RE: ALL I/O in single module was(ARGH!!! (was file open with LR))

[rob@xxxxxxxxx]

And what would restrict the public from being able to call the I/O module? 
 Security-by-obscurity?

Rob Berendt
-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." 
Benjamin Franklin 




"Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx> 
Sent by: rpg400-l-bounces@xxxxxxxxxxxx
11/17/2003 03:03 PM
Please respond to
RPG programming on the AS400 / iSeries <rpg400-l@xxxxxxxxxxxx>


To
"'RPG programming on the AS400 / iSeries'" <rpg400-l@xxxxxxxxxxxx>
cc

Subject
RE: ALL I/O in single module was(ARGH!!! (was file open with LR))






> From: rob@xxxxxxxxx
> 
> >From a strictly security standpoint I don't see how an I/O module
with a
> firewall trigger improves upon just using the constraints and triggers
> themselves.  Securitywise, what can be done in an I/O module that
couldn't
> be done in the trigger itself?

With an I/O module, it can adopt the authority to update the file, and
thus it becomes the ONLY way to access the file.  You only give the user
the authority to the I/O module, not the file.  Without this capability,
you have to grant authority to the file to the user, which means they
can then use UPDDTA or whatever other means at hand to update the file.

In order to prevent this unauthorized access in a trigger program you'd
have to have a table of users to determine which users can access which
file - in essence you'd have to recreate OS/400 security.

Joe

_______________________________________________
This is the RPG programming on the AS400 / iSeries (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/rpg400-l.