By Trevor Seeney
All too often I see IBM/i security schematics that give All Object (*ALLOBJ) to all the user profiles. I have recently seen a security schematic that did not have *ALLOBJ authority at the user profile level but instead had all (*ALL) authority applied to all objects. Both of these schematics amount to no security at all, because every user can delete any object!
In the ideal world, all physical files should have *CHANGE authority assigned to the general user community (i.e. *PUBLIC). That enables the object to be ‘operated’ on (Opr) but confers no ‘management’ (Mgt) or ‘existence’ (Exist) rights. Existence rights are needed to delete or clear a physical file.
In the real world, most applications use the CLRPFM command. Using CLRPFM means that, for each file that is the target of a CLRPFM command, existence rights need to be granted on that file to avoid an authority failure during execution.
To do it properly, what is required is to identify each occurrence of the CLRPFM command and grant object existence or *ALL authority to the target file. Finding instances of the CLRPFM command is straightforward enough using the search capabilities of the Program Development Manager (PDM), but changing the authority on the individual files is a laborious effort. As such, it is often not done and the easy way out is taken, which is to grant *ALL authority to all of the physical files. Not good!
There is a quick, albeit sneaky, way of identifying the targets of the CLRPFM command and granting existence rights to the file. The solution deploys a user-defined variation of the CLRPFM command with a Validity Checking Program attached.
Validity Checking Programs
When creating a user-defined command, you can attach a validity checking program (VCP) that performs additional validity checking of the command’s parameters beyond what the command definition itself provides for. To perform these additional checks, the CL Syntax Checker runs the VCP when a command with one attached is entered (or changed) in a source member. Put another way, when a command with an attached VCP is entered using the Source Entry Utility (SEU) under CL syntax, the program executes right there and then! And if you compile the CL program, the VCP executes again during compilation.
Before we tackle solving the CLRPFM quandary with a VCP let’s take a couple of minutes to knock up a quick example. We’ll write an abbreviated Work Active Job command.
- In the QCMDSRC file, type a member called WAJ (for Work Active Job) containing the single line ‘CMD’
- In the QCLLESRC file, type a member called RETURN containing the single line ‘RETURN’, and compile it. This will be the command processing program (CPP)
- In the QCLLESRC file, type a member called WAJ containing the single line ‘WRKACTJOB’, and compile it. This will be the validity checking program
- Create the command as follows: CRTCMD CMD(WAJ) PGM(RETURN) SRCMBR(WAJ) VLDCKR(*LIBL/WAJ)
Entering the command WAJ into a source member under CL syntax will cause a Work Active Job display to be launched from within SEU!
Compiling the CL program will cause a Work Active Job display to appear again.
Solving our CLRPFM Quandary with a VCP
Let’s now apply the technique above to the CLRPFM command. We’ll name our command @CLRPFM. Since the CLRPFM command has parameters, our programs are a little more involved but not by much.
In Figure 1 below, at call-out A is the command definition of the command @CLRPFM, with parameters representing a qualified file name and a member name.
At call-out B is the VCP which is executing the Grant Object Authority command.
At call-out C is the CPP which has no executable commands.
* It should be noted that the CPP and the VCP should have the same parameters passed whether they are used or not.
Finally at call-out D is the command creation string.
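The four pieces at call-outs A to D, written out as an added example; this is not the article's Figure 1, and the library and member names MYLIB, CLRPFMVCP and CLRPFMCPP are assumed. The VCP here grants *OBJEXIST rather than *ALL, which is the narrower right that clearing a member needs on top of the *CHANGE that *PUBLIC is assumed to hold already, and it reports a failed grant back to the syntax checker.

```cl
/* Member @CLRPFM in QCMDSRC: command definition (call-out A)             */
             CMD        PROMPT('Clear PF member (grant *OBJEXIST)')
             PARM       KWD(FILE) TYPE(QFILE) MIN(1) PROMPT('Physical file')
             PARM       KWD(MBR) TYPE(*NAME) LEN(10) DFT(*FIRST) +
                          SPCVAL((*FIRST)) PROMPT('Member')
 QFILE:      QUAL       TYPE(*NAME) LEN(10)
             QUAL       TYPE(*NAME) LEN(10) DFT(*LIBL) SPCVAL((*LIBL)) +
                          PROMPT('Library')

/* Member CLRPFMVCP in QCLLESRC: validity checking program (call-out B).  */
/* Runs when @CLRPFM is entered under CL syntax in SEU or is compiled,    */
/* and grants only object existence rights on the named file to *PUBLIC.  */
             PGM        PARM(&FILE &MBR)
             DCL        VAR(&FILE) TYPE(*CHAR) LEN(20)  /* name(10)+lib(10) */
             DCL        VAR(&MBR)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&FNAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&FLIB)  TYPE(*CHAR) LEN(10)
             CHGVAR     VAR(&FNAME) VALUE(%SST(&FILE 1 10))
             CHGVAR     VAR(&FLIB)  VALUE(%SST(&FILE 11 10))
             GRTOBJAUT  OBJ(&FLIB/&FNAME) OBJTYPE(*FILE) USER(*PUBLIC) +
                          AUT(*OBJEXIST)
             MONMSG     MSGID(CPF0000) EXEC(DO)
             /* VCP error convention: CPD0006 *DIAG (4-char code + text) */
             /* followed by CPF0002 *ESCAPE makes the checker flag the line */
             SNDPGMMSG  MSGID(CPD0006) MSGF(QCPFMSG) +
                          MSGDTA('0000' *CAT 'GRTOBJAUT failed for ' +
                          *CAT &FLIB *TCAT '/' *CAT &FNAME) MSGTYPE(*DIAG)
             SNDPGMMSG  MSGID(CPF0002) MSGF(QCPFMSG) MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM

/* Member CLRPFMCPP in QCLLESRC: command processing program (call-out C). */
/* Same parameters as the VCP, no executable commands: a saved @CLRPFM    */
/* would clear nothing at run time, so the source is exited without update */
             PGM        PARM(&FILE &MBR)
             DCL        VAR(&FILE) TYPE(*CHAR) LEN(20)
             DCL        VAR(&MBR)  TYPE(*CHAR) LEN(10)
             ENDPGM

/* Command creation string (call-out D), after compiling both programs:  */
CRTCMD     CMD(MYLIB/@CLRPFM) PGM(MYLIB/CLRPFMCPP) +
             SRCFILE(MYLIB/QCMDSRC) SRCMBR(@CLRPFM) +
             VLDCKR(MYLIB/CLRPFMVCP)
```

Because the VCP runs under the profile of whoever is editing the source, that user must themselves be authorized to change authorities on the files, and each grant is an ordinary GRTOBJAUT that security auditing records like any other.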
The underlying search function of PDM is the command Find String PDM (FNDSTRPDM), and we can run it over our production CL source file to find all occurrences of CLRPFM and change them to @CLRPFM by inserting the @ sign. This causes the VCP to execute and thereby grant *ALL authority to *PUBLIC for the referenced file. Repeat the ‘Find’ within the member until all CLRPFM commands have been found, then exit the source member without update. Repeat until FNDSTRPDM has finished executing.
FNDSTRPDM STRING(CLRPFM) FILE(MYLIB/QCLLESRC) MBR(*ALL)
Using the technique described herein applies existence rights, i.e. the right to clear the file, to only those files that need them. All other files keep the standard authority.
About the Author:
Trevor Seeney is the Technical Director at Sentinex Inc. Trevor is a specialist in IBM/i system security. A COMMON presentation entitled ‘How an iSeries/400 is hacked and how to stop it’ spawned an article for Midrange Computing and a Webinar on Search-400. Trevor also developed a workstation security product for the System/i, which secures inactive work stations and is commercially available today under the name of ScreenSafer/400 and is distributed by Kisco Information Systems.