Command Line Security - Part 2

By Rich Loeber

Last time, in part one of this two part series, we talked about limiting access to the use of the IBM i OS command line. For some installations, however, you may have some good business reasons for providing command line access. In part two, we'll take a look at how you can restrict access to specific commands in IBM i OS.

Every command in the OS exists as an object on the system with object type *CMD. The best way to control access to use of the commands is through IBM i object security. Command objects can exist in any library. The OS commands are generally all found in the QSYS library. Command objects can be part of the IBM i OS and they can also be part of application programs installed on your system either from your own homegrown applications or from software providers other than IBM.

Most OS commands are shipped from IBM with the public authority set to *USE. This means that anyone on your system can run any command. To restrict a command, change the public authority to *EXCLUDE. When you make this change, then only users with all object authority (generally a no-no in a security conscious installation) will be able to run the command. Then, using either an authorization list or by granting specific user profile access, you can control who can run the command.

For example, suppose that you decide that you want to restrict the use of the Work with Output Queue (WRKOUTQ) command. This is one of the commands that is shipped with public authority of *USE. To change the public authority to *EXCLUDE, run the following Grant Object Authority (GRTOBJAUT) command:

GRTOBJAUT OBJ(QSYS/WRKOUTQ) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

Now, if you have a set of users that you specifically want to allow access to the command, you can grant them individual access using the following command format:

GRTOBJAUT OBJ(QSYS/WRKOUTQ) OBJTYPE(*CMD) USER(MYPROFILE) AUT(*USE)

The USER parameter can point to a specific user profile or to a group profile. If you have implemented group profile security, this is the better way to approach this issue.

When setting up command security using this method, you can use wildcard characters for the object name in the Grant Object Authority command. Using this method, you can update the public and private authority for many related commands all at the same time. The IBM i OS Security Guide suggests controlling all of the commands that change device configurations as an example. Using that example, the following command would do the trick:

GRTOBJAUT OBJ(QSYS/CHGDEV*) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)

Your best approach is still to limit user's ability to run commands directly from the command line. But, if you absolutely have to allow it, then make sure that an inquisitive users doesn't accidentally (or purposefully) run a command that you don't want them running.

If you have any questions about this topic, you can reach me at rich at kisco.com, I'll try to answer your questions. All email messages will be answered.