one could execute CL commands directly out of SQL.
With QCMDEXC defined as a function one could run CL commands out of SQL.

As long as the UDF QCMDEXC is unique to your shop then that is fine.
Others may have it, but it is not part of the OS.

If you are certain that the QCMDEXC will only ever be run by you then
that is fine.
No, I am not sure. But, do I secure all exit points that they could run
CL commands? No. For example, if you had a person at your shop run from
their PC DOS prompt
RMTCMD DLTF QUSRSYS/CUSTCDT
Are you sure they wouldn't be able to? Test it with
RMTCMD DSPFD QUSRSYS/CUSTCDT OUTPUT(*PRINT)
The point is, if one hole is open already, then the UDF is just another
hole. You're better off with object security than by playing whack-a-mole
with all the holes.

If you are certain that no one will be able to run SQL in your shop as
*SECADM except trusted resources, then that is fine.
Yes, I am reasonably confident in that. I do not pore over all the code
of CL programs owned by QSECOFR though.

For the record, I am all for code and utilities that make our jobs
easier.
Your use of UDFs is creative and aggressive.
Thank you.

Rob Berendt


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.
