Exit Programs and Swapping Group Profile..Help

Claris,

>I?m changing our security, all production data files will have *PUBLIC authority of *USE. Green Screen application will have access to the data by using the adopt authority.<<

By giving the production data files public *USE authority you are letting everyone access that data. This may not be your intention. If it is then the adopted authority will only be needed to update the data.

>We are using a PowerBuilder application to update files on the AS400 (V4R2). I would like to swap the group profile at the same time that the Server changes user Quser to the *current user. Can I do this??? Can I use an exit program to do this???? What Exit Point should I use??? <<

I have no experience with PowerBuilder but have lots of experience with the swap user profile APIs. When an application, such as PowerBuilder, swaps a user profile they swap both the user profile and all of its group profiles. Therefore you do not need to swap the group profiles.

>What happens if the job ends abnornally?? Will the handle be released???<<

Yes, the all profile handles are released when the job ends. Ed Fishel

Exit Programs and Swapping Group Profile..Help

Anyone can see the data and/or copy the data. I want to control the adding and changing of Data. I have a "SUPER" user which owns the data, this user will be the adopted authority. Since Server-type(Database using ODBC) jobs don't support adopt authority, I want to change the user's group profile to the "Super" user while they are running this application.

Exit Programs and Swapping Group Profile..Help

Starting in V4R5 (or possibly V4R4) a set of new APIs like qsysetegid()--Set Effective Group ID will allow you to swap just the group profile of a thread. This sounds like exactly what you are asking for, but to use any of these APIs for ODBC would require the use of an exit point in the ODBC job before any attempt to access the data. I do not know of any such exit point. Even if you found such an exit point you would probably need a second exit point to set the ODBC job back to its original state once the operation was complete for the user. (I suspect that ODBC jobs do not end but instead get reused for multiple ODBC requests and different users.) Ed Fishel

Exit Programs and Swapping Group Profile..Help

Claris, We've used this style of solution on other platforms so I'll toss it in as more a discussion point.

1. Define a specific Table for Application and User Switching.
2. Application prompts user for UserID and Password.
3. Application executes a stored procedure that will execute the switch. Pass in an Application ID to the stored procedure, have the stored procedure retrieve the current logged in ID and switch to the "super" profile defined in the table. (The switch should be a client based disconnect, and connect again using the retrieved application ID and password.)

This will block users from directly being able to update the data. Of course if they know what's happening under the covers they could use their own tools to do the same. However you can extend the verification function to have information encrypted, so the client application will decrypt. BTW Make sure you dont put this function into a DLL, otherwise some "smart" person will intercept. Again, take this as a suggestion I dont know how if there is anything the AS/400 does that makes this unworkable. HTH David

Exit Programs and Swapping Group Profile..Help

Ed & Claris, The qsysetegid api came out with version 4.5. On prior releases you can change the profile's group or supplemental group, swap, and reset the profile. You can make this safe against anything but pulling the plug between the change and reset. There are several exits for the IBM database server jobs where you can swap. You can find the exits by running wrkreginf. If you search on the exit point name in the info center documentation, you can find out when they are called. The server jobs are reused by default, you can change that by changing the prestart job attributes, but I wouldn't recommend it. If your exit always swaps or rejects requests, the biggest exposure I can come up with would be someone servicing the database server job and using debug? to do something evil. That evil person would have to have authority to the profile running the job or *SERVICE special authority. David Morris

Exit Programs and Swapping Group Profile..Help

David, I am aware of the trick to temporarily provide more authority by changing the current users profile to add a powerful group profile, swapping to the same current user again to make use of that authority, and then changing the current user profile back to what is was before. I do not recommend this solution because it can be unsafe. One problem is that if that same user happens to sign-on while their user profile is still set to use a powerful group profile then they will have all that authority for the duration of their job. Also, if you use this trick in an interactive job you need to prevent the use of the attention key and the system request key or the user may be able to use the extra authority. Ed Fishel

Exit Programs and Swapping Group Profile..Help

We use Exit profiles to swap User (not group) profiles in our package. I don't like the group profile swap for the same reasons that Ed mentioned... especially the fact that a group swap could be inheireted by another process that signs on at just the wrong time. One of the tricks to swapping is to remember that the exit program only gains control of the process at the front end of the transaction... If you swap there, you have to remeber to unswap before you execute the next transaction. Because many of the servers that you'll be using are prestart jobs, it's a good idea to take a snapshot of the original User at JobStart, and then refresh that user every time you re-enter the program. (To tie these two thought together, if UserA signs on at 8:07am and you swap their group to GroupZ, and then UserB signs on to the application at 8:20am - this would be your first opportunity to remove the supplemental group profile from UserA's profile. Between 8:07 and 8:20am any other job that UserA signs on with will have the added authority of GroupZ.... probably not what you want). Feel free to email me with any specific questions that you have. jte MC Security Editor johnearl@400security.com

