Misconceptions of Command Line Access and Limited Capabilities Users
By Dan Riehl
System users can gain access to the IBM i shell command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) command display, the Work with User Jobs (WRKUSRJOB) command display, and numerous other commands and facilities.
Allowing users full command-line access is dangerous; for example, you don't want users running commands like DLTF CUSTOMER, which would delete your production customer file. A user who has command line access can run any CL command that he or she is authorized to run.
IBM allows you to control the ability of a user to run CL commands at a command line by specifying the LMTCPB(Limit Capabilities) attribute of the user profile. To create a user that has limited command line capabilities, you use the CRTUSRPRF(Create User Profile) command as shown here:
CRTUSRPRF... LMTCPB(*YES)
The common misconception regarding users with limited capabilities (i.e., LMTCPB(*YES)) is that these users cannot run any ad hoc CL command at all, such as
WRKSPLF
or
DLTF CUSTOMER
But in reality, a user with limited capabilities CAN run selected CL commands when given a command line. IBM ships certain CL commands with a command attribute that specifies that limited capability users are allowed to run the command from a command line.
These commands include:
- Sign Off (SIGNOFF)
- Send Message (SNDMSG)
- Display Messages (DSPMSG)
- Display Job (DSPJOB)
- Display Job Log (DSPJOBLOG)
- Work with Messages (WRKMSG)
- Work with Environment Variables (WRKENVVAR)
The Command Attribute ALWLMTUSR
You can examine the definition of a CL command with the DSPCMD (Display Command) command. To examine the DSPMSG (Display Message) command, you would use:
DSPCMD DSPMSG
On the resulting display you will see that the command attribute named ALWLMTUSR (Allow Limited Users) is set to the value *YES. This setting means that the DSPMSG command can be used by Limited Capabilities Users from the command line. All of the commands in the list above are shipped from IBM with that value for ALWLMTUSR. All other CL commands are shipped as ALWLMTUSR(*NO), prohibiting the use of the commands from the command line by Limited Capabilities users.
Each CL command has the ALWLMTUSR attribute, but almost all commands ship with it set to *NO, meaning "Do not allow Limited Capabilities Users to run the command at a command line." This is also the default value for newly created commands. As a system administrator, you can change any CL command that can be run from a command line so that limited users can also run it there. This change is made with the CHGCMD (Change Command) command, as in the following example:
CHGCMD CMD(WRKSPLF) ALWLMTUSR(*YES)
Running this command changes the WRKSPLF (Work with Spooled Files) command to allow Limited Capabilities users to run it from a command line.
Third-party software often installs new CL commands with ALWLMTUSR(*YES). It's wise to examine any newly created commands to make sure that limited users cannot run them from a command line unless that is intended.
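The check described above, as an added example that is not from the original article: it takes an extract of the system's command objects (library, name and the ALWLMTUSR setting) and flags every command a limited user could run from a command line that IBM did not ship that way. The extract format and column names are an assumption; the QSYS2.COMMAND_INFO SQL service returns columns of this kind, but verify on your release. The rows below are constructed sample data, and the IBM-shipped list is the one given in this article, so confirm it against DSPCMD on your own system before treating anything else as a finding.

```python
"""Flag CL commands that limited-capability users may run from a command line.

Added example, not from the original article. It assumes an extract with at
least the columns COMMAND_LIBRARY, COMMAND_NAME and ALLOW_LIMITED_USER (YES/NO),
as the QSYS2.COMMAND_INFO service returns; the rows below are constructed
sample data, not output from a real system.
"""
import csv
import io

# Commands IBM ships with ALWLMTUSR(*YES), per the article's list.
# Verify this set with DSPCMD on the installed release.
IBM_SHIPPED_ALWLMTUSR = frozenset({
    "SIGNOFF", "SNDMSG", "DSPMSG", "DSPJOB", "DSPJOBLOG", "WRKMSG", "WRKENVVAR",
})

# Constructed sample extract (CSV). On a real system it could come from:
#   SELECT COMMAND_LIBRARY, COMMAND_NAME, ALLOW_LIMITED_USER FROM QSYS2.COMMAND_INFO
SAMPLE_EXTRACT = """\
COMMAND_LIBRARY,COMMAND_NAME,ALLOW_LIMITED_USER
QSYS,DSPMSG,YES
QSYS,SIGNOFF,YES
QSYS,WRKSPLF,YES
QSYS,DLTF,NO
VENDORLIB,RUNREPORT,YES
VENDORLIB,PURGEDATA,YES
VENDORLIB,SHOWVER,NO
"""


def find_exposed_commands(extract_text):
    """Return (library, command) pairs with ALLOW_LIMITED_USER=YES that IBM did
    not ship that way: either a QSYS command someone changed with CHGCMD, or a
    third-party command installed with ALWLMTUSR(*YES)."""
    exposed = []
    for row in csv.DictReader(io.StringIO(extract_text)):
        if row["ALLOW_LIMITED_USER"].strip().upper() != "YES":
            continue
        lib = row["COMMAND_LIBRARY"].strip().upper()
        cmd = row["COMMAND_NAME"].strip().upper()
        if lib == "QSYS" and cmd in IBM_SHIPPED_ALWLMTUSR:
            continue
        exposed.append((lib, cmd))
    return exposed


def remediation_commands(exposed):
    """CL statements that reset each finding. Review them before running:
    a vendor may legitimately rely on limited users running a menu-style
    command, and then the right fix is a menu option, not a CHGCMD."""
    return [f"CHGCMD CMD({lib}/{cmd}) ALWLMTUSR(*NO)" for lib, cmd in exposed]


if __name__ == "__main__":
    findings = find_exposed_commands(SAMPLE_EXTRACT)
    for statement in remediation_commands(findings):
        print(statement)
```

Run this against a fresh extract after every vendor install or PTF application; a command that moves onto the list between two runs is exactly the case the paragraph above warns about.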
Bypass the rules with Remote Command and SQL
In addition to being able to run CL commands that specify ALWLMTUSR(*YES), a user can run any command he or she is authorized to run by using the IBM i Access for Windows Remote Command facility. From a PC command prompt, the user can run any authorized CL command using the MS/Windows executable Remote Command(rmtcmd.exe) which is installed with IBM i Access for Windows. The rmtcmd.exe is the MS/Windows client executable that interfaces with the IBM i Remote Command Host Server. Figure 1 shows an example of running a CL command using rmtcmd.exe (in red) and the Remote Command Host Server's response to the CL command (also in red).
Figure 1 Running a CL command via rmtcmd.exe in IBM i Access for Windows
In this example, a user with Limited Capabilities has just run the CRTLIB(Create Library) command to create the HACKER library.
rmtcmd.exe completely ignores the Limit Capabilities attribute of the user profile and therefore lets any user run any command he or she is authorized to run. Since rmtcmd.exe is installed on every PC that installs IBM i Access for Windows, and is an integral part of the package, the activity of the Remote Command Host Server should be logged and controlled using a server exit program.
See my article on Exit Programs. Using an Exit program would allow you to reject this type of activity, and log the attempted breach of your system security.
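The policy such an exit program should apply, as an added example that is not from the original article and not IBM's exit program interface: it assumes the exit program has already unpacked the request from the Remote Command Host Server (exit point QIBM_QZRC_RMT) into the requesting user profile and the CL command string, and it then applies the same rule the 5250 command line applies, so a limited user gets only ALWLMTUSR(*YES) commands over rmtcmd.exe too. The user and command tables are constructed sample data standing in for DSPUSRPRF and DSPCMD output; on the system itself the program would normally be written in CL, RPG or C.

```python
"""Accept/reject logic for a Remote Command Host Server exit program.

Added example, not from the original article. It assumes the exit program
has already extracted the user profile name and the CL command string from
the exit point's request format; the tables below are constructed sample
data, not values read from a real system.
"""
import re

# Constructed: user profile -> LMTCPB value, as DSPUSRPRF would show it.
USER_LMTCPB = {"CLERK1": "*YES", "OPER2": "*PARTIAL", "ADMIN": "*NO"}

# Constructed: command name -> ALWLMTUSR value, as DSPCMD would show it.
COMMAND_ALWLMTUSR = {
    "DSPMSG": "*YES", "SNDMSG": "*YES", "SIGNOFF": "*YES",
    "CRTLIB": "*NO", "DLTF": "*NO", "CALL": "*NO", "WRKSPLF": "*NO",
}

# Command name, optionally library-qualified (QSYS/DLTF) and optionally
# preceded by '?' (a prompt request); the rest of the string is parameters.
_CMD_NAME = re.compile(r"^\s*\??\s*(?:([A-Z0-9$#@_]+)/)?([A-Z0-9$#@_]+)", re.I)


def command_name(cmd_string):
    """Return the upper-cased command name from a CL request, or None."""
    m = _CMD_NAME.match(cmd_string)
    return m.group(2).upper() if m else None


def decide(user, cmd_string):
    """Return (accept, reason).

    LMTCPB(*NO) and LMTCPB(*PARTIAL) users may run commands from a command
    line, so they may run them here too; the system still checks object
    authority afterwards. LMTCPB(*YES) users get only ALWLMTUSR(*YES)
    commands, which is what the 5250 command line would allow them. Unknown
    users or unparseable requests are rejected rather than passed through.
    """
    user = user.strip().upper()
    lmtcpb = USER_LMTCPB.get(user)
    if lmtcpb is None:
        return False, f"unknown user {user}"
    name = command_name(cmd_string)
    if name is None:
        return False, "unparseable command string"
    if lmtcpb in ("*NO", "*PARTIAL"):
        return True, f"{user} is LMTCPB({lmtcpb})"
    alw = COMMAND_ALWLMTUSR.get(name, "*NO")
    if alw == "*YES":
        return True, f"{name} is ALWLMTUSR(*YES)"
    return False, f"{user} is LMTCPB({lmtcpb}); {name} is ALWLMTUSR({alw})"


def audit_line(user, cmd_string):
    """One log line per request, accepted or rejected, for the audit trail."""
    accept, reason = decide(user, cmd_string)
    verdict = "ACCEPT" if accept else "REJECT"
    return (f"RMTCMD {verdict} user={user.strip().upper()} "
            f"cmd={cmd_string.strip()!r} ({reason})")


if __name__ == "__main__":
    for who, what in [("CLERK1", "CRTLIB HACKER"), ("CLERK1", "DSPMSG"),
                      ("CLERK1", "CALL PGM(QCMDEXC) PARM('DLTF MYFILE' 11)"),
                      ("OPER2", "DLTF MYFILE"), ("ADMIN", "CRTLIB HACKER")]:
        print(audit_line(who, what))
```

Note what the logic does and does not do: it closes the LMTCPB gap for this one server, but object authority is still the system's job, and a CALL to QCMDEXC is rejected here only because CALL itself is ALWLMTUSR(*NO); the same rule has to be applied by an exit program on the database host server to cover the ODBC route described next.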
Another way for a user with Limited Capabilities to run ad hoc CL commands is through ODBC, using a remote program call to the QCMDEXC API, as in:
CALL QCMDEXC ('DLTF MYFILE' 11)
QCMDEXC is a documented IBM-supplied API that processes CL command requests. It takes two parameters: the CL command string to execute and the length of that string (here 11, the length of 'DLTF MYFILE'; the length parameter is a packed decimal 15,5 value, so an SQL CALL over ODBC must pass it in that form). Here a Limited Capabilities user deletes the file named MYFILE.
The Take Aways
The Limited capabilities attribute of the user profile is not a general restriction on running ad-hoc CL commands. It limits only which CL commands a user may run from a command line.
When a Limited Capabilities user runs commands through rmtcmd.exe or an ODBC call to QCMDEXC, LMTCPB is not consulted at all; the only limit is the user's object and special authority. To close that gap, check every command that carries ALWLMTUSR(*YES), and log and control the Remote Command and database host servers with exit programs.
About the Author
Dan Riehl is the Editor of the SecureMyi Security Newsletter and a Security Specialist for the IT Security and Compliance Group, LLC.
Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.
Dan Riehl on LinkedIn