Sorry, John, I've been at iSeries DevCon all week speaking.  Nine sessions
in three days, and there's not a lot of time left over for email <grin>.

I'm pretty comfortable with what you've related.  Averages are averages, and
there are some pretty stinky machines out there that skew the averages a
bit.  At the same time, there are some issues.

And third, relative to the JOBD exploit at QSECURITY level 30 and 40, if
you have a JOBD with a user ID attached (such as QGPL/QBATCH, which has
QPGMR attached), and you are at QSECURITY level 30, and the user has
*USE authority to just the JOBD, the user could submit a job as user
QPGMR.  At QSECURITY level 40 or 50 the user needs not only *USE
authority to the JOBD, but also *USE authority to the user ID QPGMR in
order to submit a job as QPGMR.  That is a pretty significant difference
between level 30 and higher.

I understand your point; that's probably why QBATCH is shipped without
*PUBLIC use authority.  But the knee-jerk reaction is to give QBATCH *USE
access to everyone (because everybody needs to submit jobs!), and that opens
up the hole.  To be fair, it's not a huge hole; I don't know how many people
give QPGMR dangerous authority.  But it's certainly a hole.

The pointer issue is a bigger one.  I've proofed the MI exploit, but I've
never done it using RPG.  I don't want to know the code, but have you
actually managed to get this to work via RPG?

Joe
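
The JOBD rule quoted in the message above, as an added example that is not part of the original post: a small Python model of the two authority checks at QSECURITY 30 versus 40/50, used to audit job descriptions. The class, function names and sample records are constructed for illustration, and the model covers only the checks described in the message, not the full IBM i authority algorithm.

```python
from dataclasses import dataclass, field

@dataclass
class JobD:
    name: str                 # library/object, e.g. QGPL/QBATCH
    user: str                 # USER attribute: a profile name, or *RQD if none attached
    use_auth: set = field(default_factory=set)  # who holds *USE on the JOBD

def holds(grantees, who):
    """True if `who` is granted directly or through *PUBLIC."""
    return who in grantees or "*PUBLIC" in grantees

def can_submit_as(jobd, submitter, qsecurity, profile_use):
    """Can `submitter` run a job under jobd.user through this JOBD?"""
    if qsecurity not in (30, 40, 50):
        raise ValueError("only the levels discussed in the message are modeled")
    if jobd.user == "*RQD" or not holds(jobd.use_auth, submitter):
        return False
    if qsecurity == 30:
        return True           # level 30: *USE on the JOBD alone is enough
    # level 40/50: *USE on the attached user profile is also required
    return holds(profile_use.get(jobd.user, set()), submitter)

def audit(jobds, qsecurity, profile_use, submitter="*PUBLIC"):
    """List (JOBD, attached profile) pairs the submitter can borrow."""
    return [(j.name, j.user) for j in jobds
            if can_submit_as(j, submitter, qsecurity, profile_use)]

# Constructed sample data: QBATCH after the "give everyone *USE" change.
JOBDS = [
    JobD("QGPL/QBATCH", "QPGMR", {"*PUBLIC"}),
    JobD("APPLIB/NIGHTLY", "*RQD", {"*PUBLIC"}),   # hypothetical JOBD, no profile attached
    JobD("APPLIB/ADMIN", "QSECOFR", {"OPSLEAD"}),  # hypothetical, private grant only
]
PROFILE_USE = {"QPGMR": set(), "QSECOFR": set()}   # nobody holds *USE on the profiles

if __name__ == "__main__":
    for level in (30, 40):
        print(level, audit(JOBDS, level, PROFILE_USE))
```

With the sample data, the same JOBD grants are flagged at level 30 and clear at level 40, which is the difference the quoted paragraph describes.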


This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
