SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - March 11, 2015 - The Command Line Restriction - Limited Capabilities

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i March 11, 2015 - Vol 5, Issue 3

	Feature Article The Command Line Restriction - Limited Capabilities By Dan Riehl - SecureMyi.com In speaking to many security analysts over the years, it is obvious that there is a BIG Disconnect on what the "Limited Capabilities" attribute of the user profile actually does. In this article, I hope to dispel these potentially dangerous misconceptions. In this March 11, 2015 issue of the SecureMyi Security Newsletter, the featured YouTube Video presents a video discussion of this important topic. What IS Limited Capabilities? System users can gain access to the IBM i shell command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) command display, the Work with User Jobs (WRKUSRJOB) command display, and numerous other commands and facilities. Allowing users to access a command line can be very dangerous; for example, you don't want users running commands like DLTF CUSTOMER, which would delete your Customer file. A user who has command line access can run any CL command that he or she is authorized to run at the command line interface. IBM allows you to control the ability of a user to run CL commands at a command line by specifying the LMTCPB(Limit Capabilities) attribute of the user profile. To create a user that has limited command line capabilities, you use the CRTUSRPRF(Create User Profile) command as shown here: *CRTUSRPRF... LMTCPB(YES)** The common misconception regarding users with limited capabilities( i.e. LMTCPB(YES) ) is that we think that these users cannot run any ad-hoc CL command, such as WRKSPLF* or DLTF CUSTOMER But, in reality, a user with limited capabilities CAN run CL commands using several methods which we will discuss in this article. Did you know that IBM ships certain CL commands with a special command attribute that specifies that Limited Capability users are allowed to run the command at a shell command line. These commands include: Sign Off (SIGNOFF) Send Message (SNDMSG) Display Messages (DSPMSG) Display Job (DSPJOB) Display Job Log (DSPJOBLOG) Work with Messages (WRKMSG) The Command Attribute ALWLMTUSR You can examine the command definition of a CL command using the command DSPCMD(Display Command). To examine the command DSPMSG(Display Message), you could use the following command. DSPCMD DSPMSG *Read More*
In This Issue Featured Article - Limited Capabilities Featured Video - Limited Capabilities Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i Open Security Foundation - DataLoss DB National Vulnerability Database - NIST PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification

Live Security Related Webcasts and Training for IBM i March Events Live Hands-On - Expanded Security Workshop for IBM i, iSeries & AS/400 with Dan Riehl Training Workshop - March 24-27 - Presented by The 400 School, Inc. Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - Expanded Control Language Programming Workshop with Dan Riehl Training Workshop - March 30-April 3 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend April Events Live Hands-On - IBM i, iSeries System Administration and Control Workshop with Dan Riehl Training Workshop - April 20-24 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend 2015 COMMON Conference and Expo - Anahein, CA COnference and Expo - April 26-29 More Information and Register to Attend
Featured YouTube Educational Video IBM i Security Misconceptions on User Limited Capabilities LMTCPB(*YES)


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2015 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017