29
Fri, Nov
0 New Articles

Security Patrol

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Conflicting Authority

Question: If a user profile has one level of authority specified in an authorization list assigned to an object and a different level granted as a private authority to the same object, how is the difference reconciled? In other words, which authority rule takes priority?

Answer: It depends mainly on what version and release of OS/400 you are referring to but also on how you establish other security-relevant factors. OS/400 evaluates a user's authority to an object through a specific sequence of questions. At each step, a definitive answer, either "yes" or "no," will either permit or deny access, respectively, with no further checking. If a step does not provide a definitive answer, then OS/400 asks the next question. Here is the general order of questions:

1. Does the profile have ALLOBJ special authority? If so, the user gets access to the object, regardless of any other authorities which may have been defined.

2. Does the individual user have specific authority to the object, either through object authority or by being the owner of the object?

3. Is there an authorization list that grants or denies authority to the user?

If the user is a member of a group profile, OS/400 asks the following questions:

1. Does the user belong to a group profile that provides ALLOBJ? If so, then the user gains authority at this step.

2. Does the user's group profile have specific authority to the object, either though object authority or by owning the object?

3. Does an authorization list grant authority to the user's group?

If none of these steps provides a definitive answer, then PUBLIC authority for the object is reviewed.


The "joker" in this deck of cards concerns programs that adopt owner's authority. Adopted authority is examined last, after reviewing PUBLIC authority. However, if it results in the user gaining authority to the object, adopted authority takes precedence over any prior denial. This goes against the earlier rule of "first match gives result." Essentially, the entire process I've described is repeated for the program's owner (i.e., does the program owner have ALLOBJ?, etc.).

In your specific case, if the private authority results in a definitive grant or deny, then this will be the authority given to the user; whatever you might specify in the authorization list would not matter.

Stop! Don't Touch That Spool File!

Question: I am working on a method of archiving specific spool files. We receive about 150 reports a day from our application that we need to archive, and the rest can be deleted. Once the report is created, we move it to specific output queues and then archive it into Magellan Software's SpyView, which is on a different AS/400. Users have been known to delete these spool files before I can get them captured, yet I cannot take away the Delete Spooled File (DLTSPLF) command to prevent this. I've tried securing the output queue object and even putting the queue into a secured library, but I've had no success because the owner of the spool file has access regardless of his rights to the queue. Is there a way to transfer ownership of the spool file or make a copy so that the original user can no longer access or delete it?

Answer: I assume you are unable to provide the necessary security by securing the DLTSPLF command. That's too bad: This would have been an elegant solution, otherwise. This approach would involve setting users' authority to all spool file management commands to *EXCLUDE. These commands would include DLTSLF as well as Work with Spooled Files (WRKSPLF), Work with Spooled File Attributes (WRKSPLFA), Change Spool File Attributes (CHGSPLFA), Hold Spooled File (HLDSPLF), and others listed in OS/400 CL Reference V4R1 (SC41-5722-00). While your primary concern is preventing unauthorized spool file deletion, I assume you would want to control other changes to spool files, as well.

Your users may still require some carefully controlled access to spool file commands in order to view their own output and, perhaps, print a copy for their own reference. I would suggest writing a short program to act as a front-end to the OS/400 spool file commands. This front-end program could determine a user's identity, his authority to use certain commands and options, and for which spool files he may use those commands and options.

Elegant solutions don't always work, and I must assume from your letter that you have tried this approach and it has failed in your environment. (I described the option anyway because it may work very well for other readers.) Your next option, given that the commands apparently cannot be secured, is to attempt to secure the spool file objects themselves. Here, you run into a very difficult problem, one caused by the nature of the AS/400's security model. The AS/400 supports something called Discretionary Access Control (DAC). DAC basically states that the owner or creator of an object has the final authority to decide who has access to an object. An owner always has the final say, short of revoking ownership and granting it to some other user. The usual alternative to DAC is Mandatory Access Control (MAC). In MAC, the organization's policies decide access rights for certain types of objects, and the specific user who created the object has no special rights at all. MAC is generally associated with a military-style security policy, classifying information as Secret, Top Secret, etc. and granting rights based on this classification. The AS/400 definitely does not support a MAC-based security policy.


To make your objective even more challenging, you can't get around DAC limitations by simply changing the object's owner for spool files. The Change Object Owner (CHGOBJ- OWN) command does not support spool file object types. There are some options on the OUTQ object for providing additional security, but these all specifically give the spool file owner full control of all the output that is created.

To draft a solution for you, I will assume your software follows good programming practices and does not generate reports interactively, given that doing so places a tremendous burden on the interactive subsystem and harms system performance for other users. I assume that, instead, it submits a batch job that creates the report for the user.

The option I suggest is to create a new profile that will own all the spool files that your users generate. You should not assign this profile to any specific user, and it should have a password of *NONE to prevent anyone from using it to log in. Its sole purpose is to own spool files. For the sake of illustration, let's call this profile Bob. Make sure that Bob has all the authority that a user would normally possess as required for creating reports (this should include READ access to all application database objects). Now, let's assume there's a typical user with a profile named Alice. After creating Bob, grant Alice USE authority to the user profile Bob as follows:

GRTOBJAUT ...OBJ(QSYS/BOB) OBJTYPE(*USRPRF) USER(ALICE) AUT(*USE)

The next step is to modify the Submit Job (SBMJOB) command that your software uses. Place the value Bob into the parameter USER. This will cause the submitted job to run under Bob's identity. Previously, you had to grant Alice (the actual user) USE authority to Bob's user profile object in order to permit this at QSECURITY level 40. Be careful here, as Alice might be able to submit unauthorized jobs under Bob's authority.

The end result of this is that Alice can verify the status of her print jobs using Work with Submitted Job (WRKSBMJOB) but cannot view any detailed job information or view or access in any way the spool files printed by the job. If she tries, she gets the message "No authority to job." In addition, your users are allowed to create spool files which they cannot delete, copy, or even view. To provide users access to their reports, you will need to do a bit of programming. Create a routine that runs the Copy Spooled File (CPYSPLF) command, creating a database file to which users will have read-only access. This program should run frequently enough to provide desired user access to reports. Users may view the reports through a simple program which reads the database file one line at a time and displays it in a scrollable window.

Finding Flighty Freeware

Question: I tried to go to the URL you provided for the Linux version of Strobe in the December 1999 "Security Patrol." All I got was an error 404 on this URL indicating that the link could no longer be found. Do you know where I can find the program?

Answer: I really hate it when this happens! You've just found one of the big costs of so- called free software on the Internet—the software may no longer exist by the time you try to go get it. Strobe was authored by the well-known Australian security specialist Julian Assange in 1995. It was originally hosted on his Web site at suburbia. net, but, apparently, this site is no longer available. In this case, the item is not hosted by the original author but is maintained in various standard software archives. If you use Red Hat Linux, the place to look is rpmfind.net/linux/RPM/contrib/libc5/i386/strobe-1.04-2.i386.html. RPM stands for Red Hat Package Manager, a utility that bundles the various files making up a Linux


program and permits easy management of the resulting software. Other varieties of Linux may optionally support RPM as well.

References and Related Materials

OS/400 CL Reference V4R1 (SC41-5722-00)


BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: