85 lines
5.5 KiB
HTML
85 lines
5.5 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<!DOCTYPE html
|
||
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
<html lang="en-us" xml:lang="en-us">
|
||
<head>
|
||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
<meta name="security" content="public" />
|
||
<meta name="Robots" content="index,follow" />
|
||
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
<meta name="DC.Type" content="concept" />
|
||
<meta name="DC.Title" content="Prevent new programs from using adopted authority" />
|
||
<meta name="abstract" content="The passing of adopted authority to programs located later in the stack provides an opportunity for a knowledgeable programmer to create a Trojan horse program." />
|
||
<meta name="description" content="The passing of adopted authority to programs located later in the stack provides an opportunity for a knowledgeable programmer to create a Trojan horse program." />
|
||
<meta name="DC.Relation" scheme="URI" content="rzamvdevelopintrusiondetectstrat.htm" />
|
||
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
||
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
||
<meta name="DC.Format" content="XHTML" />
|
||
<meta name="DC.Identifier" content="preventadoptedauthuse" />
|
||
<meta name="DC.Language" content="en-us" />
|
||
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
<!-- US Government Users Restricted Rights -->
|
||
<!-- Use, duplication or disclosure restricted by -->
|
||
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
<title>Prevent new programs from using adopted authority</title>
|
||
</head>
|
||
<body id="preventadoptedauthuse"><a name="preventadoptedauthuse"><!-- --></a>
|
||
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
<h1 class="topictitle1">Prevent new programs from using adopted authority</h1>
|
||
<div><p>The passing of adopted authority to programs located later in the
|
||
stack provides an opportunity for a knowledgeable programmer to create a Trojan
|
||
horse program.</p>
|
||
<p>The Trojan horse program can rely on previous programs in the stack to
|
||
get the authority that it needs to perform mischief. To prevent this, you
|
||
can limit which users are allowed to create programs that use the adopted
|
||
authority of previous programs. </p>
|
||
<p>When you create a new program, the system automatically sets the USEADPAUT
|
||
parameter to *YES. If you do not want the program to inherit adopted authority,
|
||
you must use the Change Program (CHGPGM) command or the Change Service Program
|
||
(CHGSRVPGM) to set the USEADPAUT parameter to *NO. </p>
|
||
<p>You can use an authorization list and the use adopted authority (QUSEADPAUT)
|
||
system value to control who can create programs that inherit adopted authority.
|
||
When you specify an authorization list name in the QUSEADPAUT system value,
|
||
the system uses this authorization list to determine how to create new programs. </p>
|
||
<p>When a user creates a program or service program, the system checks the
|
||
user’s authority to the authorization list. If the user has *USE authority,
|
||
the USEADPAUT parameter for the new program is set to *YES. If the user does
|
||
not have *USE authority, the USEADPAUT parameter is set to *NO. The user’s
|
||
authority to the authorization list cannot come from adopted authority. </p>
|
||
<div class="p">The authorization list that you specify in the QUSEADPAUT system value
|
||
also controls whether a user can use a CHGxxx command to set the USEADPAUT
|
||
value for a program or a service program. <div class="note"><span class="notetitle">Note:</span> <ol><li>You do not need to call your authorization list QUESADPAUT. You can create
|
||
an authority list with a different name. Then specify that authorization list
|
||
for the QUSEADPAUT system value. In the commands in this example, substitute
|
||
the name of your authorization list. </li>
|
||
<li>The QUSEADPAUT system value does not affect existing programs on your
|
||
system. Use the CGHPGM command or the CHGSRVPGM command to set the USEADPAUT
|
||
parameter for existing programs.</li>
|
||
</ol>
|
||
</div>
|
||
</div>
|
||
<div class="p"> In a More Restrictive Environment: If you want most users to create new
|
||
programs with the USEADPAUT parameter set to *NO, do the following: <ol><li>1. To set the public authority for the authorization list to *EXCLUDE,
|
||
type the following: CHGAUTLE AUTL(QUSEADPAUT) USER(*PUBLIC) AUT(*EXCLUDE) </li>
|
||
<li>2. To set up specific users to create programs that use the adopted authority
|
||
of previous programs, type the following: ADDAUTLE AUTL(QUSEADPAUT) USER(user-name)
|
||
AUT(*USE) </li>
|
||
</ol>
|
||
</div>
|
||
<div class="p">In a Less Restrictive Environment: If you want most users
|
||
to create new programs with the USEADPAUT parameter set to *YES, do the following: <ol><li>1. Leave the public authority for the authorization list set to *USE.</li>
|
||
<li> 2. To prevent specific users from creating programs that use the adopted
|
||
authority of previous programs, type the following: ADDAUTLE AUTL(QUSEADPAUT)
|
||
USER(user-name) AUT(*EXCLUDE)</li>
|
||
</ol>
|
||
</div>
|
||
</div>
|
||
<div>
|
||
<div class="familylinks">
|
||
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvdevelopintrusiondetectstrat.htm" title="The following information is a collection of tips to help you detect potential security exposures.">Prevent and detect security exposures</a></div>
|
||
</div>
|
||
</div>
|
||
</body>
|
||
</html> |