• Subject: Re: COMMAND AUTHORITY LOGIC
  • From: "Neil Palmer" <neilp@xxxxxxxxxxx>
  • Date: Tue, 12 Dec 2000 00:26:58 -0500


Well, the official answer is - you don't.  There may be a few individuals who could change that back, but I don't think they would want to spread that knowledge around.

If you tried to restore the individual object from a SAVSYS backup you would end up having to patch the system entry point table to refer to the restored object instead of the original one.  Not as complicated as changing the program to system state, but not something you probably want to attempt, or I would want to encourage.

SO, that leaves option 3.  You put the original command back by doing a SLIP install of the operating system.
- Manual IPL
- At selection screen, Install Operating System
- If restored from IBM CD's (and not your own SAVSYS taken after you last applied PTF's), reapply latest PTF cum package and any other individual PTF's you have applied.

If I were you, I would just live with your circumvention (granting Use authority to Public) until you resolve the situation by upgrading to a new release.
Would be interesting to see if someone doing a security audit could spot it !  :-)

...Aloha

Neil Palmer      DPS Data Processing Services Canada Ltd.
50 Acadia Avenue, Ste.102                   AS/400~~~~~
Markham, Ontario, Canada.   ____________          ___  ~    
Phone:(905) 474-4890 x303   |OOOOOOOOOO| ________  o|__||=  
Cell.:(416) 565-1682 x303   |__________|_|______|_|______)  
Fax:  (905) 474-4898         oo      oo   oo  oo   OOOo=o\  
mailto:NeilP@DPSlink.com  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.DPSlink.com     iSeries 400  The Ultimate Business Server



"oludare" <oludare@ix.netcom.com>
Sent by: owner-midrange-l@midrange.com

2000/12/11 13:06
Please respond to MIDRANGE-L

       
        To:        "AS/400 Midrange Usergroup" <MIDRANGE-L@midrange.com>
        cc:        
        Subject:        Re: COMMAND AUTHORITY LOGIC


Neil,

How do I change the parameter "State used to call program" from *USER to
*SYSTEM.  The parm only shows when a DSPOBJ is issue on QLICHLIB.

Thanks

Oludare

----- Original Message -----
From: "John Earl" <
johnearl@400security.com>
To: <
MIDRANGE-L@midrange.com>
Sent: Friday, December 08, 2000 3:56 PM
Subject: Re: COMMAND AUTHORITY LOGIC


> I believe this issue arises when you modify a system domain object
> (the CHGLIBL command).  When you modify it, the command becomes
> "user domain" and is no longer eligble to directly reference a
> system state program.
>
> You can verify this if you have QAUDJRN turned on.  Look for
> Journal Code "T" and journal type "AF".  Then scan the first byte
> of the data structure for the violation code of either "C" or
> "D".  If you find these litter uglies, then I've correctly
> diagnosed the problem.
>
> However, all of this assumes that you're at QSECURITY level 40 or
> 50.  If you're not, then I'm dead wrong.  :)
>
> jte
>
> oludare wrote:
>
> > Hey guys, I am on OS400 V4R3M0 Current CUM. I ran into a problem
> > this morning when I changed an IBM object CHGLIBL command. I
> > change the parameter call "program to process the command", by
> > mistake, and change it back to what it was but users ran into
> > problem with "Not authorized to QLICHLIB program".  The program
> > authority for users is *EXCLUDE before and after the change.  In
> > the end, I had to change QLICHLIB to PUBLIC *USE for them to
> > have access again. Question: How did user gain access to
> > QLICHLIB prior to the change.



As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.