|
||
|
September 12, 2012 - Vol 2, Issue 16
|
||
|
||
|
Feature Article
Watch out for New Adopting ObjectsBy Dan Riehl Adoption of authority is a technology we commonly use within IBM i to allow users to perform operations for which they do not have sufficient authority. For example, resetting a user's password requires a very high level of authority. We do not want to hand out this high authority level to every user that may need to reset a password. So, instead of making the users more powerful, we make a program that is more powerful by allowing the program to adopt, or "temporarily borrow", the authority of a powerful user. When a program is created, the USRPRF parameter is used to specify that the created program will adopt authority. In the command CRTCLPGM(Create Control Language Program) you specify adopted authority by specifying the parameter USRPRF(*OWNER). Then, when the program is run, the program adopts the authority of the owner of the program, thus enabling the CL program to perform operations that the owner of the program is authorized to do, but the user running the program does not necessarily have the ability to do; like resetting a password, or restoring a library. Since running a program that adopts authority can increase a user's capability, it is important to make sure that you know which programs adopt authority, and that you especially keep an eye on newly created programs that adopt. In many cases, programs will adopt the authority of QSECOFR, or of some other very powerful profile. This is seen most often in vendor supplied software, but typically there will be several home-grown programs on your system that will adopt the authority of QSECOFR. You need to know what these home grown programs do, and why they adopt such a high level of authority. These adopting programs can be used as a "back-door" to to circumvent the security controls and file permissions that you have instituted to protect your system. In order for you to keep track of adopting programs, IBM has supplied the command PRTADPOBJ(Print Adopting Objects). Adoption can occur within a program, a service program, or an SQL package. When using the command PRTADPOBJ you print a list of adopting programs, and can select to only print the programs that adopt a specified user profile, like QSECOFR. You can also specify to print a list of programs that adopt the authority of any user profile. The command also has a 'What's Changed?" feature, in which you can print only changes since the last run of the command. |
|
In This Issue
Quick Links
Thank You! To Our Great Sponsors
Platinum Sponsor |
IBM i Security and Audit ResourcesIBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and ArchivesSearch Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 PCI SSC Data Security Standards 
|
|
IBM i Security News Bytes
Linoma Announces Microsoft Server 2012 Certification IBM i Security Calendar of Events
|
|
|
|
||
Security Shorts -
By Dan Riehl Since V5R4 we have had the capability to save the spooled file reports residing in our output queues. Prior to V5R4, when you saved an output queue, or saved a library containing output queues, only the output queue object itself was saved, not the contents(the spooled file reports) in the output queue. Since the V5R4 upgrade, many of us have not updated our backup routines to take advantage of this new support. Instead, when we save a library or an output queue, we still only save the output queue object, but not the spooled files contained in the output queue. The following command saves all objects in the PRODLIB library, including all the spooled files in all the output queues that reside in the library: SAVLIB LIB(PRODLIB) DEV(TAP01) SPLFDTA(*ALL) When you do a SAVLIB(Save Library) or SAVOBJ(Save Object) command, you must specify SPLFDTA(*ALL) in order to save the spooled files in the saved output queues. The parameter SPLFDTA(*ALL) is the key to saving the spooled files. I encourage you to update your backup routines to begin saving your spooled files. But, perhaps you are using the IBM supplied SAVE menu to perform your backups, and not a home grown backup program. Or perhaps your vendor supplied backup software does not give you the option to save your spooled files. If that is the case, then here is a simple solution. Below is the source code for a Control Language program you can use that will save all of the output queues on your system and will save all of the spooled files in those output queues. This would be a nice program to add to your weekly backup routine. Note: In this program you must replace 'TAP02' with the name of your backup device.
PGM /* Save Spooled Files */
DCL VAR(&MSGID) TYPE(*CHAR) LEN(7)
DCL VAR(&MSGF) TYPE(*CHAR) LEN(10)
DCL VAR(&MSGFLIB) TYPE(*CHAR) LEN(10)
DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(100)
DCLF FILE(QADSPOBJ)
MONMSG MSGID(CPF0000) EXEC(GOTO ERROR)
DSPOBJD OBJ(*ALL/*ALL) OBJTYPE(*OUTQ) +
OUTPUT(*OUTFILE) OUTFILE(QTEMP/QADSPOBJ)
OVRDBF FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ)
LOOP: RCVF
MONMSG MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDIT))
SAVOBJ OBJ(&ODOBNM) LIB(&ODLBNM) DEV(TAP02) +
OBJTYPE(*OUTQ) SPLFDTA(*ALL)
GOTO LOOP
ENDIT: RETURN
ERROR: RCVMSG MSGTYPE(*LAST) MSGDTA(&MSGDTA) MSGID(&MSGID) +
MSGF(&MSGF) SNDMSGFLIB(&MSGFLIB)
MONMSG CPF0000 /* Just in case */
SNDPGMMSG MSGID(&msgid) MSGF(&msgflib/&msgf) MSGDTA(&msgdta) +
MSGTYPE(*ESCAPE)
MONMSG CPF0000 /* Just in case */
ENDPGM
When it comes time to recover a deleted spooled file, or an entire output queue, you can use the command RSTOBJ(Restore Object) to restore the saved output queue, including the spooled files. |
Sponsored Links
IBM i, iSeries and AS/400
|
|
|
||
|
Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com | St Louis MO 63017 |
||
