Coffee with Carol: Cutting Through IBM i Security Confusion

© HelpSystems. All Rights Reserved. 12/28/2015. Cutting Through IBM i Security Confusion. Carol Woodbury, VP of Global Security Services.

Upload: helpsystems

Post on 22-Jan-2018



Page 1:

Cutting Through IBM i Security Confusion

Carol Woodbury, VP of Global Security Services

Page 2:

Meet Your Presenter

HOST & PRESENTER: Carol Woodbury

VP of Global Security Services

Page 3:

Topic: Cutting Through IBM i Security Confusion

ABSTRACT: Security expert Carol Woodbury gets tons of questions about IBM i security, including straightforward questions about security concepts. But some questions address the more obscure features and functions of IBM i security:

• What's the difference between profile swap and program adopt?
• In what order does the system check authority?
• How can you use attributes of the output queue to avoid granting users *SPLCTL authority?

In this session, Carol will answer these and other questions about the most confusing aspects of IBM i security. Join us for information that will be useful for both beginners and veterans.

Page 4:

Program Adopt

Page 5:

Adopted authority

• Used to temporarily give authority
• When a program with USRPRF(*OWNER) runs, the authority in effect is that of the user plus that of the owner of the program
• Both special authorities and private authorities are adopted (the program owner's groups are not included)
• The additional authority is in effect for as long as the program is in the call stack

Page 6:

How can I tell whether a program adopts?

Page 7:

Adopted authority example #1

Program call stack                                   Authorities checked
PGM_A   Owner: APP_OWNER   User profile: *USER       CJW
PGM_B   Owner: APP_OWNER   User profile: *OWNER      CJW, then APP_OWNER
PGM_C   Owner: QSECOFR     User profile: *OWNER      CJW, then APP_OWNER, then QSECOFR

Page 8:

Adopted authority example #2

Program call stack                                                                Authorities checked
PGM_A   Owner: APP_OWNER   User profile: *OWNER                                   CJW, then APP_OWNER
PGM_B   Owner: QSECOFR     User profile: *OWNER                                   CJW, then APP_OWNER, then QSECOFR
PGM_D   Owner: APP_OWNER   User profile: *USER    Use adopted authority: *NO      Only CJW

Page 9:

Adopted authority example #3

Program call stack                                                                     Authorities checked
PGM_A        Owner: APP_OWNER   User profile: *OWNER                                   CJW, then APP_OWNER
PGM_B        Owner: QSECOFR     User profile: *OWNER                                   CJW, then APP_OWNER, then QSECOFR
PGM_cmdline  Owner: APP_OWNER   User profile: *USER    Use adopted authority: *NO      Only CJW
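The three call-stack examples above, as an added runnable model written for this page (it is not code from the deck and not IBM's implementation). It applies the rule the slides state: walk the call stack from the running program back toward its callers, add the owner of every program that runs with USRPRF(*OWNER), and stop at the first program marked USEADPAUT(*NO). Program names, owners and the job user CJW are the slides'; the walk direction, the stop-at-*NO rule and the extra "unsafe command line" stack are assumptions made here and marked in comments.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Program:
    """The two program attributes that matter for adoption (both are shown by DSPPGM)."""
    name: str
    owner: str
    user_profile: str = "*USER"          # USRPRF(*USER) or USRPRF(*OWNER)
    use_adopted_authority: str = "*YES"  # USEADPAUT(*YES) or USEADPAUT(*NO)


def profiles_checked(call_stack: List[Program], job_user: str) -> List[str]:
    """Profiles whose authority is in effect while the LAST program in call_stack runs.

    Modelling assumption: the check walks from the running program back toward its
    callers, collecting the owner of every USRPRF(*OWNER) program, and stops at the
    first program with USEADPAUT(*NO); that program still adopts its own owner.
    The job user is listed first and adopted owners follow in call order, as on the slides.
    """
    adopted: List[str] = []
    for pgm in reversed(call_stack):
        if pgm.user_profile == "*OWNER" and pgm.owner != job_user and pgm.owner not in adopted:
            adopted.append(pgm.owner)
        if pgm.use_adopted_authority == "*NO":
            break  # adoption by earlier callers does not flow into this program
    return [job_user] + adopted[::-1]


def trace(call_stack: List[Program], job_user: str) -> List[List[str]]:
    """One entry per program as it is pushed on the stack, like the slides' tables."""
    return [profiles_checked(call_stack[:depth], job_user)
            for depth in range(1, len(call_stack) + 1)]


# Example #1 from the deck
EXAMPLE_1 = [
    Program("PGM_A", "APP_OWNER", "*USER"),
    Program("PGM_B", "APP_OWNER", "*OWNER"),
    Program("PGM_C", "QSECOFR", "*OWNER"),
]
# Example #2: PGM_D is marked USEADPAUT(*NO), so only the job user is checked while it runs
EXAMPLE_2 = [
    Program("PGM_A", "APP_OWNER", "*OWNER"),
    Program("PGM_B", "QSECOFR", "*OWNER"),
    Program("PGM_D", "APP_OWNER", "*USER", "*NO"),
]
# Constructed variant, not on the slides: the same stack but the command line program
# left at USEADPAUT(*YES), which is exactly how QSECOFR's authority leaks to a command line
UNSAFE_CMDLINE = EXAMPLE_2[:2] + [Program("PGM_cmdline", "APP_OWNER", "*USER", "*YES")]

if __name__ == "__main__":
    for label, stack in (("#1", EXAMPLE_1), ("#2", EXAMPLE_2), ("unsafe cmdline", UNSAFE_CMDLINE)):
        for pgm, checked in zip(stack, trace(stack, "CJW")):
            print(f"{label:15} {pgm.name:12} {' then '.join(checked)}")
```

On a real system the two attributes come from DSPPGM (the "User profile" and "Use adopted authority" values), and PRTADPOBJ USRPRF(QSECOFR) lists every object that adopts a given profile, which is the quickest way to answer the question on page 6 for a whole system.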

Page 10:

Adopted authority limitations

• Stack-based: when the program is active, adopted authority is available
• Adopted authority is dropped when submitting a job, running a remote command, using FTP, etc.
• Adopted authority is ignored by the IFS (you can't use adopted authority to gain access to a directory or to a file in a directory)

Page 11:

Power of adopted authority

• Ensure a menu-based application continues to have sufficient authority when setting the files to *PUBLIC *EXCLUDE
  – You do not have to adopt an *ALLOBJ profile; adopting the profile that owns the files is enough
• Provide authority for single-purpose utilities
  – Reset user profile passwords and status
  – Enable devices
• Clearly, you never want the adopted authority of a powerful profile (a profile with *ALLOBJ) to flow out to a command line!

Page 12:

Authority Search Order

USER: *ALLOBJ, then Private, then Authorization List
  – Stops when ANY authority is found

GROUP(S): *ALLOBJ, then Primary Group, then Private, then Authorization List
  – Repeats for each group until sufficient authority is accumulated or there are no more groups

*PUBLIC: Object or Authorization List
  – Checked when no authority is found for the User or the Group(s)

Adopted
  – Checked when authority is not sufficient; runs the User portion of the algorithm for the program owner
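The search order on this page, as an added runnable model written for this edit (it is not IBM's implementation and not code from the deck). The profiles, objects and authorities in it are constructed sample data. Assumptions beyond the slide, marked in comments: a primary-group authority is treated as the group's private authority, and an object whose *PUBLIC is *AUTL takes the public authority from its authorization list.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple, Union

# Named authority levels expanded to the object and data rights they contain
_NAMED = {
    "*EXCLUDE": frozenset(),
    "*USE":     frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
    "*CHANGE":  frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*ALL":     frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
                           "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
}
Auth = Union[str, FrozenSet[str]]

def expand(auth: Auth) -> FrozenSet[str]:
    return _NAMED[auth] if isinstance(auth, str) else frozenset(auth)

@dataclass
class Profile:
    name: str
    allobj: bool = False            # holds *ALLOBJ special authority
    groups: Tuple[str, ...] = ()    # group profiles, primary group first

@dataclass
class AuthList:                     # an authorization list securing the object
    private: Dict[str, Auth] = field(default_factory=dict)
    public: Auth = "*EXCLUDE"

@dataclass
class SecuredObject:
    private: Dict[str, Auth] = field(default_factory=dict)  # private authorities (a primary-group
    public: Auth = "*EXCLUDE"                               # authority is modelled as one of these)
    autl: Optional[AuthList] = None                         # public="*AUTL" defers to autl.public

def _granted(name: str, obj: SecuredObject) -> Optional[Auth]:
    """Private authority to the object first, then via the authorization list; None = not found."""
    if name in obj.private:
        return obj.private[name]
    if obj.autl is not None and name in obj.autl.private:
        return obj.autl.private[name]
    return None

def _user_portion(p: Profile, obj: SecuredObject, need: FrozenSet[str]) -> Tuple[bool, bool]:
    """*ALLOBJ, then private, then authorization list. Returns (found?, sufficient?)."""
    if p.allobj:
        return True, True
    granted = _granted(p.name, obj)
    return (False, False) if granted is None else (True, need <= expand(granted))

def _adopted(obj, need, profiles, adopted_owners) -> Tuple[bool, str]:
    """Adopted: the USER portion again for each adopting program's owner (the owner's groups are not used)."""
    for owner in adopted_owners:
        found, ok = _user_portion(profiles[owner], obj, need)
        if found and ok:
            return True, f"adopted {owner}"
    return False, "denied"

def check_authority(user: str, obj: SecuredObject, need: Auth, profiles: Dict[str, Profile],
                    adopted_owners: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Model of the slide's search order. Returns (authorized?, the step that decided it)."""
    need = expand(need)
    found, ok = _user_portion(profiles[user], obj, need)
    if found:                      # USER: stops when ANY authority is found, even *EXCLUDE
        return (True, "user") if ok else _adopted(obj, need, profiles, adopted_owners)
    accumulated: FrozenSet[str] = frozenset()
    group_found = False            # GROUP(S): rights accumulate until sufficient or no more groups
    for g in profiles[user].groups:
        if profiles[g].allobj:
            return True, f"group {g} (*ALLOBJ)"
        granted = _granted(g, obj)
        if granted is not None:
            group_found = True
            accumulated |= expand(granted)
            if need <= accumulated:
                return True, f"group {g}"
    if group_found:                # some group authority found but not enough: *PUBLIC is skipped
        return _adopted(obj, need, profiles, adopted_owners)
    public = obj.autl.public if obj.public == "*AUTL" else obj.public
    if need <= expand(public):     # *PUBLIC: only when neither user nor groups had any authority
        return True, "*PUBLIC"
    return _adopted(obj, need, profiles, adopted_owners)

# Constructed sample data (not from the deck): a payroll file and a public template file
PROFILES = {
    "QSECOFR": Profile("QSECOFR", allobj=True), "APP_OWNER": Profile("APP_OWNER"),
    "CJW": Profile("CJW", groups=("ACCTG",)), "BOB": Profile("BOB", groups=("ACCTG", "MGRS")),
    "ALICE": Profile("ALICE"), "CAROL": Profile("CAROL", groups=("TEMPS",)),
    "ACCTG": Profile("ACCTG"), "MGRS": Profile("MGRS"), "TEMPS": Profile("TEMPS"),
}
PAYROLL = SecuredObject(public="*EXCLUDE", private={
    "CJW": "*USE", "ACCTG": "*CHANGE", "MGRS": frozenset({"*OBJMGT"}), "APP_OWNER": "*ALL"})
TEMPLATE = SecuredObject(public="*CHANGE", private={"TEMPS": "*EXCLUDE"})

if __name__ == "__main__":
    # CJW's own *USE is found first, so the ACCTG group's *CHANGE is never consulted
    print(check_authority("CJW", PAYROLL, "*CHANGE", PROFILES))                  # (False, 'denied')
    print(check_authority("CJW", PAYROLL, "*CHANGE", PROFILES, ("APP_OWNER",)))  # (True, 'adopted APP_OWNER')
    print(check_authority("BOB", PAYROLL, {"*OBJOPR", "*OBJMGT"}, PROFILES))     # (True, 'group MGRS')
    print(check_authority("CAROL", TEMPLATE, "*USE", PROFILES))                  # (False, 'denied')
```

The two cases to take away are the ones practitioners most often get wrong: CJW's own *USE blocks the ACCTG group's *CHANGE because the user step stops as soon as any authority is found, and CAROL's group *EXCLUDE blocks the template's *PUBLIC *CHANGE because *PUBLIC is only consulted when no user or group authority exists at all.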

Page 13:

Profile Swap

Page 14:

Profile swap

• Profile under which the process is running is changed.

Job 075220/CJW/QPADEV000B before the swap:
  Groups: MGR1, ACCTG   Spcaut: *NONE   Limit cap: *YES   Auditing: *JOBBAS

Job 075220/CJW/QPADEV000B after the swap (the job name does not change):
  Groups: SALES, MKTG   Spcaut: *JOBCTL   Limit cap: *PARTIAL   Auditing: *CMD

Page 15:

Often used for server or prestart jobs

• The job is started as an IBM-supplied profile; when a request comes in, it swaps to the requestor

Page 16:

Used to elevate privileges

• One of the options provided by vendors to elevate privileges

Page 17:

Profile swap APIs

• Requires you to know the password or have *USE authority to the profile to obtain a handle (so a private authority to a user profile object is itself an elevation path worth auditing)
  – A profile handle is only valid within the job that requested it
• Variations:
  – Profile token: can be passed between programs
  – SETGID: only swaps the first group
  – SETUID: only swaps the user; the group(s) remain

Page 18:

Where to look in audit journal entries

• Two user profile fields in the header of each audit journal entry (xx is the two-character entry type, so for an AF entry they are AFUSER and AFUSPF)
• xxUSER is the Job user
• xxUSPF is the Current user

Page 19:

Comparing Adopted authority and Profile Swap

Adopted authority: Attribute of a program
Profile swap: Invoked via APIs

Adopted authority: Available for as long as the program that's adopting is in the call stack
Profile swap: Available unless/until the profile is swapped back to the original

Adopted authority: Current user stays the same
Profile swap: Current user is changed

Adopted authority: Can always examine the Current user (xxUSPF) field in the audit entry
Profile swap: May need to look in the Current user (xxUSPF) field or the Job user (xxUSER) field of the audit entry, depending on how the swap occurred

Adopted authority: Program owner's group(s) authority is not available
Profile swap: Profile's groups are also swapped in

Adopted authority: Limited capability is not adopted
Profile swap: Limited capability is swapped in

Adopted authority: Ignored by the IFS
Profile swap: Can be used to access objects in the IFS

Adopted authority: Spooled files owned by the current user
Profile swap: Spooled files owned by the swapped-to user

Page 20:

Controlling Access to Printed Output

Page 21:

Special authorities

Special authority   Definition
*AUDIT              Auditing configuration
*IOSYSCFG           Communications configuration and management
*JOBCTL             Management of any job on the system
*SAVSYS             Ability to save and restore any object on the system, or the entire system, regardless of authority to the object
*SECADM             Create/change/delete user profiles
*SERVICE            Ability to use Service Tools
*SPLCTL             Access to every spooled file on the system regardless of authority to the outq
*ALLOBJ             Access to EVERY object on the system. It is not possible to prevent an *ALLOBJ user from accessing an object.

Page 22:

Factors that affect spool file security

• Special authorities
  – *SPLCTL
  – *JOBCTL
• Users' authority to the outq itself
• Attributes of the outq
  – Display data (DSPDTA)
  – Authority check (AUTCHK)
  – Operator control (OPRCTL)

Page 23:

Special authorities

• *SPLCTL
  – Equivalent of *ALLOBJ for spooled files
  – Cannot prevent someone with *SPLCTL from seeing any spooled file on the system
• *JOBCTL
  – If the OPRCTL attribute of the outq is *YES (the default), then anyone with *JOBCTL can hold, change, delete, and release the outq: CHGOUTQ, CLROUTQ, HLDOUTQ, RLSOUTQ, STRPRTWTR, STRRMTWTR
  – *JOBCTL and OPRCTL(*YES) allow management of the outq itself; whether the contents can be displayed depends on the DSPDTA attribute (see page 24)

Page 24:

Who can see the output: Display Data (DSPDTA)

• Controls who can run:
  – Display Spooled File (DSPSPLF)
  – Copy Spooled File (CPYSPLF)
  – Send Spooled File (SNDNETSPLF)
  – Change Spooled File Attributes (CHGSPLFA) to move the spooled file between outqs
• If DSPDTA = *NO (default), then one of the following must be true to be able to display, send, or copy a spooled file owned by someone else:
  – OPRCTL is *YES, and the user has *JOBCTL special authority
  – AUTCHK is *DTAAUT, and the user has *CHANGE authority to the outq
  – AUTCHK is *OWNER, and the user trying to perform the operation owns the outq
• If DSPDTA = *YES, then
  – Users with *READ to the output queue can display, copy, or send a spooled file owned by someone else
  – Remember that *PUBLIC defaults to *CHANGE (the shipped QCRTAUT value), which includes *READ
• If DSPDTA = *OWNER, then
  – Only the owner of the spooled file (or a user with *SPLCTL special authority) can display, copy, send, or move the file
  – If OPRCTL is *YES and the user has *JOBCTL, the user can manage the outq but not display the contents

Page 25:

Who can manage others' spooled files: Authority Check (AUTCHK)

• Controls who can run:
  – Change Spooled File Attributes (CHGSPLFA)
  – Delete Spooled File (DLTSPLF)
  – Hold Spooled File (HLDSPLF)
  – Release Spooled File (RLSSPLF)
  – Change Output Queue (CHGOUTQ)
  – Clear Output Queue (CLROUTQ)
  – Hold Output Queue (HLDOUTQ)
  – Release Output Queue (RLSOUTQ)
• If AUTCHK = *OWNER (default), then
  – Only the owner of the outq can manage the spooled files of others
• If AUTCHK = *DTAAUT, then
  – Users with *READ, *ADD, and *DLT authority (or *CHANGE authority) to the outq can manage spooled files owned by others

Page 26:

Scenario 1

• HR Department prints reports with salary information. Only the users in the HR Department should be able to see these reports and manage how and when they're printed. Create the outq with the following attributes:

CRTOUTQ OUTQ(HR_LIB/HR_OUTQ) DSPDTA(*YES) OPRCTL(*NO) +
        AUTCHK(*OWNER) AUT(*EXCLUDE)

• Have the HR group own the outq so they can manage the spooled files as well as start the writer to print the documents:

CHGOBJOWN OBJ(HR_LIB/HR_OUTQ) OBJTYPE(*OUTQ) +
          NEWOWN(HR_GROUP)

• OPRCTL(*NO) keeps operators who only have *JOBCTL out; users with *SPLCTL special authority can still see every spooled file regardless of these settings

Page 27:

Scenario 2

• Accounting Department prints confidential reports, but the operators need to manage the spooled files and route them to the writer loaded with the appropriate form. Create the outq with the following attributes:

CRTOUTQ OUTQ(ACCT_LIB/ACCT_OUTQ) DSPDTA(*OWNER) +
        OPRCTL(*YES) AUTCHK(*OWNER) AUT(*EXCLUDE)

• Grant authority to Accounting so they can use the outq:

GRTOBJAUT OBJ(ACCT_LIB/ACCT_OUTQ) OBJTYPE(*OUTQ) +
          USER(ACCT_GRP) AUT(*CHANGE)

Page 28:

Summary - leaving everything at the defaults

• Default settings
  – DSPDTA(*NO)
  – AUTCHK(*OWNER)
  – OPRCTL(*YES)
• Users with *JOBCTL can manage (start and stop) all writers and spooled files (hold, release, etc.)
• Users who do not have *JOBCTL will only be able to see and manage their own spooled files
• Users with *SPLCTL can see all output and manage all writers regardless of the outq settings
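The rules on pages 22 through 28, collapsed into one added runnable model (written for this page; it is not IBM's code and not from the deck) and run against the two scenarios and the shipped defaults. Assumptions beyond the slides, marked in comments: ownership through a group profile counts as owning the outq; the owner of ACCT_OUTQ (ACCT_OWNER) and all user names are constructed; authority to the outq resolves as owner first, then the user's private authority, then a group's, then *PUBLIC.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

_NAMED = {"*EXCLUDE": frozenset(), "*USE": frozenset({"*OBJOPR", "*READ", "*EXECUTE"}),
          "*CHANGE": frozenset({"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
          "*ALL": frozenset({"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
                             "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"})}

@dataclass
class OutQ:
    """The CRTOUTQ/CHGOUTQ attributes that decide spooled-file access, defaulted as shipped."""
    owner: str
    dspdta: str = "*NO"       # *NO | *YES | *OWNER
    autchk: str = "*OWNER"    # *OWNER | *DTAAUT
    oprctl: str = "*YES"      # *YES | *NO
    public: str = "*CHANGE"   # AUT(); *CHANGE is what the shipped QCRTAUT value gives you
    private: Dict[str, str] = field(default_factory=dict)   # profile -> authority level

@dataclass
class User:
    name: str
    groups: Tuple[str, ...] = ()
    spcaut: FrozenSet[str] = frozenset()   # special authorities, e.g. {"*JOBCTL"}

def owns_outq(user: User, q: OutQ) -> bool:
    # Assumption: a member of the group profile that owns the queue counts as its owner
    return q.owner == user.name or q.owner in user.groups

def outq_authority(user: User, q: OutQ) -> FrozenSet[str]:
    """Assumed resolution: owner gets *ALL, else the user's private authority, else a group's, else *PUBLIC."""
    if owns_outq(user, q):
        return _NAMED["*ALL"]
    for name in (user.name, *user.groups):
        if name in q.private:
            return _NAMED[q.private[name]]
    return _NAMED[q.public]

def _operator(user: User, q: OutQ) -> bool:
    """*JOBCTL only counts on a queue with OPRCTL(*YES)."""
    return q.oprctl == "*YES" and "*JOBCTL" in user.spcaut

def _autchk(user: User, q: OutQ) -> bool:
    """AUTCHK decides who may act on OTHER users' spooled files in the queue."""
    if q.autchk == "*OWNER":
        return owns_outq(user, q)
    return {"*READ", "*ADD", "*DLT"} <= outq_authority(user, q)   # *DTAAUT

def can_display(user: User, q: OutQ, splf_owner: str) -> bool:
    """DSPSPLF, CPYSPLF, SNDNETSPLF, or CHGSPLFA to move the file to another outq."""
    if splf_owner == user.name or "*SPLCTL" in user.spcaut:
        return True                      # your own files, and *SPLCTL, are never blocked
    if q.dspdta == "*OWNER":
        return False                     # nobody else, not even *JOBCTL operators
    if q.dspdta == "*YES" and "*READ" in outq_authority(user, q):
        return True
    return _operator(user, q) or _autchk(user, q)   # the DSPDTA(*NO) rules

def can_manage(user: User, q: OutQ, splf_owner: str) -> bool:
    """HLDSPLF, RLSSPLF, DLTSPLF, CHGSPLFA on a spooled file in the queue."""
    if splf_owner == user.name or "*SPLCTL" in user.spcaut:
        return True
    return _operator(user, q) or _autchk(user, q)

# Scenario 1 (page 26): HR queue owned by the HR group, operators kept out
HR_OUTQ = OutQ(owner="HR_GROUP", dspdta="*YES", oprctl="*NO", autchk="*OWNER", public="*EXCLUDE")
# Scenario 2 (page 27): operators manage but cannot read; ACCT_OWNER is an assumed owner
ACCT_OUTQ = OutQ(owner="ACCT_OWNER", dspdta="*OWNER", oprctl="*YES", autchk="*OWNER",
                 public="*EXCLUDE", private={"ACCT_GRP": "*CHANGE"})
# Page 28: everything left at the defaults
DEFAULT_OUTQ = OutQ(owner="QSYS")

# Constructed users
HR_USER = User("HRUSER", groups=("HR_GROUP",))
ACCT_USER = User("ACCTUSR", groups=("ACCT_GRP",))
OPERATOR = User("OPER", spcaut=frozenset({"*JOBCTL"}))
SPOOL_ADMIN = User("SPLADM", spcaut=frozenset({"*SPLCTL"}))
PLAIN = User("PLAIN")

if __name__ == "__main__":
    for label, q in (("HR", HR_OUTQ), ("ACCT", ACCT_OUTQ), ("DEFAULT", DEFAULT_OUTQ)):
        for u in (HR_USER, ACCT_USER, OPERATOR, SPOOL_ADMIN, PLAIN):
            # "SOMEONE" owns the spooled file, so every line is the other-user case
            print(f"{label:8}{u.name:8} display={can_display(u, q, 'SOMEONE')!s:6} "
                  f"manage={can_manage(u, q, 'SOMEONE')}")
```

The table it prints is the check to run before trusting an outq design: in the Accounting queue the operator manages but cannot read, the Accounting user reads only their own files, and in both scenarios the *SPLCTL user sees everything no matter what the queue says, which is the reason the deck's approach is to keep *SPLCTL off user profiles and use the queue attributes instead.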

Page 29:

General points

• You can always manage the spooled files you created
• Authorities on the queue apply to all spooled files in the queue
  – Cannot change the authority of a specific spooled file
• Spooled files are always owned by the profile creating the spooled file
  – Cannot change the ownership of an individual spooled file

Page 30:

IBM i Security Reference, Chapter 6

Page 31:

IBM i Security Reference, Appendix D

Page 32:

Application Administration

Page 33:

Application Administration

• App Admin was created to provide a method of controlling access to a function
• Can control access to features of i Navigator, Navigator for i, and i Access, and to functions on IBM i, including network access such as FTP and ODBC
• You can create your own functions, and register and control them as well

Page 34:

Page 35:

Mask i Navigator options

Page 36:

Users can only see Basic Operations

Page 37:

i Navigator view – non-*ALLOBJ user

Page 38:

Customize access

Page 39:

Customize access – con’t

Page 40:

Access customized

Page 41:

Copy customization

Page 42:

Copy customization – con’t

Page 43:

Masking i Access features

Page 44:

Controlling IBM i functions

Page 45:

Allow users with *JOBCTL to view *ALLOBJ joblogs

Page 46:

Controlling network access

Hint: TOOLBOX APPLICATION SERVER ACCESS = ODBC and JDBC

Page 47:

Controlling ODBC / JDBC

Available in V7R1 and PTFed to V6R1

Page 48:

App Admin in Navigator for i

Page 49:

Audit entry - GR

Once the App Admin configuration has been changed, GR audit journal entries will be generated.

• *CHKUSAGE: function usage was checked for a user and the check passed
• *USAGEFAILURE: function usage was checked for a user and the check failed

Page 50:

WRKFCNUSG

Page 51:

Function Usage APIs

Add function checks to your own applications

http://publib.boulder.ibm.com/eserver/ibmi.html
APIs -> Security -> User function registration APIs

Page 52:

Questions?

www.helpsystems.com

www.helpsystems.com/professional-security-services

800-328-1000 | [email protected]

Page 53:

Thank you for joining me!

HOST & PRESENTER: Carol Woodbury

VP of Global Security Services