Security and Systems Management Newsletter for the IBM i             May 14, 2014 - Vol 4, Issue 8
Security Training from

Security software from Powertech

Skyview Partners

Security Training from The 400 School

Feature Article

The CHGPRF Command - Change My Own Profile - Really?

By Dan Riehl -

Did you know that your end users and IT staff members may be able to change their own User Profile settings?

Just like users can run the CHGPWD(Change Password) command to change their own password, there is another command CHGPRF(Change Profile) that may be used to change their own user profile.

Numerous User Profile attributes can be changed using this CHGPRF command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc.

The CHGPRF command ships from IBM as *PUBLIC use, so it is available for general use. As you might suspect, the user must have at least *USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kind of changes.

Certain parameters of the CHGPRF command are sensitive to the LMTCPB(Limit Capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(*PARTIAL), they cannot change their initial program, current library or attention key handling program. They can however change their initial menu and all the other attributes. If the user is LMTCPB(*YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes like job description, user options, output queue, printer and even the textual description of their user profile.

You may be thinking that this is not really such a big deal since the only people on your system that can run this command are IT folks and a limited number of users that have access to the command line. Users that are defined as LMTCPB(*YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But, any user that has IBM i Access(Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as going to a DOS prompt and running the command:


The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access for Windows, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that would control this type of activity.

My recommendation to you is to change the object authority of the CHGPRF command to make it *PUBLIC AUT(*EXCLUDE). To make that change, you can use either the EDTOBJAUT(Edit Object Authority) command or the GRTOBJAUT(Grant Object Authority) command.

And I really wonder, who came up with this CHGPRF command, which potentially allows users to skirt the settings set by the system administrator.

In This Issue

Featured Article - CHGPRF Command

Security Shorts - Numeric UserID Password

Featured Video - Virus Worms Malware

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Software from Cilasoft

Security software from Powertech

Featured YouTube Educational Video

IBM i Security

Is the IBM i Vulnerable to Virus, Worms and other Malware?

Featured Video - IBM i Security - Is the IBM i Vulnerable to Virus, Worms and other Malware?

Cannot Access YouTube from your office? Download the video in wmv format.   Click to Download the wmv file
Security news and Events

Live Security Related Webcasts and Training for IBM i

May Events

Coffee with Carol: with Carol Woodbury
Security Considerations for Application Development including PCI Requirements

Live Webcast - Presented by Skyview Partners
Friday, May 16 10:00am CDT
More Information and Register to Attend

The 2014 State of IBM i Security
Live Webcast - Presented by Powertech
Wednesday, May 21 1:00pm CT
More Information and Register to Attend

June Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - June 2-6 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Coffee with Carol: with guest presenter Patrick Townsend
Encrypting Data with FIELDPROC - No Application Changes!

Live Webcast - Presented by Skyview Partners
Thursday, June 12 10:00am CDT
More Information and Register to Attend

Skyview Partners

Security Training from The 400 School

Security Shorts - All Numeric Passwords and User IDs

By Dan Riehl -

My UserID is 77 and My Password is 123456

Naming rules for the IBM i state that an object name must begin with an alphabetic character including A-Z, #, $, @, and that the remaining characters (up to 10 in total) can contain A-Z, 0-9, #, $, @, _ ,and a .(period). The object names are not case sensitive.

However, when it comes to user profile names and passwords, an interesting phenomenon occurs.

When we create a user profile, we specify a user profile name and, optionally, we specify a password, as in the following example. (For these examples, we assume a Password Level (QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.)


Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward.

But consider this next example:


When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let me explain.

  • The user can log on with user Q12345 with a password or Q11111.
  • The user can log on with user Q12345 with an all-numeric password of 11111.
  • The user can log on with an all-numeric user 12345 with a password of Q11111.
  • The user can log-on with an all-numeric user 12345 with an all-numeric password 11111.

The secret to this weird support lies in the first character of the user or password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the user or password during the system logon process.

You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF(Create User Profile) command.

As the system administrator, you can enforce policy to disallow the creation of a Q digits user profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API.

In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value *DGTLMTAJC in the system value QPWDRULES. Either of these settings prohibit the use of adjacent digits in a password when changed by the user.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

IT Security and Compliance Group

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

ILE RPG IV Programming Workshop
RPG/400 Programming Workshop
IBM i COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Audit Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Services from

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 -, all rights reserved | St Louis MO 63017