Exit Programs and Swapping Group Profile..Help

The following is the job log of my prestart job (343815/QUSER/QZDASOINIT), the third line --Servicing user profile LZIESKE-- must be using the Security API's to swap the profile from QUSER to LZIESKE. Job 343815/QUSER/QZDASOINIT started on 01/12/00 at 09:40:03 in subsystem QSERVER in QSYS. Job entered system on 01/12/00 at 09:40:03. Servicing user profile LZIESKE. 500 - RTVJOBA USER(&USERID) 600 - RTVJOBA CURUSER(&USERID) I want to use the same Security API to change the group profile. My CL program would adopt a profile which has *SECADM and *ALLOBJ authority. The program would 1. Retrieve the user profile LZIESKE and user group AGENT 2. Change User LZIESKE's group profile to be "SUPER" 3. Call the QSYGETPH to get a profile handle for Profile LZIESKE 4. Change User LZIESKE's group profile back to AGENT 5. Call QWTSETP to set the profile handle for this job. My thinking is .... >>> USER profile LZIESKE will have "SUPER" group profile for just seconds >>> The QSYGETPH API will create a profile handle for the user with the group of "SUPER", and this handle will be used only in the job where it was created. >>> The QWTSETP API changes the job to run under the user and group profile represented by the profile hangle. comments please

Exit Programs and Swapping Group Profile..Help

John, Because the authority is based on the profile at time of swap, the window can be as short as 8:07 to 8:07 + the time it takes to do a chgusrprf. Once you swap the profile the first thing you need to do is change the group back. With a lock and by registering an exit the opportunity to exploit this is reduced to pulling the plug during the milliseconds between the profile change and restore. A startup routine could further minimize the risk but is not necessary in most cases. David Morris

Exit Programs and Swapping Group Profile..Help

Ed, You have to eliminate the risk yourself. I understand the attention concern, but if the profile is limit capability that should not be a concern. The other of system request is a non-problem, the person still has to sign on, unless you have changed the message IDs to allow more than display job access. Swapping a profile is not much different than swapping the group. With a profile swap you are placed in a bind. With a direct profile swap, you are relagated to single level authorities, or a more complex authority scheme relying on private authorities. Adopted authority is a much better solution when you can use it, but triggers, server jobs, and the IFS all present roadblocks to adoption. David Morris

Exit Programs and Swapping Group Profile..Help

David, I agree with you, but the fact remains that the risk of using this trick can rarely be completely eliminated. If your user has perfect timing, and they press the system request key in that window when the powerful group profile is still attached to their user profile, they can use option 2 (ENDRQS) to exit your program before the group profile has been changed back. I point this out so that people that want to use this trick can better asses the risk. I do recommend that anyone using this trick in a release before V4R5 change to use an API that swaps just the group profile when they move to V4R5. Using the API removes the risk because the user profile is not changed. Ed Fishel

Exit Programs and Swapping Group Profile..Help

Ed, I do agree that the solutions offered for V4R5 are better, but you can easily prevent a user from having access cancel or register a cancel handler (I used this approach). There are many other things that need to be considered, but you can certainly reduce the risk to such a small window that I truly believe that pulling the plug is the only opening. This last opening can certainly be eliminated in a signon program. When adoption will not work and you cannot get to V4R5, you do not have many choices, and I believe that a single program that can be vigorously tested and checked is much less likely to expose your system than a complex system of private authorities, profile swaps, and selective adoption. David Morris

Exit Programs and Swapping Group Profile..Help

David/Ed/John, I am interested and would like to understand more. Generally we have a requirement to allow a single ODBC application to access the data. Can you explain how the technique of swapping is able to distinguish between the "authorised" ODBC program and some general ODBC program or ODBC tool that is being used ? I would really like to be able to simplify our environment, but the swapping concept, as I read it, seems to be at an access level (i.e. It applies to all ODBC access requests) I'd appreciate your comments David

Exit Programs and Swapping Group Profile..Help

David, With ODBC, you get several pieces of information that could be used to secure access. I remember identifying five, but right now all I can think of are four. Those are the user, IP address, SQL statement, and library list. I know from your prior posts that you are interested in the highest level of security. For that reason, you might want to strictly regulate all of these items and reject anything that does not meet your authorization criteria. Ideally you would limit data access to applications. With ODBC it is pretty much impossible. The closest you can come is to limit the SQL statements that can be run. For most AS/400 installations, it is probably not worth trying to code exits and parse SQL statements, commercial packages like PowerLock or PentaSafe, will likely be less expensive than custom development. If you can determine that a fixed statement, IP address, user, and library list fit your needs, then building exits and swapping can be used. Swapping the base profile will only give you one level of authority. By swapping both the base and group/supplemental group, you can get multiple levels of authority and identify the user. Our base profile has no authority, which makes swapping the group a necessity. David Morris