|
>>It has been a VERY LONG TIME since PWRDWNSYS had *PUBLIC *USE authority. >>It was that way on S/38 CPF 8.0 and possibly for early OS/400 releases but >>IBM have shipped PWRDWNSYS with severe restrictions for a very long time Your right Simon, I did not realize that, thanks for pointing that out to me! Justin -----Original Message----- From: midrange-l-admin@midrange.com [mailto:midrange-l-admin@midrange.com] On Behalf Of Simon Coulter Sent: Thursday, September 05, 2002 7:40 PM To: midrange-l@midrange.com Subject: Re: PWRDWNSYS - Trivia Hello Justin, You wrote: >... First of all I would strip all authority from the PWRDWNSYS command so >that only QSECOFR could issue the command ... I'm not picking on you specifically. You were just the first to make this suggestion. It has been a VERY LONG TIME since PWRDWNSYS had *PUBLIC *USE authority. It was that way on S/38 CPF 8.0 and possibly for early OS/400 releases but IBM have shipped PWRDWNSYS with severe restrictions for a very long time. PWRDWNSYS is restricted to QSECOFR, any user with *ALLOBJ, and is specifically authorised to QSYSOPR. That's it! Oh, the security reference also says you also need *JOBCTL before you can run it. That's pretty secure. If your ordinary joe/janet users can run PWRDWNSYS then: a) Your users have far too much authority b) You are running at QSECURITY less than 30 c) You run some crappy ERP system that requires users to have *ALLOBJ and/or *JOBCTL -- think Just Don't Ever d) *PUBLIC have been specifically granted rights to PWRDWNSYS e) Your security officer is an idiot in which case you get what you deserve. IBM can't protect the fools from themselves. P.S. IT Managers are the bane of Operations. Someone recounted the annecdote of one intending to prompt PWRDWNSYS but presssing Enter. My idiot manager pressed the Load button on the S/38 (because the IPL was taking too long, or he liked the pretty colour of the Load button -- light sky blue as I recall, or something equally lame). We'd had a power failure, the system was on UPS, and had shutdown normally. I had dialled IPL on the rotary switches and had left it IPLing while I popped out for something. Foolishly, I had left the rotary switches where they were. Needless to say I always disabled the rotary switches immediately they had been used after that episode. The same manager also switched off a 9332 drive to 'prove' checksum worked which resulted in me buying a set of perspex power switch covers. He thought the system would keep running. Jeez! Regards, Simon Coulter. -------------------------------------------------------------------- FlyByNight Software AS/400 Technical Specialists http://www.flybynight.com.au/ Phone: +61 3 9419 0175 Mobile: +61 0411 091 400 /"\ Fax: +61 3 9419 0175 mailto: shc@flybynight.com.au \ / X ASCII Ribbon campaign against HTML E-Mail / \ -------------------------------------------------------------------- _______________________________________________ This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l or email: MIDRANGE-L-request@midrange.com Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
