|
||
SecureMyi.com Security and Systems Management Newsletter for the IBM i
April 24, 2013 - Vol 3, Issue 27
|
||
|
||
|
Feature Article
By Dan Riehl Since version 5.4 of the IBM i operating system, IBM has included the capability to natively save and restore spooled files. Previously, when an output queue object was saved, only the output queue object itself was saved. The spooled files within the output queue weren't saved and therefore couldn't be restored. Even today, unless you specify that you want to save the spooled files in your saved output queues, the spooled files aren't saved. Since 5.4, an output queue and its associated spooled files can be saved using standard save commands such as Save Library (SAVLIB) and Save Object (SAVOBJ). In the following example, I save an output queue named ADMIN5P to a save file by using the SAVOBJ command. On the command, I specify the parameter SPLFDTA(*ALL). The SPLFDTA(*ALL) parameter is what causes the spooled files to be saved. Had I not specified SPLFDTA(*ALL), only the output queue object would be saved and not the associated spooled files. SAVOBJ OBJ(ADMIN5P) LIB(ADMIN5) DEV(*SAVF) + OBJTYPE(*OUTQ) SAVF(DANWORK/DANTEST1) SPLFDTA(*ALL) I display the contents of the save file by using this command: DSPSAVF FILE(DANWORK/DANTEST1) I then see the resulting display showing the saved ADMIN5P output queue. Display Saved Objects Library saved . . . . . . . : ADMIN5 Type Options, press Enter. 5=Display Opt Object Type Attribute Owner Size (K) Data 5 ADMIN5P *OUTQ DANRIEHL 96 YES Once the Output Queue and Spooled files are saved, it is quite mysterious how the restore process works. It's not as one would expect. |
|
In This Issue
Quick Links
Our Newsletter Sponsors
Platinum Sponsor |
IBM i Security ResourcesJohn Earl Memorial Tribute - Jan 2013 IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and ArchivesSearch Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 Open Security Foundation - DataLoss DB PCI SSC Data Security Standards |
|
IBM i Security Calendar of Events
|
|
|
|
||
Security Shorts -
By Dan Riehl Did you know that your end users and IT staff members can change their own user profile? Almost all user profile attributes can be changed using this command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc. The CHGPRF command ships from IBM as *PUBLIC use, so it is available for general use. As you might suspect, the user must have at least *USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kind of changes. Certain parameters of the CHGPRF command are sensitive to the LMTCPB(Limit capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(*PARTIAL), they cannot change their initial program, current library or attention key handling program. They can however change their initial menu and all the other attributes. If the user is LMTCPB(*YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes like job description, user options, output queue, printer and even the textual description of their user profile. You may be thinking that this is not really such a big deal since the only people on your system that can run this command are IT folks and a limited number of users that have access to the command line. Users that are defined as LMTCPB(*YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But, any user that has IBM i Access(Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as going to a DOS prompt and running the command: RMTCMD CHGPRF JOBD(QGPL/HIGHPRI) TEXT('I am so cool') The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that would control this type of activity. My recommendation to you is to change the object authority of the CHGPRF command to make it *PUBLIC AUT(*EXCLUDE). To make that change, you can use either the EDTOBJAUT(Edit Object Authority) command or the GRTOBJAUT(Grant Object Authority) command. |
Sponsored Links
IBM i, iSeries and AS/400
|
|
|
||
Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2013 - SecureMyi.com, all rights reserved SecureMyi.com | St Louis MO 63017 |