02
Sat, Nov
2 New Articles
  1. You are here:  
  2. Home
  3. Security
  4. IBM i (OS/400, i5/OS)
  5. Security Patrol

Security Patrol

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

View but Not Copy

Question: I would like my users to be able to view source files in our production library but not copy from it into another library. Since copying into a programmer or test library is the first step in making a change, I want to know up front that a change is being contemplated. Is there a way to do this?

Answer: The problem that you describe is a classic computer science problem. If you allow a user to view data, can you restrict how that user uses the data? The purist’s answer is no. The technically feasible answer is maybe. You should first understand that when you allow a user to view source code, you are essentially permitting a copy of that source to be sent to that user’s screen. Once the code is on a user’s screen, that user can cut and paste that code into another editor and bypass your security restrictions.

Realistically, however, most application programs are large enough to discourage (but not prevent) users from going through this tedious process. If this is an acceptable risk for you, then you could provide your users with an adopted authority program that gives them the ability to view the source through the SEU browser. Figure 1 shows a sample program that accomplishes this task. Make sure that the user profile whose authority you adopt has no more than *USE authority to the source files, because SEU provides access to a command line, and you would not want to give users full access to the data through a combination of adopted authority and command line access. For more information on how to properly secure an adopted authority program, refer to “Security Patrol: Watching QSECOFR” in the January 2001 issue of MC.

In the course of researching your question, several of my colleagues questioned why you were concerned about a user’s ability to re-create program objects. If you are trying to prevent users from replacing production programs, there is a better way to do this. Do not give your users the ability to delete production programs. If users have only *USE authority to a production program (which is all the authority users need to execute a program), they can’t replace the production program with any changed version that they may have made.

Another reason not to prevent users from reading source code is efficiency. Smart users know the value in copying code from existing programs when they are building a new program. If you prevent your team from copying code, you may be sentencing them to



reinvent the wheel with every program that they write. So, let users read the source, but just secure the production environment from unauthorized changes, and you’ll be fine.

Controlling *JOBCTL Special Authority

Question: We are splitting users into two environments and would like to secure job control special authority (*JOBCTL). For example, some users will require *JOBCTL to selective job queues, but other users defined with *JOBCTL should not have any access to the same job queue, while a third group of users needs access to all job queues. I’ve attempted to test different scenarios but have been unsuccessful. Could you please advise me as to how this can be accomplished?

Answer: Lucky for you, OS/400 was designed from the start as a multi-user and even multi-company operating system, so what you’re asking for is really quite easy to accomplish. I understand why many users are confused by Job Queue authority, because it follows different rules than other OS/400 objects.

First, I will review what *JOBCTL authority provides. *JOBCTL special authority allows a user to display, change, cancel, hold, and release every entry on any out queue or job queue that was created with the Operator Controlled OPRCTL(*YES) parameter set. The *OPRCTL parameter on an out queue or job queue specifies that any user with *JOBCTL special authority need not have any private OS/400 authority to that queue in order to work with the entries on the queue. If users have *JOBCTL special authority, they can work with entries on the queue even if their OS/400 authority is set to *EXCLUDE.

If users do not have *JOBCTL special authority, or if the queue was created with OPRCTL(*YES), users must have OS/400 object-level authority (of the *USE, *CHANGE, *ALL variety) to see or work with entries on a queue.

Of course, the easiest way to affect your change is to remove *JOBCTL authority from all of the profiles except those that need access to all queues. But, I’ll assume that there is another reason why these users need *JOBCTL and propose an additional solution.

Break your users into three categories that I’ll designate as USERA, USERB, and SYSOP. USERA needs access to JOBQA but not JOBQB. USERB should not have access JOBQA but does need access to JOBQB. And SYSOP needs access to all job queues. Start by creating JOBQA with the OPRCTL(*NO) parameter, and then edit the object authorities (EDTOBJAUT) for that job queue object. The authority to JOBQA should be set to USERA = *CHANGE and *PUBLIC = *EXCLUDE. JOBQB will also be defined as OPRCTL(*NO), and its object authorities should be set to USERB = *CHANGE and *PUBLIC = *EXCLUDE. With the OPRCTL(NO) flag set, the *JOBCTL special authority will provide no special access to these queues. USERA and USERB will be forced to rely on their object authorities to the queues and, if they fall under *PUBLIC, will be excluded.

That leaves the SYSOP profile. Give SYSOP not just *JOBCTL but also *SPLCTL special authority. *SPLCTL acts like *ALLOBJ special authority, only *SPLCTL concentrates its power on spooling (JOB and OUT) queues. The *SPLCTL special authority is not hampered by either the OPRCTL parameter or by regular OS/400 object authorities when it comes to accessing job queues, and so it is appropriate for only those users who need unrestricted access to all queues.

The plan mentioned above works just as well for out queues as it does for job queues. If users must have *JOBCTL authority, this security plan will restrict users to only those queues that they ought to see.

