SecureMyi.com Security and Systems Management Newsletter for the IBM i - October 9, 2013 - Vol 3, Issue 37
Security from SecureMyi.com


Security Study



iSecurity from SEA



Security? See how SKYVIEW PARTNERS can help!

Feature Article

Library and Object Vulnerabilities When Using Adoption of Authority and Swap User Profile APIs

By Dan Riehl - SecureMyi.com

Each job has an associated list of libraries called the job's library list or, as it is often written, *LIBL. When an object is requested during the job, the library list is searched, in order, to locate the object. The library list has several distinct portions: the System Portion, the Current Library, the Product Portion and the User Portion.

You can see the library list for your current job by using the command DSPLIBL (Display Library List), as shown here.


                       Display Library List
                                                       System:   SECUREMYI

  Type options, press Enter.
   5=Display objects in library

  Opt       Library          Type    Text
   _        ALTQSYS          SYS     Alternate QSYS library
   _        QSYS             SYS     System Library
   _        QSYS2            SYS     System Library for CPI's
   _        QHLPSYS          SYS
   _        QUSRSYS          SYS
   _        QPDA             PRD
   _        DRIEHL           CUR     Dan Riehl test library
   _        QGPL             USR     General Purpose Library
   _        QTEMP            USR


The libraries in the System Portion (SYS) are controlled by the system administrator and are stored as the System Value QSYSLIBL. The Current Library (CUR) is specified in the User Profile of the user who started the job and can be changed dynamically by using the command CHGCURLIB (Change Current Library). The Product Portion (PRD) is dependent on applications that are currently running, and as such is dynamic within the job. The User Portion (USR) is controlled by the System Value QUSRLIBL but is often overridden by a Job Description or initial program that sets the User Portion as needed for the application.

Changing the Library List

There are many commands that are used to manipulate the library list. You can add and remove libraries by using CL commands such as EDTLIBL (Edit Library List), ADDLIBLE (Add Library List Entry) and RMVLIBLE (Remove Library List Entry).

Authority to Libraries on the Library List

When a job starts, the initial library list for the job is loaded, and the authority that the user has to each library in the list is retrieved and stored with the job's library list information. When a library is added to the list, its authority is also saved in the job's library list information.

The user's authority to the library, having already been resolved, remains in effect unchanged throughout the life of the job. This is true even if the user's authority to the library is changed or revoked during the job.

When an unqualified reference is made to an object, as in the Display File commands shown here:

DSPF FILE(MYFILE)     or     DSPF FILE(*LIBL/MYFILE)

the stored library list authority information is used. No new authority lookup is performed for a library that is already on the job's library list. This presents a serious vulnerability when a library is added to the list under adopted authority or while swapped to a more powerful user profile: the authority stored with the entry is whatever authority was in effect at the time of the add, and, as described above, it stays with the job.

Read More

In This Issue


Featured Article - *LIBL Vulnerabilities

Security Shorts - Higher than QSYS

Industry News and Calendar

Security Resources

Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

    Software Engineering of America

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


OSF - DataLoss DB

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification







Security News and Events

October Events

2013 IBM Power Systems Technical University at Enterprise2013
Sponsored by IBM - (ed. This is the newest name for the IBM Technical Conference)
Orlando, FL, October 21-25
More Information and Register to Attend

Building Effective Security Dashboards
Live Webcast - Presented by PowerTech
Wednesday, October 23 1:00pm CDT
More Information and Register to Attend


November Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - November 11-15
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend




Security Shorts


Danger - Any Libraries Higher than QSYS?

By Dan Riehl

If you, or your software provider, place a library higher than QSYS on the system library list, like ALTQSYS, make sure that the library authority is set no higher than *PUBLIC AUT(*USE). This restricts *PUBLIC users from placing new objects into the library. Also make sure that you secure the individual objects in the library with *PUBLIC AUT(*USE) for programs, commands and other static object types, and *PUBLIC AUT(*CHANGE) or less for dynamic objects like database files and data areas.


Since we rely heavily on resolving object references using the job's library list, any object in a library ahead of QSYS can override the expected functioning of the operating system and your application software. In this respect, programs and commands can act as a Trojan Horse on your system.


Numerous third-party software vendors require a library ahead of QSYS, but do not secure the library with *PUBLIC AUT(*USE). Instead, their libraries are mostly installed as *PUBLIC AUT(*CHANGE), or even *PUBLIC AUT(*ALL). Check with your vendor for their solution to the integrity vulnerability they have introduced onto your system.
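As an added example (this is not code from the newsletter or from SecureMyi), the following CL program walks the System Portion of the library list described in the feature article (the QSYSLIBL system value) and reports every library that precedes QSYS whose *PUBLIC authority is anything other than *USE or *EXCLUDE, which is the check this Security Short calls for. It assumes that the DSPOBJAUT outfile model QSYS/QAOBJAUT supplies the fields OANAME, OAUSER and OAOBJA (assumed field names for the object, user and authority columns), that it is run from a profile allowed to display those libraries' authorities (for example one with *ALLOBJ special authority), and the program name CHKPREQSYS used below is hypothetical.

```cl
/* Added example: report libraries that precede QSYS in QSYSLIBL whose   */
/* *PUBLIC authority is above *USE. Not code from the newsletter.         */
/* Assumptions: the DSPOBJAUT outfile model QSYS/QAOBJAUT supplies the    */
/* fields OANAME, OAUSER and OAOBJA (assumed names), and the program runs */
/* under a profile allowed to display those libraries' authorities.       */
             PGM
             DCL        VAR(&SYSLIBL) TYPE(*CHAR) LEN(150) /* 15 x 10 */
             DCL        VAR(&LIB)     TYPE(*CHAR) LEN(10)
             DCL        VAR(&POS)     TYPE(*DEC)  LEN(3 0) VALUE(1)
             DCL        VAR(&MBROPT)  TYPE(*CHAR) LEN(8) VALUE('*REPLACE')
             DCL        VAR(&MSG)     TYPE(*CHAR) LEN(80)
             DCLF       FILE(QSYS/QAOBJAUT) /* model of DSPOBJAUT outfile */

             RTVSYSVAL  SYSVAL(QSYSLIBL) RTNVAR(&SYSLIBL)

 /* Pass 1: dump the authorities of every library ahead of QSYS to QTEMP */
 DUMP:       CHGVAR     VAR(&LIB) VALUE(%SST(&SYSLIBL &POS 10))
             IF         COND((&LIB *EQ 'QSYS') *OR (&LIB *EQ ' ')) +
                          THEN(GOTO CMDLBL(REPORT))
             DSPOBJAUT  OBJ(QSYS/&LIB) OBJTYPE(*LIB) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/LIBAUT) OUTMBR(*FIRST &MBROPT)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(NEXT)) /* skip */
             CHGVAR     VAR(&MBROPT) VALUE('*ADD') /* append from now on */
 NEXT:       CHGVAR     VAR(&POS) VALUE(&POS + 10)
             IF         COND(&POS *LE 141) THEN(GOTO CMDLBL(DUMP))

 /* Pass 2: read the dump and flag *PUBLIC authority other than *USE    */
 /* or *EXCLUDE (an *AUTL entry is flagged too: inspect the list itself) */
 REPORT:     IF         COND(&MBROPT *EQ '*REPLACE') THEN(DO)
             SNDPGMMSG  MSG('No library ahead of QSYS was examined.')
             RETURN
             ENDDO
             OVRDBF     FILE(QAOBJAUT) TOFILE(QTEMP/LIBAUT)
 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE)) /* EOF */
             IF         COND((&OAUSER *EQ '*PUBLIC') *AND +
                          (&OAOBJA *NE '*USE') *AND +
                          (&OAOBJA *NE '*EXCLUDE')) THEN(DO)
             CHGVAR     VAR(&MSG) VALUE('WARNING: ' *CAT &OANAME *TCAT +
                          ' precedes QSYS with *PUBLIC ' *CAT &OAOBJA)
             SNDPGMMSG  MSG(&MSG)
             ENDDO
             GOTO       CMDLBL(READ)
 DONE:       DLTOVR     FILE(QAOBJAUT)
             ENDPGM
```

Compile it with CRTBNDCL (for example CRTBNDCL PGM(MYLIB/CHKPREQSYS) SRCFILE(MYLIB/QCLSRC), where MYLIB is a placeholder) and CALL it from an administrator session; each finding is sent as a program message, so it also appears in the job log. The first pass stops at QSYS, so only libraries that can act as a Trojan Horse in the sense described above are examined, and the *REPLACE/*ADD switch on OUTMBR lets several libraries share one outfile member. Where the program reports a vendor library, the remedy the short describes is to reduce the library to *PUBLIC AUT(*USE) with CHGOBJAUT, after confirming with the vendor that their software does not depend on the wider authority.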

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group, LLC


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming


Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Training from The 400 School

Send your IBM i Security and Systems Management News and Events!

Send your Questions, Comments, Tips and Stories

Copyright 2013 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017