Re: Security Routines - bind by copy? (wasRE: Questionabout serviceprograms) -- RPG400-L

Subject: Re: Security Routines - bind by copy? (wasRE: Questionabout serviceprograms)
From: David Gibbs <david@xxxxxxxxxxxx>
Date: Fri, 01 Aug 2008 13:13:02 -0500
List-archive: <http://archive.midrange.com/rpg400-l>
List-help: <mailto:rpg400-l-request@midrange.com?subject=help>
List-id: RPG programming on the AS400 / iSeries <rpg400-l.midrange.com>
List-post: <mailto:rpg400-l@midrange.com>
List-subscribe: <http://lists.midrange.com/mailman/listinfo/rpg400-l>, <mailto:rpg400-l-request@midrange.com?subject=subscribe>
List-unsubscribe: <http://lists.midrange.com/mailman/listinfo/rpg400-l>, <mailto:rpg400-l-request@midrange.com?subject=unsubscribe>

Scott Klement wrote:

But even if a program hard-codes the library name (instead of *LBIL)
you could easily replace the security service program with one of
your own, and bypass security that way.

You could even rename the existing srvpgm, put your own code in it's
place, and have your code call the original one.

Replacing or renaming an existing object is probably harder than putting a new object higher on the library list. One would assume the existing object is secured so it can't be changed in a production environment. Creating a new object and putting it higher on the library list isn't going to be nearly has hard.

david

As an Amazon Associate we earn from qualifying purchases.

Follow-Ups:

Re: Security Routines - bind by copy? (wasRE: Questionabout serviceprograms) , Scott Klement

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.