Prevent new programs from using adopted authority

The passing of adopted authority to programs located later in the stack provides an opportunity for a knowledgeable programmer to create a Trojan horse program.

The Trojan horse program can rely on previous programs in the stack to get the authority that it needs to perform mischief. To prevent this, you can limit which users are allowed to create programs that use the adopted authority of previous programs.

When you create a new program, the system automatically sets the USEADPAUT parameter to *YES. If you do not want the program to inherit adopted authority, you must use the Change Program (CHGPGM) command or the Change Service Program (CHGSRVPGM) command to set the USEADPAUT parameter to *NO.

You can use an authorization list and the use adopted authority (QUSEADPAUT) system value to control who can create programs that inherit adopted authority. When you specify an authorization list name in the QUSEADPAUT system value, the system uses this authorization list to determine how to create new programs.

When a user creates a program or service program, the system checks the user’s authority to the authorization list. If the user has *USE authority, the USEADPAUT parameter for the new program is set to *YES. If the user does not have *USE authority, the USEADPAUT parameter is set to *NO. The user’s authority to the authorization list cannot come from adopted authority.

The authorization list that you specify in the QUSEADPAUT system value also controls whether a user can use a CHGxxx command to set the USEADPAUT value for a program or a service program.
Note:
  1. You do not need to call your authorization list QUSEADPAUT. You can create an authorization list with a different name. Then specify that authorization list for the QUSEADPAUT system value. In the commands in this example, substitute the name of your authorization list.
  2. The QUSEADPAUT system value does not affect existing programs on your system. Use the CHGPGM command or the CHGSRVPGM command to set the USEADPAUT parameter for existing programs.
In a More Restrictive Environment: If you want most users to create new programs with the USEADPAUT parameter set to *NO, do the following:
  1. To set the public authority for the authorization list to *EXCLUDE, type the following: CHGAUTLE AUTL(QUSEADPAUT) USER(*PUBLIC) AUT(*EXCLUDE)
  2. To set up specific users to create programs that use the adopted authority of previous programs, type the following: ADDAUTLE AUTL(QUSEADPAUT) USER(user-name) AUT(*USE)
In a Less Restrictive Environment: If you want most users to create new programs with the USEADPAUT parameter set to *YES, do the following:
  1. Leave the public authority for the authorization list set to *USE.
  2. To prevent specific users from creating programs that use the adopted authority of previous programs, type the following: ADDAUTLE AUTL(QUSEADPAUT) USER(user-name) AUT(*EXCLUDE)
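The following CL command sequence is an added example, not part of the original text, that carries the more restrictive setup through end to end: it creates the authorization list, points the QUSEADPAUT system value at it, grants one developer *USE, verifies the effect on a newly created program, and closes the gap left by existing programs. The list name MYADPAUT, the user APPDEV1, and the library and program names are placeholders you must replace with your own.

```cl
/* Create the authorization list with public authority *EXCLUDE, so that by   */
/* default no user can create programs with USEADPAUT(*YES). MYADPAUT is a    */
/* placeholder name; the list does not have to be called QUSEADPAUT.          */
CRTAUTL    AUTL(MYADPAUT) AUT(*EXCLUDE) +
             TEXT('Controls who can create programs that use adopted authority')

/* Make the system use this list when deciding the USEADPAUT value of new     */
/* programs and service programs.                                             */
CHGSYSVAL  SYSVAL(QUSEADPAUT) VALUE('MYADPAUT')

/* Grant *USE only to the users who are allowed to create programs that       */
/* inherit adopted authority. APPDEV1 is a placeholder user profile.          */
ADDAUTLE   AUTL(MYADPAUT) USER(APPDEV1) AUT(*USE)

/* Confirm the entries on the list: *PUBLIC should show *EXCLUDE.             */
DSPAUTL    AUTL(MYADPAUT)

/* Verify the result on a program created by a user who is not on the list:   */
/* the "Use adopted authority" field in the DSPPGM output should read *NO.    */
DSPPGM     PGM(MYLIB/NEWPGM) DETAIL(*BASIC)

/* The system value does not change programs that already exist, so existing  */
/* programs and service programs must be corrected individually.              */
CHGPGM     PGM(MYLIB/OLDPGM) USEADPAUT(*NO)
CHGSRVPGM  SRVPGM(MYLIB/OLDSRV) USEADPAUT(*NO)
```

Because a user's authority to the list cannot come from adopted authority, a program that adopts a privileged profile cannot be used to bypass this check when creating further programs.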