectly and is frequently the source of serious security problems. A few years back, I started using a technique that gives similar function by swapping in or setting effective groups and supplemental groups. --David Morris -----Original Message----- From: security400-bounces@xxxxxxxxxxxx [mailto:security400-bounces@xxxxxxxxxxxx] On Behalf Of Phil Ashe Sent: Thursday, September 07, 2006 10:09 AM To: Security Administration on the AS400 / iSeries Subject: Re: [Security400] Commands for Limited Users John: ...I have three basic problems with LMTCPB and commands. 1) It's obsolete in that it hasn't been updated to check commands in newer interfaces. [limited scope] 2) It's checked after the user has already been determined to have object authority to the command. 3) It's difficult to find the LMTCPB "violations". They aren't placed in the system audit journal. [more obsolescence] ...I would use adopted authority for access through the expected application interfaces and use proxy commands to limit the use of EDTF or DFU to well-defined views of the data, then take away the data rights to the file. The object authority is still checked on the remote server interfaces. If you need access to the file from one or more remote servers, you can use exit programs to give you this authority... Phil Ashe _______________________________________________ This is the Security Administration on the AS400 / iSeries (Security400) mailing list To post a message email: Security400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/security400 or email: Security400-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/security400.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.