Gotcha! User Profiles with Limited Capability

IBM i (OS/400, i5/OS)
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

There is a serious security risk that, as far as I can see, is not documented in the Security Concepts and Planning manual, regarding the LMTCPB(*YES) setting - that is, limiting the capabilities of users.

When LMTCPB(*YES) is specified for a user profile, the user will not be able to execute any OS/400 commands manually except for the following five:

Display Message (DSPMSG) Send Message (SNDMSG) Sign Off (SIGNOFF) Display Job (DSPJOB) Display Job Log (DSPJOBLOG)

To accomplish this, IBM has apparently placed some code in the standard menu driver program so that only these five commands are acceptable. Unfortunately, they forgot to do the same in the Command Entry screen (program QSYS/QCMD) - even if the user has limited capabilities, he or she will be able to run any OS/400 command provided that authority has not been specifically revoked.

So, do not set QCMD/QSYS as the attention-key handling program on users that should have limited capabilities, or your entire security system could be breached. Do not call this program from any other programs that may be executed by limited-capability users, either. Ignoring this warning could result in users deleting database files or entire libraries from the Command Entry program!

- Ernie Malaga