Kisco Systems

Kisco U

IBM i Remote Program Security Loopholes


Command line access is an important IBM i security risk. Most users should be configured with Limited Capabilities (LMTCPB) to block the terminal session command line.

However, it is critically important to realize that users with limited capabilities can STILL execute IBM i commands and programs through various network-connected contexts such as ACS "Run SQL Scripts" and FTP.

Let's look at running CL programs through these remote connections.

In ACS "Run SQL Scripts", users can execute any command on a system by using the ACS "CL:" operation. The ACS "CL:" operation actually issues a SQL "CALL" to QCMDEXC, which can allow a user to execute any IBM i command, including calls to other programs.

In FTP, users can execute CL on the remote system by using the QUOTE RCMD statement. The RCMD (Remote Command) FTP-server subcommand is the equivalent of having a command line on the system.

Blocking FTP Verbs in Function Usage

Function ID QIBM_QTMF_SERVER_REQ_9 in IBM i Navigator "Function Usage" can be configured to limit access to the RCMD command.

Note: FTP SYSCMD runs a program on the local system. It can be controlled by function ID QIBM_QTMF_CLIENT_REQ_9.

Exit Points

What if there is a valid business case for executing CL through FTP? In this case you might want to allow access, but limit what can be done. You can do this with an exit point. In addition, exit points are the ONLY way to limit SQL capabilities through a remote connection.

Use *SQLSRV exit points to interrogate and control remote SQL.

Use *FTPSERVER exit points to control FTP capabilities.

In both cases, the exit program must parse the request to extract the verb(s) to execute.

  • For SQL: "CALL"
  • For FTP: "RCMD"

Those verbs can then be compared against an authorized user list. If the requesting user is authorized, then the exit program will return a 1 bit to allow the request through.

We recommend a second level of filtering to further limit the capabilities for CL program requests. The exit program can be configured to allow/deny specific CL commands. In this way, a user can be granted access to FTP or SQL and can even be granted access to call programs, but will ultimately be limited in which commands they can run.
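The two-level check described above, sketched as an added example; it is not Kisco's or SafeNet/i's code and does not reproduce the IBM exit point parameter format. It assumes the exit program has already extracted the user, verb and CL text as NUL-terminated strings; the policy table, user names and function names are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample policy: user, verb they may use, CL commands allowed. */
struct rule { const char *user, *verb, *cmds[4]; };
static const struct rule POLICY[] = {
    { "FTPBATCH", "RCMD", { "CLRPFM", "CPYF", NULL } },
    { "RPTUSER",  "CALL", { "DSPLIBL", NULL } },
};

/* Copy the CL command name out of a request string into out, upper-cased:
   skips leading blanks and drops a LIB/ qualifier. Returns 0 on failure. */
static int cl_command_name(const char *req, char *out, size_t outlen)
{
    size_t n = 0;
    while (*req == ' ') req++;
    for (; *req && *req != ' '; req++) {
        if (*req == '/') { n = 0; continue; }   /* QSYS/DLTLIB -> DLTLIB */
        if (n + 1 >= outlen) return 0;          /* name too long: fail closed */
        out[n++] = (char)toupper((unsigned char)*req);
    }
    out[n] = '\0';
    return n > 0;
}

/* Returns 1 to allow the request, 0 to reject it. The default is reject. */
int check_request(const char *user, const char *verb, const char *cl_text)
{
    char name[11];  /* IBM i object names are at most 10 characters */
    size_t i, j;
    if (!cl_command_name(cl_text, name, sizeof name)) return 0;
    for (i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        if (strcmp(POLICY[i].user, user) || strcmp(POLICY[i].verb, verb))
            continue;                           /* level 1: user + verb */
        for (j = 0; POLICY[i].cmds[j]; j++)     /* level 2: CL command */
            if (strcmp(POLICY[i].cmds[j], name) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed requests: the first is allowed, the second is rejected. */
    return !(check_request("FTPBATCH", "RCMD", "qsys/clrpfm FILE(APPLIB/ORDERS)") == 1
          && check_request("FTPBATCH", "RCMD", "DLTLIB LIB(APPLIB)") == 0);
}
```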

Our exit point software, SafeNet/i, has built-in SQL and FTP filtering to support this granular level of access control. It also controls remote program execution through DDM, RMTSRV, and REXEC.

Read more about SafeNet here.