Stopping ODBC Updates

Question: I have an exit program in the QIBM_QZDA_SQL1 exit point that has been running without incident for years. My exit-program only allows reads to the database because the exit program scans for the SQL SELECT statement in the input request. If the



first six bytes of the input request are SELECT, the exit program allows the transaction. If the first six bytes are anything else like UPDATE or INSERT, the exit program rejects them. Now I have a user who is using Microsoft Access to run a SELECT with a UNION ALL SQL statement. All of a sudden, the exit program won’t allow it. This user had no problems running this query before, and he runs it every month. What is going on?

Answer: There could be any number of causes, but the first thing I would do is dump the user’s inbound request to a log file and see if, in fact, the string SELECT is in the first six characters, as you expect. I bet that the SELECT statement is either not the first statement, or the ODBC request has offset the SELECT statement by a character or two. You should also note that a “Select” or a “SelECt” statement would also not pass your edit. Any of these items could cause your program to fail.

What you have discovered is just one of the problems with trying to parse the SQL string in an exit program for the purposes of limiting function. Because of the length and variable nature of SQL statements, it’s extremely difficult to accomplish SQL parsing with any certainty. When you’re talking about security, I believe certainty is required.

If the case is that the user’s wholly uppercase SELECT request does not occupy positions 1 to 6 of the SQL string, you can then move on to solving your next problem: really securing your data. An SQL statement that begins with a SELECT statement (regardless of its relative position) can have one or more UPDATE, INSERT, or other such statements after the select. It is not only usual but also likely to have an UPDATE SQL statement embedded in an SQL SELECT statement. Because you are only checking the first six characters, your exit program would not block these updates to your database.

If you continue down this path, you are going to have to scan the entire incoming data string for key phrases such as UPDATE, INSERT, and the like. In order to do this well, you’ll want to attach your exit program to the newer, 32K QIBM_QZDA_SQL2 exit point rather than the older, 512-byte QIBM_ QZDA_SQL1 exit point that you are using. The QIBM_QZDA_SQL2 exit point provides the full 32K bytes of data for incoming SQL statements (the maximum allowed by the SQL standard) rather than the 512 bytes provided by the QIBM_QZDA_SQL1 exit point. I don’t recommend using the QIBM_QZDA_SQL1 exit point, because it is just too easy to fool an exit program that only checks the first 512 bytes of an SQL statement.

In any case, if you are parsing the ODBC exit point’s incoming string, you’ve got the twin difficulties of getting it right and making it perform. Another approach would be to use the IBM swap profile APIs to change the authority that the user runs under. (See the “Security Patrol” column in the January 2001 issue of MC for more information on swap profile APIs.) Using this approach, you could define a network profile that has read-only access to your database and then have your exit program swap to that network profile whenever a user executes an ODBC statement. This way, OS/400 would be preventing ODBC updates to your database, rather than you trying to teach your exit program all the ins and outs of OS/400 object-level security.

Moving to QSECURITY Level 40

Question: We are considering moving from level 20 to level 30 then to level 40. Can you provide any guidance, articles, publications, tips, or advice?

Answer: If you are moving from QSECURITY level 20, don’t stop at QSECURITY level 30; proceed directly to 40. The majority of the challenges that you will face are in the move off of QSECURITY level 30, whereas the difficulties of moving from 30 to 40 are relatively trivial (and easier to spot). For mor information, see "Security Patrol: Take Security to the Next Level" in the October 2000 issue of MC.



REFERENCES AND RELATED MATERIALS

• OS/400 Security Reference V4R4 (SC41-5302-03, CD-ROM QB3ALC03)

PGM PARM( &SrcF &Lib &Mbr &Type )

DCL &Lib *CHAR 10
DCL &Mbr *CHAR 10
DCL &Srcf *CHAR 10
DCL &Type *CHAR 10

STRSEU SRCFILE(&Lib/&SrcF) SRCMBR(&Mbr) TYPE(&Type) OPTION(5)
MONMSG CPF0000 Goto Exit

Exit:
ENDPGM

Figure 1: Use a program such as this to help provide adopted authority to SEU.



John Earl

John Earl is the founder and Director of Technology and Security for  The PowerTech Group.  a Seattle-area software company that specializes in System i security. He has over 25 years experience with IBM midrange systems and security, has published numerous articles and columns for industry magazines, and served as a Subject Matter Expert (SME) for Security for COMMON. A highly regarded speaker on OS/400 and i5/OS security, Mr. Earl has presented several hundred of iSeries security sessions at industry conferences and user groups all over the world. He is a three-time winner of COMMON's Speaker Excellence award and has also served on the board of directors of COMMON U.S.

 

He can be reached at 253.872.7788 or at This email address is being protected from spambots. You need JavaScript enabled to view it..

 

 

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: