[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.
Kerry Main
kemain.nospam at gmail.com
Mon Nov 7 09:21:40 EST 2016
> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of abrsvc via Info-vax
> Sent: 07-Nov-16 8:50 AM
> To: info-vax at rbnsn.com
> Cc: abrsvc <dansabrservices at yahoo.com>
> Subject: Re: [Info-vax] Restrict the use of SUBMIT/USER= to one
> particular user.
>
> > Generically - From a security audit perspective, submitting
jobs
> using
> > a generic user account would likely fall into the same bad
> practice
> > category as allowing multiple users to log into a generic
> username
> > account.
> >
> >
> I would agree, but at least with using this account some of the
> "data" sent along can include the sending process ID. Also,
this
> batch job can log all of its activity. I would think that this
method
> is MUCH more secure than providing CMKRNL to just about all
> users.
>
> Dan
>
Granted - Submit/user does require CMKRL priv. and while less
secure, this approach is likely an easier workaround than
changing the existing job code.
Just to clarify - was CMKRNL required to execute the job itself
or simply to be able to execute the "submit/user" command?
If not required for the job itself, them imho, the better
approach would be to update the job logic.
Regards,
Kerry Main
Kerry dot main at starkgaming dot com
More information about the Info-vax
mailing list