Set up a user profile that calls the command ENDPASTHR - and you're

outta there...



User profile . . . . . . . . . . > ENDPASTHR     Name



User password  . . . . . . . . .   *SAME         Character value,
*SAME,

*NONE

 

[jte] <snip>

 

Initial program to call  . . . .   ENDPASTHR     Name, *SAME, *NONE



 Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB



Initial menu . . . . . . . . . .   *SIGNOFF      Name, *SAME, *SIGNOFF



 Library  . . . . . . . . . . .                 Name, *LIBL, *CURLIB



Limit capabilities . . . . . . .   *NO           *SAME, *NO, *PARTIAL,

*YES

 

In light of Al's excellent suggestion to use ' 132', I would recommend
retiring this 'ENDPASTHR' profile with its default password.   Looking
at the profile I see a number of problems with it that open your system
to attack.

 

1.    ENDPASTHR user has a default password.  I assume this is so that
multiple people can use this capability.  This, however, violates the
rule of having each person signon with their own User ID so that all
actions are separately traceable.  Someone might argue that no-one can
do anything with this profile other than ENDPASTHR, but...

2.    ...As Rob pointed out, the profile is not limited capability,
allowing anyone using it to modify the initial program or initial menu.
This allows someone to signon to your system with this profile and
receive a command line, and access to anything *PUBLIC has access to.

3.    The initial program is not qualified to a library - so even after
you change the user id to LMTCPB(*YES), a clever programmer or operator
could place another program called 'ENDPASTHR' higher in the library
list than this program (Where?  hint: does *PUBLIC have *CHANGE rights
to QSYS?) and cause the signon process to call their program rather than
yours.

4.    The default password would also give anyone access to the system
through interfaces that do not use the QDSIGNON screen.  FTP, ODBC, and
remote command are three simple interfaces that come to mind.  Once
signed on, the ENDPASTHR user would have access to anything that *PUBLIC
has access to.

5.    Surely there are more hacks than this with a default profile -
these are just those that I can easily remember.  

 

Shared profiles are just a bad idea all the way around.  They tend to be
unaccountable and often not traceable, and because the passwords are
shared, the password distribution tends to grow dramatically over the
life of the profile (A user's attitude can be "Hey - if it's a shared
profile, why should it matter if I tell someone else what the password
is?").

 

jte

 

 

--

John Earl, VP and Chief Technology Officer

PowerTech:   253-872-7788

Direct:          253-479-1408

John.Earl@xxxxxxxxxxxxx

 

 

 

First Annual PowerTech Customer User Group - iNSIGHT '07 -- March 4-6,
2007 in Las Vegas, NV

iNSIGHT '07 is the only conference focused on System i security and
compliance issues.  

Learn more! www.powertech.com/insight.asp

 

===========================

This email message and any attachments are intended only for the use of
the intended recipient named above and may contain information that is
privileged and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message or by telephone and delete the
message from your email system. Thank you.

 

 


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.