1.  Home
  2. MIDRANGE-L
  3. November 2003

Re: Not a security person but.

According to the help on CHGUSRPRF EXODUS should have had enough authority 
to change  BPHOPKINS and add *IOSYSCFG.  Granted they did have *ALLOBJ, 
but they didn't have *SECADM:

Restrictions: 
 
  1.  You must have *SECADM special authority, and *OBJMGT and *USE
      authorities to the user profile being changed to specify this
      command. 
 
  2.  You must have *USE authority to any of the following if 
      specified: the current library, program, menu, job 
      description, message queue, print device, output queue, and 
      ATTN key handling program. 

Rob Berendt
-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." 
Benjamin Franklin 




"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:45 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
Re: Not a security person but.






As BHOPKINS I did not have *IOSYSCFG but I had the ability to change 
EXODUS user's password and removed *signoff. I was then able to signon as 
EXODUS and change BHOPKINS to have *IOSYSCFG. Which BHOPKINS was not 
suppose to have.  my profile was BHOPKINS below.  Was trying to show to 
the Ops Manager why they should not have *secofr or *secadm unless needed. 

His thought was that since he did not give them *IOSYSCFG that they could 
not do those things. I was showing otherwise. But I'm not sure what would 
be be go security set up to group/limit these people. Probably just need 
to do some reading tonight.

Sorry Rob I think about 20 pages ahead of what I type, it doesn't always 
come out as clear as talking. Hell sometimes that doesn't even work right. 

lol 

Hope that is clearer.
Bill Hopkins 





rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:10 AM
Please respond to Midrange Systems Technical Discussion

 
        To:     Midrange Systems Technical Discussion 
<midrange-l@xxxxxxxxxxxx>
        cc: 
        Subject:        Re: Not a security person but.


You left me a little confused:
EXODUS had *ALLOBJ and had *IOSYSCFG and initial menu of *SIGNOFF.
Then you changed EXODUS, with your special id, and gave them a password 
and removed their initial menu of *SIGNOFF.
This person was able to sign on and change what?  You said they gave 
themselves *IOSYSCFG.  However, by your writing, it looks like they 
already had it.

Rob Berendt
-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." 
Benjamin Franklin 




"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 10:48 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
MIDRANGE-L@xxxxxxxxxxxx
cc

Subject
Not a security person but.






This is what I was able to do:

My profile 
*SECOFR 
*ALLOBJ 
*JOBCTL 
*SECADM 
*SERVICE
*SPLCTL 
has init pgm and menu.

EXODUS server profile
*ALLOBJ 
*IOSYSCFG 
has *signoff

I changed EXODUS to have new password the changed to 
have init pgm and menu. I then signon as EXODUS and changed my profile 
to have *IOSYSCFG special authority. Signed back on and started my own 
server.

What should I suggest to the Ops Manager to correct this work around? 
Besides just changing my profile :) Others are out there like this( mainly 



contractors ) and I'm 
afraid they might come back after they leave. Should I voice my concern or 



is there one.
Client did know of my actions so I wasn't doing this in the dark just 
showing it to him. But my knowledge is limited in 
this side of things what direction should he go.

Thanks 
Bill Hopkins
_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.