John,

Didn't realize the swap profile API's would actually allow that, but have just tried and sure enough. Same with ADDJOBSCDE. I had expected ADDJOBSCDE to behave the same as SBMJOB, obviously not. Cat just got skinned...

Crispin.

----- Original Message ----- From: "John Earl" <john.earl@xxxxxxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Thursday, April 03, 2008 2:14 AM
Subject: RE: Anti-virus for i5OS


Forgive me if I'm wrong here, wouldn't be the first time, but
I thought the following applied, at least at security level 40...

For the purposes of this discussion of special authorities, QSECURITY
level 40 has little or no bearing.


You need at least *SECADM authority to change a user profile,
*ALLOBJ is not enough.

True. To the best of my knowledge, it has always been this way.

You can't submit a job as QSECOFR even if you do have
*ALLOBJ.
Hmm - I'm not sure if that is true - and I'm on an airplane now so I
can't test. But even if it is true, I know that you can use the profile
swap API's to become QSECOFR if you have at least *USE authority to
QSECOFR, and I believe that a user with *ALLOBJ can ADDJOBSCDE for the
user QSECOFR, so there are a number of ways to skin that cat.

jte

--

John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx




Email is an excellent way to communicate material that is not time
sensitive. If your communication is of a more urgent nature, please
call.

===========================
This email message and any attachments are intended only for the use of
the intended recipient named above and may contain information that is
privileged and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message or by telephone and delete the
message from your email system. Thank you.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Crispin Bates
Sent: Wednesday, April 02, 2008 7:54 AM
To: Midrange Systems Technical Discussion
Subject: Re: Anti-virus for i5OS

Forgive me if I'm wrong here, wouldn't be the first time, but
I thought the following applied, at least at security level 40...

You need at least *SECADM authority to change a user profile,
*ALLOBJ is not enough.

Message ID . . . . . . : CPF2292
Date sent . . . . . . : 04/02/08 Time sent . . . . .
. : 10:44:32

Message . . . . : *SECADM required to create or change user
profiles.

Special authority (SPCAUT) - Help

o The user profile creating or changing another user
profile must have all of the special authorities being
given. All special authorities are needed to give all
special authorities to another user profile.

o A user must have *ALLOBJ and *SECADM special
authorities to give a user *SECADM special authority
when using the CHGUSRPRF command.

o The user must have *ALLOBJ, *SECADM, and *AUDIT
special authorities to give a user *AUDIT special
authority when using the CHGUSRPRF command.

You can't submit a job as QSECOFR even if you do have
*ALLOBJ. What you can do is submit a job as another user who
has *SECADM, or *SECOFR, but that's an entirely different discussion.



> Sorry, but a user with *ALLOBJ can give themselves *AUDIT,
*IOSYSCFG,
> *JOBCTL, *SAVSYS, *SECADM and *SPLCTL. From "Expert's
Guide to OS/400
> and i5/OS Security", page 67:
>
> "For example, *ALLOBJ special authority gives a user
unlimited access
> to and control over ALL objects-a user with *ALLOBJ special
authority
> can perform any function on any object on your system."
>
> There is only a one step difference between a user with *ALLOBJ and
> QSECOFR, that of the user with *ALLOBJ going into their own profile
> and granting themselves the missing options. You can lock both
> *ALLOBJ users and QSECOFR out of certain sysvals by pushing
them up to
> SST level maintenance, but if you've given a user *ALLOBJ
you might as
> well have made them QSECOFR.
>
>> Do you want your new software package to adjust your
auditing level,
>> create a PPP connection and add a job schedule entry that
calls home
>> and reports **anything it wants** from your system? ABC Corp may
>> have just used "social engineering" to get you to install
your very
>> own iSeries virus!
>
> A totally false question. Who is going to say yes? The
point is that
> merely changing the user id used for installation from
QSECOFR to one
> with *ALLOBJ hasn't fixed anything. I can do anything with *ALLOBJ
> that I can do with QSECOFR. The user with *ALLOBJ has full
rights to
> the QSECOFR profile. If he doesn't, he can just grant
himself those rights.
>
> As hinted at above, you can push auditing values to SST
level, so that
> even QSECOFR can't change them. The point remains, *ALLOBJ is
> essentially no different from QSECOFR..........
>
>
> --
> This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing
> list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
> unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take
> a moment to review the archives at
> http://archive.midrange.com/midrange-l.
>
>


--
This is the Midrange Systems Technical Discussion
(MIDRANGE-L) mailing list To post a message email:
MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change
list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting,
please take a moment to review the archives at
http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.





As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.