Kisco Systems

IBM i Security Tips


Restricting Use Of Certain System Commands

By Rich Loeber

When your IBM i is prepared in the factory, it is set so that most system commands and APIs have a public authority of *USE. This setting lets anyone use just about any command or API on your system, but some of those commands and APIs could be used for malicious purposes. This tip will show you a way that IBM has provided in the operating system to easily restrict the commands and APIs that can be most problematic.

The secret to this is the Revoke Public Authority (RVKPUBAUT) command. This command, which calls a program named QSECRVKP in library QSYS, can be used to change the public authority for a host of commands and APIs to *EXCLUDE. Doing this will allow you to control exactly which user profiles will have access to these commands so that you know who will be trusted with them.

Before you run out and execute the RVKPUBAUT command, you need to know what it is going to change on your system. (For example, it restricts the RSTOBJ and RSTLIB commands.) To get a full understanding of which commands and APIs will be changed, you can either take a look in the system documentation or, better yet, you can retrieve the CL program source for the QSECRVKP program and examine it yourself. You can use the following command to retrieve the source code for this purpose:

RTVCLSRC PGM(QSECRVKP) SRCFILE(mylib/QCLSRC)

This assumes that you already have a source physical file in your library named QCLSRC.

The RVKPUBAUT command itself takes a single parameter: the name of the library where these objects are stored. At a minimum, you should run the command for the QSYS library. If you have more than one national language on your system, you should also run the command for every QSYSxxx library on your system.

If you see commands and/or APIs where you do not want to change the system default, you can make changes to the retrieved CL source program and recompile it. Do not place the newly compiled program back into QSYS as that will destroy the original as shipped from the factory. It would be best to put the copy in a different library along with your own copy of the command object named RVKPUBAUT. Change the library settings on your copy of the command to point to your modified version of the program. Then, when you run the command, run it from your library and not from the QSYS library.

You should also be aware that running the RVKPUBAUT command will change the public setting for the root directory of the IFS on your system. It will change it to *USE unless it is already at that level or lower.

Once you have these commands and APIs restricted, you can then go about authorizing them to the specific individuals in your organization who really do need to use them. The best way to set this up is to create an authorization list for this set of users and then set up each of the commands and APIs to point to the authorization list. Then, as people come and go, a simple change to the authorization list will take care of all authorization issues for these restricted use commands and APIs.
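The authorization list setup described above could look like the following CL program. This is an added example, not code from the original tip; the list name RSTCMDS and the user profiles OPSUSER1 and OPSUSER2 are placeholder names, and only the two commands named earlier (RSTOBJ and RSTLIB) are shown.

```cl
/* Added example, not from the original tip.                          */
/* RSTCMDS, OPSUSER1 and OPSUSER2 are placeholder names.              */
PGM
  /* Create the list only if it does not exist yet. Public authority  */
  /* on the list is *EXCLUDE so that only listed users gain access.   */
  CHKOBJ     OBJ(QSYS/RSTCMDS) OBJTYPE(*AUTL)
  MONMSG     MSGID(CPF9801) EXEC(DO)
    CRTAUTL    AUTL(RSTCMDS) AUT(*EXCLUDE) +
                 TEXT('Users trusted with restricted commands')
    ADDAUTLE   AUTL(RSTCMDS) USER(OPSUSER1 OPSUSER2) AUT(*USE)
  ENDDO

  /* Secure each restricted command with the list. The command's own  */
  /* public authority stays at *EXCLUDE as set by RVKPUBAUT; users on */
  /* the list get *USE through the list.                              */
  GRTOBJAUT  OBJ(QSYS/RSTOBJ) OBJTYPE(*CMD) AUTL(RSTCMDS)
  GRTOBJAUT  OBJ(QSYS/RSTLIB) OBJTYPE(*CMD) AUTL(RSTCMDS)

  /* Print the resulting authorities so they can be reviewed. */
  DSPOBJAUT  OBJ(QSYS/RSTOBJ) OBJTYPE(*CMD) OUTPUT(*PRINT)
  DSPOBJAUT  OBJ(QSYS/RSTLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
  DSPAUTL    AUTL(RSTCMDS) OUTPUT(*PRINT)
ENDPGM
```

Later staffing changes are then made with ADDAUTLE and RMVAUTLE against the list, without touching the individual commands. Profiles with *ALLOBJ special authority can still run the commands regardless of the list.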

If you have any questions about this topic you can reach me at rich at kisco.com. I'll try to answer any questions you may have. All email messages will be answered.