1.  Home
  2. MIDRANGE-L
  3. February 2004

RE: Can We retire the QSECOFR userid?

Hi Rob

you asked first so I'll respond to you :)

The major difference I see is that QSECOFR is a published well known (yes, the hackers know it) profile.

My preference is to create QSECOFR class profiles and use those where required, as well as a QSYSOPR/QPGMR class profile for more general activities depending on what I am doing. I'd confess it's usually closer to QSECOFR and the operators get menus :)

All QSECOFR class profiles including QSECOFR have auditing turned on. Any activity on the unused profile is monitored.

The main reason I do this is that in the event that the SECOFR class profile is disabled, password forgotten or something happens there is a known profile with a recorded password available to get root access to the system. Better that some external party can ask for the QSECOFR password which is certain to have not changed as it has not been in general use.

How many people do you think religiously write down the QSECOFR password and store it immediately on changing it ? I'd be willing to bet that they think "I'll get to it later after I've finished my coffee" as people usually change their password first thing in the morning when they are forced to. All those who are highly disciplined exceptions to the rule need not correct me :)

If you have ever tried to break into a V5R2 system without QSECOFR because the only QSECOFR guy used it, changed it and forgot it you'll know what I mean. Even profile swapping will not work if you do not have another QSECOFR class profile *WITH* *SECADM. *ALLOBJ is not sufficient to swap to QSECOFR to allow you to reset the DST password (which has also been forgotten) to allow you to change the QSECOFR password.

If you have to create a complete QSECOFR copy to allow you to fix any QSECOFR problems best you create one and while your at it create a DST back door with all rights.

Regards
Evan Harris

Does anyone really see a difference between having the generic QSECOFR or
a generic MYSECOFR with the same authorities?  Granted, there are some
very limited applications where you must be QSECOFR, (ptf's ain't one of
them).  But does creating the MYSECOFR give you any additional security?
None that I can think of.  Oh, I suppose you could disable QSECOFR and
then a hack trying it would have a bear of a time getting in.  But, other
than that?  If so, why bother?

Rob Berendt




As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.