> -----Original Message-----
> From: Lim Hock-Chai [mailto:Lim.Hock-Chai@xxxxxxxx]
> Sent: Tuesday, November 16, 2004 9:33 AM
> To: midrange-l@xxxxxxxxxxxx
> Subject: security hole in interactive sql call statement?
> 
> 
> We have a menu option that allows programmers to get into 
> interactive SQL (STRSQL) on our production box.  Our 
> production files are secured to allow only view-only access 
> for programmers.  This works well with the exception of the 
> CALL statement.  
>  
> Here is the problem: 
> The programmer's user profile is set to Limit Capabilities *YES.  
> However, in STRSQL, he/she can actually do this to execute a 
> command: CALL qcmdexc('WRKACTJOB',000000009.00000), or call 
> any program.  
>  
> Is this a security hole on AS400? 

Nope, working as designed.


>  
> Is there a way to lock down call statement in STRSQL?

Don't know if an exit program exists, but if it does you could use that.

>  
> thanks
> 
> 

Repeat after me: "menu security", i.e. depending on a fixed set of menus and
LMTCAP(*YES) to restrict access, is not a valid solution in today's
environment.

You need a properly designed and implemented security model using OS/400's
object-oriented security.

If your programmers shouldn't be allowed to do a WRKACTJOB, then they
shouldn't have authority to the WRKACTJOB command.

HTH,
Charles
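The object-authority approach Charles recommends, written out as CL commands; this is an added illustration, not code from the thread. The group profile names PGMRGRP (programmers) and OPSGRP (operators) are assumed placeholders.

```cl
/* Added example, not from the thread: restrict WRKACTJOB by object       */
/* authority on the command itself rather than by menus.                   */
/* PGMRGRP and OPSGRP are assumed group profile names; adjust to your own. */

/* 1. Take away the public's ability to run the command at all.           */
GRTOBJAUT OBJ(QSYS/WRKACTJOB) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

/* 2. Give only the operations group *USE authority to the command.        */
GRTOBJAUT OBJ(QSYS/WRKACTJOB) OBJTYPE(*CMD) USER(OPSGRP) AUT(*USE)

/* 3. Make sure the programmer group holds no leftover private authority. */
RVKOBJAUT OBJ(QSYS/WRKACTJOB) OBJTYPE(*CMD) USER(PGMRGRP) AUT(*ALL)

/* 4. Review the resulting authorities on the command object.             */
DSPOBJAUT OBJ(QSYS/WRKACTJOB) OBJTYPE(*CMD)
```

Because the check is on the command object, it applies however the command is invoked, including through QCMDEXC from STRSQL. Profiles holding *ALLOBJ special authority bypass object authority entirely, so also confirm with DSPUSRPRF that programmer profiles do not have it.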

