Security Patrol

IBM i (OS/400, i5/OS)
In This Edition:

  • Disable Qxxxxx User Profiles?

  • Using Swap Profile API QWTSETP

  • Silent STRCPYSCN?

  • Command Access

Disable Qxxxxx User Profiles?
Q: We have noticed that we have a bunch of "Q" user profiles on our systems. We would like to know which would be the ones that it might be OK to disable.

A: I would not disable any of the IBM profiles that come shipped with OS/400, but not every "Q" profile is guaranteed to be an IBM profile. Here is a method of determining which are legitimate.

First, look in the OS/400 Security Reference Manual, V4R4 (SC41-5302-03, QB3ALC03). Appendix B has a list of all the user profiles that IBM ships with OS/400. Not every profile listed in the manual will be on your system, since that depends on which Licensed Program Products (LPPs) you have installed, but this is a good starting point.

Second, view all of the Q* user profiles on your system using the Work with User Profiles (WRKUSRPRF Q*) command. Review this list and compare it to the user profiles that are listed in Appendix B. On my V5R1 system, I have 44 IBM profiles that were loaded when I installed the operating system (See Figure 1.)

Profile      Description
QAUTPROF     IBM-supplied User Profile
QBRMS        IBM-supplied User Profile
QCLUMGT      IBM-supplied User Profile
QCLUSTER     IBM-supplied User Profile
QCOLSRV      IBM-supplied User Profile
QDBSHR       Internal Data Base User Profile
QDBSHRDO     Internal Data Base User Profile
QDFTOWN      Default Owner for System Objects
QDIRSRV      OS/400 Directory Services Server User Profile
QDLFM        IBM-supplied User Profile
QDOC         Internal Document User Profile
QDSNX        IBM-supplied User Profile
QEJB         IBM-supplied User Profile
QFNC         IBM-supplied User Profile
QGATE        IBM-supplied User Profile
QIPP         IBM-supplied User Profile
QLPAUTO      IBM-supplied User Profile
QLPINSTALL   IBM-supplied User Profile
QMSF         Mail Server Framework Profile
QNETSPLF     Internal Spool Network Profile
QNETWARE     QFPNTWE User Profile
QNFSANON     IBM-supplied User Profile
QNTP         IBM-supplied User Profile
QPGMR        Programmer and Batch User
QPM400       IBM-supplied User Profile
QRJE         IBM-supplied User Profile
QSECOFR      Security Officer
QSNADS       IBM-supplied User Profile
QSPL         Internal Spool User Profile
QSPLJOB      Internal Spool User Profile
QSRV         Service User Profile
QSRVBAS      Basic Service User Profile
QSYS         Internal System User Profile
QSYSOPR      System Operator
QTCM         IBM-supplied User Profile
QTCP         Internal TCP/IP User Profile
QTFTP        IBM-supplied User Profile
QTMHHTP1     HTTP Server CGI User Profile
QTMHHTTP     HTTP Server User Profile
QTMPLPD      Allow Remote LPR Requesters
QTMTWSG      5250 HTML Workstation Gateway Profile
QTSTRQS      Test Request User Profile
QUSER        Work Station User
QYPSJSVR     IBM-supplied User Profile

Figure 1: Numerous IBM profiles are shipped with V5R1.

Third, to verify the results of the earlier steps, you can do a Display Object Description (DSPOBJD) on each of these profiles to see when and where it was created. If the profile object was created on system "00000000" by user *IBM, it's a pretty good bet that it is a legitimate IBM user profile. On my V5R1 system, only three user profiles didn't fit this description: QNETWARE, QTMPLPD, and QTMTWSG. However, all three of these profiles were created on my system by the user QLPINSTALL, and their creation times matched the date and time that my V5R1 operating system was installed.

I wouldn't recommend that you disable any IBM profiles. A better idea would be to simply set their passwords to *NONE so that these profiles do not have the ability to sign on. When you attempt to change the passwords, you will find that only 11 of the 44 profiles listed in Figure 1 will actually allow you to change them. Those profiles are listed below:

  • QBRMS
  • QEJB
  • QNETWARE
  • QPGMR
  • QRJE
  • QSECOFR
  • QSRV
  • QSRVBAS
  • QSYSOPR
  • QTMHHTTP
  • QTMPLPD
  • QTMTWSG
  • QUSER

Of the profiles listed, only QSECOFR is shipped with an active password (QSECOFR). All other profiles are shipped from the factory with a password of *NONE. The truly paranoid among us might change all of these profiles to a password of *NONE (except QSECOFR, since you'll need that one), but this would only be necessary if you were concerned that some of these profiles had been tampered with.
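The third step above can be automated for every Q* profile at once. The CL program below is an added example, not code from the column: it runs DSPOBJD for all Q* user profiles into an outfile and reports each profile whose creation record is not "system 00000000, user *IBM", together with who created it and when, so the timestamp can be checked against the OS or LPP installation date as the answer does for QNETWARE, QTMPLPD and QTMTWSG. The outfile field names (ODOBNM, ODCRTU, ODCRTS, ODCDAT, ODCTIM) are assumed to be those of the QADSPOBJ model file; the program name and the QTEMP outfile name are made up for the example.

```cl
/* CHKQPRF: report Q* user profiles whose creation record does not  */
/* match the IBM pattern (created on system 00000000 by user *IBM).  */
/* Added example; program and outfile names are made up for it.      */
PGM
   DCLF       FILE(QSYS/QADSPOBJ)   /* model file for the DSPOBJD outfile */
   DCL        VAR(&FLAGGED)  TYPE(*DEC)  LEN(5 0) VALUE(0)
   DCL        VAR(&FLAGGEDC) TYPE(*CHAR) LEN(5)

   /* One DSPOBJD with full detail for every Q* profile, into QTEMP */
   DSPOBJD    OBJ(QSYS/Q*) OBJTYPE(*USRPRF) DETAIL(*FULL) +
                OUTPUT(*OUTFILE) OUTFILE(QTEMP/QPRFLIST)
   OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/QPRFLIST)

READ:       RCVF
   MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* end of file */

   /* ODCRTS is the system the object was created on, ODCRTU the */
   /* creating user. The IBM pair needs no further attention.    */
   IF         COND(&ODCRTS *EQ '00000000' *AND &ODCRTU *EQ '*IBM') +
                THEN(GOTO CMDLBL(READ))

   /* Anything else is reported with creator and creation timestamp */
   CHGVAR     VAR(&FLAGGED) VALUE(&FLAGGED + 1)
   SNDPGMMSG  MSG('Review ' *CAT &ODOBNM *TCAT ': created by ' *CAT +
                  &ODCRTU *TCAT ' on system ' *CAT &ODCRTS *TCAT +
                  ' at ' *CAT &ODCDAT *BCAT &ODCTIM) MSGTYPE(*INFO)
   GOTO       CMDLBL(READ)

DONE:       DLTOVR FILE(QADSPOBJ)
   CHGVAR     VAR(&FLAGGEDC) VALUE(&FLAGGED)
   SNDPGMMSG  MSG('Q* profiles needing manual review: ' *CAT &FLAGGEDC) +
                MSGTYPE(*COMP)
ENDPGM
```

Compile it with CRTCLPGM and call it with no parameters. A profile it reports is not necessarily rogue: a legitimate LPP profile created by QLPINSTALL at install time will be reported too, so each reported profile still needs the manual comparison against Appendix B and your installation history before anything is done with it.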

Using Swap Profile API QWTSETP

Q: On my system there are many instances of the prestart job named QZDASOINIT. My understanding of this job is that it sits and waits for an incoming ODBC request, and then it swaps the authority of the job from the current user (QUSER) to the user who is requesting data. Only then is the query executed and the data request served. After the data request completes, the QZDASOINIT job waits for another data request, which could come from the same user or some other user of the system. Therefore, one QZDASOINIT job could service numerous users throughout the course of the day.

I am using the QSYGETPH and QWTSETP APIs to retrieve a profile handle and swap active users. I understand that the profile handle is temporary and can be used only in the job that created it. But when I create a user profile handle to swap to, how will I know which user I have created a handle for? Also, will the profile handle expire when the servicing user xxxxxxx job is ended, or will the profile handle stay active until the QZDASOINIT job is ended?

I plan to use Release Profile Handle API (QSYRLSPH) at the end of the routine, but I am concerned about what may happen if a job ends abnormally or if the user turns the PC off.

A: When you call the QSYGETPH API, you must supply the name of a user profile that you want to swap to. So the answer to the question of which user the profile handle will be generated for depends on which user profile name you feed into the API. You have a couple of choices as to which user profile you request. When your program prepares to swap, it will probably want to look at the current job to determine who to swap to. You should look at the parameter for current user rather than the traditional user parameter. The current user parameter was added to the job information structure specifically so that you can distinguish between the user profile that the job started under (the traditional user parameter) and the user profile the job is currently running under (current user). After swapping profiles with the QWTSETP API, the profile that you have swapped to becomes the current user.

You'll notice that the IBM portion of the QZDASOINIT jobs does some swapping of its own. When this job starts, it is running under the profile QUSER. If you were to watch the audit journal for these ODBC jobs, you would notice that, as soon as they start, the QZDASOINIT job swaps from user QUSER (the default IBM user for QZDASOINIT jobs) to the user who made the ODBC request. After this swap is done, the exit program is called and you have the opportunity to swap yet again to a profile of your own choosing.

But I have a couple of words of caution. First, the QSYRLSPH API does not undo the swapping. It just releases the profile handle and invalidates it for future use (which is a good thing), but the user profile that was set by the QWTSETP API is still the active user. In order to clean up after yourself and not leave inappropriate levels of authority lying around, you'll have to use the QSYGETPH and QWTSETP APIs to swap back to the original user at some point.

This brings me to the second concern. Your exit program will only be called on the way into the ODBC request, not on the way back out. Unless specifically noted to the contrary, an exit program is called at the beginning of a process only. When the exit program completes, control is returned to the IBM process and your exit program is completely out of the picture. This means that once you have swapped to an alternate user, you will not be given an opportunity to swap back until the next time the exit program is called. In this example, your exit program would not get called again until the next ODBC request was routed through this particular occurrence of the QZDASOINIT job. To prevent subsequent users from running under the authority of the previous user, instruct your exit program to always save and swap back to its original user when the program is first activated. This will clean up any old authorities that may have been lying around and gives you a clean start with each call.
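The swap-and-restore discipline the answer describes, written out as a CL program. This is an added example, not code from the column or from IBM. It takes the profile to run under and the program to call as parameters (both are whatever the caller passes in) and assumes the job holds *USE authority to both profiles, which the *NOPWD form of QSYGETPH requires. It makes the first caution concrete: QSYRLSPH only invalidates a handle, so the way back is a second QWTSETP with a handle obtained for the current user before the first swap. In an ODBC exit program, which is never called on the way out, the restore half would run at the next entry instead, as the answer recommends.

```cl
/* RUNASPRF: run one program under another profile and swap back.     */
/* Added example; not the column's or IBM's code.                      */
PGM        PARM(&ALTUSR &WRKPGM)
   DCL        VAR(&ALTUSR)  TYPE(*CHAR) LEN(10)   /* profile to run under */
   DCL        VAR(&WRKPGM)  TYPE(*CHAR) LEN(10)   /* program to run as it  */
   DCL        VAR(&CURUSR)  TYPE(*CHAR) LEN(10)
   DCL        VAR(&CURHDL)  TYPE(*CHAR) LEN(12)   /* handle: user we started as */
   DCL        VAR(&ALTHDL)  TYPE(*CHAR) LEN(12)   /* handle: user we swap to    */
   /* Bytes provided = 0, so API failures arrive as escape messages */
   DCL        VAR(&ERRCODE) TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000')

   /* CURUSER, not USER: after any earlier QWTSETP the two differ, */
   /* and it is the current user that this program must return to. */
   RTVJOBA    CURUSER(&CURUSR)

   /* Take the handle for the way back BEFORE swapping, so it exists */
   /* even if the alternate profile is disabled later in the day.   */
   CALL       PGM(QSYS/QSYGETPH) PARM(&CURUSR '*NOPWD' &CURHDL &ERRCODE)

   CALL       PGM(QSYS/QSYGETPH) PARM(&ALTUSR '*NOPWD' &ALTHDL &ERRCODE)
   MONMSG     MSGID(CPF0000) EXEC(DO)
      /* Fail closed: no swap happened, so only the unused handle is released */
      CALL       PGM(QSYS/QSYRLSPH) PARM(&CURHDL &ERRCODE)
      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                   MSGDTA('No profile handle for ' *CAT &ALTUSR)
   ENDDO

   /* From here the job's current user is &ALTUSR */
   CALL       PGM(QSYS/QWTSETP) PARM(&ALTHDL &ERRCODE)
   CALL       PGM(&WRKPGM)
   MONMSG     MSGID(CPF0000)   /* fall through: the swap back runs regardless */

   /* Releasing &ALTHDL would NOT change the current user back. Only   */
   /* another QWTSETP does that, which is why &CURHDL was taken above. */
   CALL       PGM(QSYS/QWTSETP) PARM(&CURHDL &ERRCODE)
   CALL       PGM(QSYS/QSYRLSPH) PARM(&ALTHDL &ERRCODE)
   CALL       PGM(QSYS/QSYRLSPH) PARM(&CURHDL &ERRCODE)
ENDPGM
```

Because the handles are job-scoped, the QZDASOINIT question in the post answers itself: a handle lives until it is released or the job ends, not until the PC user goes away, which is one more reason to release both handles here rather than leave them lying around in a long-running server job.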

Silent STRCPYSCN?
Q: I'm trying to conduct a subtle investigation into what a certain high-powered profile is being used for. A lot of the functions performed under this profile involve high-level functions that are hard to distill from the job log. Instead, I would like to perform a Start Copy Screen (STRCPYSCN) on this user's profile. I don't want the user to know this is happening. The problem is that STRCPYSCN sends a break message to the workstation message queue asking for permission to begin the copy screen.

A: Have you considered using user profile auditing to track this user's actions? User profile auditing is easy to set up and will track this user's access to files and programs as you dictate. It has the added benefit of being asynchronous so that you don't have to "catch" anyone in the act; you can just review the logs at a later date. This makes it more comprehensive than STRCPYSCN because it is on duty 24 hours a day.

User profile auditing will also write its details to the IBM Security Auditing Journal (QAUDJRN), so if there is a dispute about what was (or was not) done, the journal can be referenced to get an accurate version of history. The great thing about journals on the iSeries is that they don't lie. They're a write-only object whose contents cannot be modified by users or security officers. If you saw illicit activity during a STRCPYSCN session, it could be your word against theirs. If you've got journal entries that demonstrate that activity, then you have some pretty solid evidence. Just a word of caution though: If you suspect someone of criminal fraud, you should consult a security forensics expert to capture data that may be needed later as evidence.

Command Access
Q: I'd like to know what commands users can execute if their profile parameter for Limited Capability (LMTCPB) is set to *YES. Is there any way to get a list of all of these commands on my system?

A: Limited Capability *YES is designed to restrict a user's ability to execute most commands at an OS/400 command line. By default, most IBM commands are restricted from access by a limited capability user. This limitation is recorded in the command object itself and not through the traditional object authorities that appear on every OS/400 object. If you execute a Display Command (DSPCMD) command for the Work with Active Job (WRKACTJOB) command, you'll see that the parameter for Allow Limited Users (ALWLMTUSR) is set to *NO. This means that a limited capability user is not allowed to execute this command. Contrast that with the Sign Off (SIGNOFF) command, and you'll see that the ALWLMTUSR parameter is set to *YES. (This makes sense; you always want a user to be able to sign off.)

Below I've listed the eight IBM commands that come shipped with the Allow Limited Users (ALWLMTUSR) parameter set to *YES:

  • DSPJOBLOG
  • DSPMSG
  • SIGNOFF
  • SNDMSG
  • STRPCO
  • WRKENVVAR
  • WRKMSG
  • DSPJOB

This may not be the complete list of commands allowed to these users, because you (or your third-party application vendors) may have created additional commands that allow limited capability users to execute them.

A word of caution on the LMTCPB parameter, however: As I wrote in the Midrange Computing December 2000 "Security Patrol" column, the LMTCPB parameter is not honored by DDM and Client Access remote commands and therefore cannot be solely relied on to prevent users from entering commands on your system. Refer to the December issue for more information.

John Earl is chief technology officer for the PowerTech Group in Kent, Washington. If you've got a security question or problem, email it to John.

References and Related Materials
OS/400 Security Reference Manual, V4R4 (SC41-5302-03, QB3ALC03)
