[Info-vax] Restrict the use of SUBMIT/USER= to one particular user.
Paul Sture
nospam at sture.ch
Tue Nov 8 05:39:58 EST 2016
On 2016-11-08, Roy Omond <roy at omond.net> wrote:
> On 08/11/16 09:02, Joe wrote:
>> On Monday, November 7, 2016 at 3:13:25 PM UTC+1, Bob Gezelter wrote:
>>> Joe,
>>>
>>> Create a separate image that does the actual SUBMIT. That image is
>>> installed with the CMKRNL privilege.
>>>
>>> Thus, when the user invokes that image, they are able to do the
>>> SUBMIT/USER, but not otherwise. When I did this a while back for a
>>> client, I also imposed the requirement that the privileged program
>>> checked to see if the user held a Rights Identifier related to the
>>> Username that was being submitted. For additional security, protect
>>> the privileged image so that the User cannot even access it unless
>>> they hold a specific Rights Identifier.
>>>
>>> That protection scheme should satisfy most auditors.
>>>
>>> - Bob Gezelter, http://www.rlgsc.com
>>
>> Many Thanks Bob and everyone for your inputs.
>> I will try to create an image and install it with CMKRNL and then
>> protect it with ACLs.
>
> A quick-n-easy way to start would be to copy SUBMIT.EXE to, say,
> XUBMIT.EXE, and add a suitable entry (use VERB to get the current SUBMIT
> command language definition, and edit accordingly) to
> DCLTABLES. Appropriate security settings can then be added to
> the image file (e.g. AUDIT entries for successful access etc. etc.)
>
I like that one. It does need to be documented well and in an obvious
place, or a few years down the line we get into "We've lost the sources
to XUBMIT.EXE".
--
Everyday life is increasingly complex. Picking up the phone and
dialling a number became finding the phone, swiping sideways,
entering a password, opening the phone app, selecting the dialpad,
dialling and then hitting send. -- Trevor Pott
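
The protection steps discussed in this thread, sketched as a DCL command procedure. This is an added example, not code from any of the posters; the identifier name XUBMIT_USER, the account JOE and the location SYS$SYSTEM:XUBMIT.EXE are assumptions made for illustration.

```dcl
$! Added example. XUBMIT_USER and JOE are hypothetical names, and the
$! image is assumed to live in SYS$SYSTEM. Run from a privileged account.
$!
$! 1. Create the rights identifier and grant it to the one permitted user.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD/IDENTIFIER XUBMIT_USER
GRANT/IDENTIFIER XUBMIT_USER JOE
EXIT
$!
$! 2. Remove group and world access from the image file, then let only
$!    holders of XUBMIT_USER execute it. The second ACE denies everyone
$!    else, whatever the protection mask says.
$ SET SECURITY /CLASS=FILE -
      /PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) -
      /ACL=((IDENTIFIER=XUBMIT_USER,ACCESS=EXECUTE), -
            (IDENTIFIER=*,ACCESS=NONE)) -
      SYS$SYSTEM:XUBMIT.EXE
$!
$! 3. Add an audit ACE so that successful and failed execute access is
$!    written to the security audit log, and make sure ACL events are
$!    enabled for auditing.
$ SET SECURITY /CLASS=FILE -
      /ACL=(AUDIT=SECURITY,ACCESS=EXECUTE+SUCCESS+FAILURE) -
      SYS$SYSTEM:XUBMIT.EXE
$ SET AUDIT /AUDIT /ENABLE=ACL
$!
$! 4. Install the image with the single privilege it needs.
$ INSTALL ADD SYS$SYSTEM:XUBMIT.EXE /PRIVILEGED=(CMKRNL)
$!
$! 5. Review the result: ACL and protection on the file, and the
$!    privileges recorded in the known-image entry.
$ SHOW SECURITY /CLASS=FILE SYS$SYSTEM:XUBMIT.EXE
$ INSTALL LIST SYS$SYSTEM:XUBMIT.EXE /FULL
```

An INSTALL ADD entry does not survive a reboot, so step 4 also belongs in the site startup procedure; keeping this command file next to the startup files gives the documentation trail asked for above.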