I thought that since they had *IOSYSCFG that that was the reason they were
able to change another profile to have. Because I know that is all EXODUS
had I copied from profile straight to post in original email. Also know
they were not in any kind of group EXODUS could have gotten that power
from. Strange, I'll play with it and see if I why if that is the case.
I know it worked because that is how I got the server to run. The software
requires QSECOFR or QSECOFR group and *IOSYSCFG. BHOPKINS was in QSECOFR
group but did not have *IOSYSCFG. That is why I borrowed from EXODUS.
Thanks for your help
Bill Hopkins
rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 01:44 PM
Please respond to Midrange Systems Technical Discussion
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Not a security person but.
Correction should NOT have had...
Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
Benjamin Franklin
rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 01:29 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc
Subject
Re: Not a security person but.
According to the help on CHGUSRPRF EXODUS should have had enough authority
to change BHOPKINS and add *IOSYSCFG. Granted they did have *ALLOBJ,
but they didn't have *SECADM:
Restrictions:
1. You must have *SECADM special authority, and *OBJMGT and *USE
authorities to the user profile being changed to specify this
command.
2. You must have *USE authority to any of the following if
specified: the current library, program, menu, job
description, message queue, print device, output queue, and
ATTN key handling program.
Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
Benjamin Franklin
"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:45 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc
Subject
Re: Not a security person but.
As BHOPKINS I did not have *IOSYSCFG but I had the ability to change
EXODUS user's password and removed *signoff. I was then able to sign on as
EXODUS and change BHOPKINS to have *IOSYSCFG. Which BHOPKINS was not
supposed to have. My profile was BHOPKINS below. Was trying to show to
the Ops Manager why they should not have *secofr or *secadm unless needed.
His thought was that since he did not give them *IOSYSCFG that they could
not do those things. I was showing otherwise. But I'm not sure what would
be a good security setup to group/limit these people. Probably just need
to do some reading tonight.
Sorry Rob I think about 20 pages ahead of what I type, it doesn't always
come out as clear as talking. Hell sometimes that doesn't even work right.
lol
Hope that is clearer.
Bill Hopkins
rob@xxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 11:10 AM
Please respond to Midrange Systems Technical Discussion
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
cc:
Subject: Re: Not a security person but.
You left me a little confused:
EXODUS had *ALLOBJ and had *IOSYSCFG and initial menu of *SIGNOFF.
Then you changed EXODUS, with your special id, and gave them a password
and removed their initial menu of *SIGNOFF.
This person was able to sign on and change what? You said they gave
themselves *IOSYSCFG. However, by your writing, it looks like they
already had it.
Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
Benjamin Franklin
"Bill Hopkins" <BHopkins@xxxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/14/2003 10:48 AM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To
MIDRANGE-L@xxxxxxxxxxxx
cc
Subject
Not a security person but.
This is what I was able to do:
My profile
*SECOFR
*ALLOBJ
*JOBCTL
*SECADM
*SERVICE
*SPLCTL
has init pgm and menu.
EXODUS server profile
*ALLOBJ
*IOSYSCFG
has *signoff
I changed EXODUS to have new password then changed to
have init pgm and menu. I then signed on as EXODUS and changed my profile
to have *IOSYSCFG special authority. Signed back on and started my own
server.
What should I suggest to the Ops Manager to correct this workaround?
Besides just changing my profile :) Others are out there like this (mainly
contractors) and I'm afraid they might come back after they leave. Should
I voice my concern or is there one.
Client did know of my actions so I wasn't doing this in the dark just
showing it to him. But my knowledge is limited in
this side of things, what direction should he go.
Thanks
Bill Hopkins
_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
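
An audit sketch for the situation discussed in this thread, added here as an example and not written by any of the posters: it lists which profiles can reach special authorities they were never assigned by changing another profile and signing on as it. It models only the CHGUSRPRF restriction quoted in the thread (*SECADM plus *OBJMGT and *USE on the target) and assumes *ALLOBJ satisfies the object-authority part for every profile; HELPDESK, CONTR1, OPER1 and the per-profile authority sets are constructed sample data.

```python
# Added example. Each entry: (special authorities, profiles this user holds
# *OBJMGT and *USE on). BHOPKINS and EXODUS come from the thread; the rest is constructed.
PROFILES = {
    "BHOPKINS": ({"*ALLOBJ", "*JOBCTL", "*SECADM", "*SERVICE", "*SPLCTL"}, set()),
    "EXODUS":   ({"*ALLOBJ", "*IOSYSCFG"}, set()),
    "HELPDESK": ({"*SECADM"}, {"CONTR1"}),          # constructed
    "CONTR1":   ({"*SECADM", "*ALLOBJ"}, set()),    # constructed
    "OPER1":    ({"*JOBCTL", "*SPLCTL"}, set()),    # constructed
}

def changeable(name, profiles):
    """Profiles `name` may run CHGUSRPRF against under the quoted restriction."""
    special, managed = profiles[name]
    if "*SECADM" not in special:
        return set()
    if "*ALLOBJ" in special:   # assumption: *ALLOBJ covers *OBJMGT/*USE on every profile
        return set(profiles) - {name}
    return managed & set(profiles)

def reachable(name, profiles):
    """Union of special authorities over every profile `name` can take over, transitively."""
    seen, stack = {name}, [name]
    auths = set(profiles[name][0])
    while stack:
        for target in changeable(stack.pop(), profiles) - seen:
            seen.add(target)
            stack.append(target)
            auths |= profiles[target][0]
    return auths

def escalation_report(profiles):
    """Map each profile to the authorities it can reach but was not assigned."""
    report = {}
    for name, (special, _) in profiles.items():
        extra = reachable(name, profiles) - special
        if extra:
            report[name] = sorted(extra)
    return report

if __name__ == "__main__":
    for user, extra in escalation_report(PROFILES).items():
        print(f"{user}: can also reach {', '.join(extra)}")
```
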
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].