1.  Home
  2. MIDRANGE-L
  3. December 1997

Re: Library List.

  • Subject: Re: Library List.
  • From: John Earl <johnearl@xxxxxxxxxx>
  • Date: Wed, 10 Dec 1997 22:22:41 -0800
 

At 09:39 PM 12/9/97 -0500, you wrote:
>"...for security reasons..."????? What security concerns would have you move
>these 2 system libraries to the bottom of the user list?
>

Walden,

For starters, prior to V3R7 both libraries came shipped with *PUBLIC
authority *CHANGE, which means that a body could add a program to this
library that would get invoked instead of some legitimate program.  This can
be a security exposure when you have any sort of security rules enforced by
a program (which is common).  A classic example would be the joe-programmer
that puts a near replica of the payroll program in QUSRSYS, with a minor
modification that enriches the programmer in some way.  When
Jane-payroll-clerk runs payroll, he calls joe-programmer's bogus version (by
virtue of it's place in the library list) and perfoms the dirty deed under
her own profile.  There are even simpler and more damaging versions of this
hack, but you get the idea.  Hacks like this can be difficult to detect.
I've worked at a couple of banks where all ad-hoc manipulations of the
library list were prohibited.  No ADDLIBLE, no CHGLIBLE, no CHGJOBD, etc.
Any program that had the ability to manipulate the library list was
scrutinized intensly.

It's kind of a new concept to those of us who grew up using and loving
library lists, but it is a fact of AS/400 security.

jte


>-Walden
>-----Original Message-----
>From: MCPARTLAND, Stan <stanley.mcpartland@bently.com>
>To: 'MIDRANGE-L@midrange.com' <MIDRANGE-L@midrange.com>
>Date: Tuesday, December 09, 1997 3:26 PM
>Subject: RE: Library List.
>
>
>>If my memory serves me right, QUSRSYS and QHLPSYS first showed up in
>>1988 on the AS/400.  They were not present on the S/38.  We have moved
>>both libraries to the bottom of the user portion of the library list
>>for security reasons.  Some third party software has difficulties with
>>this, especially in the installation routines.  They replace the user
>>portion of the library list and assume that QUSRSYS and QHLPSYS are in
>>the system portion of the library list.  As long as you are aware of
>>this and investigate before running the installation you should not
>>have any problems.
>>
>>Regards,
>>Stan
>>------------------------------------------
>>Stanley A. McPartland
>>Bently Nevada Corporation
>>1617 Water St; Minden, NV  89423  USA
>>Voice: (702) 782-9339  Fax: (702) 782-1382
>>E-mail: stanley.mcpartland@bently.com
>>------------------------------------------
>
>
>+---
>| This is the Midrange System Mailing List!
>| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
>| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
>| Questions should be directed to the list owner/operator: david@midrange.com
>+---
>umidr
>
>

--

John Earl       Lighthouse Software Inc.
8514 71st NW    Gig Harbor, WA 98335
253-858-7388    johnearl@lns400.com

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.