Preventing adopted special privileges on i5/OS

One of the last hurdles most people face when trying to understand i5/OS security is trying to prevent users from gaining special privileges when a command line has been displayed from a program that adopts owner authority.

Since the IBM programs that display a command line (QCMD, QUSCMDLN) aren't observable, the program can't be duplicated and the option to adopt authority can't be removed.

There are different approaches to solving this. One is to create your own programs of the same name that do not adopt authority, but call the IBM programs and place your programs at the top of the library list, thus breaking the chain of adopted authority.

This approach may work, but there's no guarantee that your version of the IBM programs – even though it's ahead of QSYS in the library list – will get called. They may be "hard-coded" to go to the one in QSYS.

Nothing is perfect, but in addition to the approach you've described, here are some things you can do to further reduce the risk in your situation:

• If you have control over the application's use of QCMD or QUSCMDLN, "wrap" the call to these programs in a program that is compiled with Use adopted authority set to *NO and call that program rather than relying solely on getting your version of the program called (out of a library higher than QSYS).
• If any menu options run a WRKxxx command, an i5/OS command line is usually displayed. In this case, "wrap" the call to the command in a CL program that is compiled with Use adopted authority set to *NO.
• Use the QUSEADPAUT authorization list to limit who can create a program that uses the adopted authority from higher in the call stack. (For details on using this authorization list, see the iSeries Security Reference manual.)
• Ensure every possible user is set to limited capability *YES. For all other users, audit their actions by running the CHGUSRAUD command and specify (at least) to audit their commands (*CMD).
• Ensure that the program owner has just the special authorities required to run the application and no more. In many cases, application owners tend to have more special authorities than required. For example, I often see applications owned by a profile that has *JOBCTL and *SAVSYS. While *JOBCTL is often required, it is rare that *SAVSYS is.

Editors note: This iSeries administrator's tip on i5/OS security has been adapted from a user question submitted to our Ask The Expert section.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries administrator tips Analyze the health of your IBM i server with iScore Researching high availability for your System i shop Translating Linux for IBM i admins: Using GUI to make it easy Translating Linux for IBM i admins: Working with jobs and networking OpenOffice: What to know before making the transition from Microsoft Office OpenOffice: An enterprise open source solution Database performance comparisons on IBM i Translating Linux for IBM i admins: User profile commands Modern System i reports using Client Access Tips for installing Lotus Domino server on a System i partition iSeries system and application security Developing a security incident response system for System i Setting up security for programmers on IBM i Blocking AS/400 DB2 users Trouble accessing IFS path from Win2k3 server Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file System i security programming strategies System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment Monitoring application of PTFs Allowing a user to copy or create a duplicate object RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.