RE: QTEMP in LIBL (Was Re: OVRDBF problem or maybe itis earlyAlzheimer's

True, although there's quite a bit of setup to allow this sort of mechanism.  
Presumably, the job has to register itself in its initial program, set up a 
message queue, register a break handler, and so forth.  I suppose this could be 
installed as malware in a software product.....  All in all, QTEMP hardly seems 
like a convenient vector for malicious code....

Eric DeLong
Sally Beauty Company
MIS-Project Manager (BSG)
940-297-2863 or ext. 1863



-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Tyler, Matt
Sent: Wednesday, July 12, 2006 3:57 PM
To: Midrange Systems Technical Discussion
Subject: RE: QTEMP in LIBL (Was Re: OVRDBF problem or maybe itis
earlyAlzheimer's


<snip>
Only the current job/user is able to see and work with the QTEMP library
for any given job, so that would seem to remove the security risk,
unless it is 
the current user that is causing the risk.
</snip>

This is not true.  I have a command I got off the web called RUNJOBCMD
that allows you to create a CL program that can run CRTDUPOBJ as if it
ran in that job's job stack and under that user profile.  

I use it to grab temporary data files in certain jobs. Other than that I
find no real use for this command. 

http://code.midrange.com/index.php?id=499277f699

RUNJOBCMD JOBNAME()             
          JOBUSER()                  
          JOBNUMBER()              
          COMMAND('call pgmt/$$$$$$$$$$')

While I think this is a small risk compared to Windows platforms, it
still exists. 


Thanks, Matt