26
Fri, Apr
1 New Articles
  1. You are here:  
  2. Home
  3. Security
  4. IBM i (OS/400, i5/OS)
  5. Watch Out for *LIBCRTAUT

Watch Out for *LIBCRTAUT

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Left to its own devices, your AS/400 may be giving users too much authority.

Whether you know it or not, you make use of the special value *LIBCRTAUT every time you create an object. *LIBCRTAUT is the default public authority assigned to an object at creation time. It is based on parameters specified when the library is created. As a result, you may be giving the public more authority to an object than you intend. The command prompter doesn't reveal *LIBCRTAUT for create commands under normal circumstances. But it's there if you press F10 and look at the AUT parameter.

Since the AUT parameter doesn't show up unless you press F10, you may have concluded that the *LIBCRTAUT value given as default is adequate in all cases. This may be true, but only if you understand precisely what you are giving away.

Library Security

In the early days of OS/400, you had to specify the public authority for an object at the time the object was created. For instance, when you compiled a program object, the AUT parameter of the CRTxxxPGM command would have a value such as *USE. This meant that the program being created had a public authority of *USE (all users would be allowed to run the program unless they were specifically excluded). For more information about public authority, see "Organizing Users with Group Profiles," MC, April 1993.

Recently, OS/400 added an attribute to the *LIB (library) object type, which specifies the default authority to give the public when an object is created in the library. This is the attribute which determines the authority given by *LIBCRTAUT. In turn, it is controlled by the CRTAUT (create authority) parameter of the Create Library (CRTLIB) or Change Library (CHGLIB) commands.

In other words, if you create or change library MYLIB and specify CRTAUT(*USE), all objects created from then on within MYLIB will have a default public authority of *USE, allowing users to read its files and run its programs and commands.

1 depicts the process of assigning public authority to a CL program at the moment of creation using the default. As you can see, special value *LIBCRTAUT is responsible for assigning *CHANGE authority to the public.

Figure 1 depicts the process of assigning public authority to a CL program at the moment of creation using the default. As you can see, special value *LIBCRTAUT is responsible for assigning *CHANGE authority to the public.

Overriding Library Security

A security scheme as simple as that would be too inflexible, however. Imagine if you were forced to give the same public authority to all objects in a library-it would create quite a nightmare. Therefore, each CRTxxx command contains an AUT (authority) parameter where you can specify the public authority for the object being created.

This parameter defaults to *LIBCRTAUT (wouldn't you know it), meaning that, unless you override it, the newly created object will have the public authority specified at the library level. You can, of course, override it with other values such as *ALL or *CHANGE-or even an authorization list name.

System Value QCRTAUT

It seems, therefore, that all depends on the value of the CRTAUT parameter during library creation or change. This parameter has a default value: *SYSVAL. When CRTAUT(*SYSVAL) is specified in the library, the value for the CRTAUT is obtained from system value QCRTAUT. As IBM ships AS/400s, QCRTAUT has a value of *CHANGE.

You can check the value of QCRTAUT with the Display System Value (DSPSYSVAL) command or by selecting option 5 from the panel presented by the Work with System Values (WRKSYSVAL) command. You can then change its value with the Change System Value (CHGSYSVAL) command or by selecting option 2 from WRKSYSVAL.

Implications

Let's pause for a minute to recap what you've learned. System value QCRTAUT has a value of *CHANGE (unless you've changed it). When you created library MYLIB, the CRTAUT parameter had a default value of *SYSVAL. This means that the objects you create in MYLIB will have a public authority of *CHANGE unless you specify otherwise.

You may have been creating hundreds of objects in your libraries, giving all users *CHANGE authority without knowing it. If you create a file, *CHANGE gives the public (any user) sufficient authority to add, change or delete records, read the file and open it with any program, Query program, or SQL. If you create a program, *CHANGE is enough to run the program. Ditto commands. Is this what you want?

Probably not. That's why it's so important to understand the meaning of *LIBCRTAUT-you may have created a security risk without knowing it.

Fixing the Mess-If You Have One

If you find that you have a problem on your hands, take heart. The remedy is pretty simple, although tedious. You have to use two commands. First, the Revoke Object Authority (RVKOBJAUT) command removes the current public authority from the objects. This gives *EXCLUDE authority to the public. Then, the Grant Object Authority (GRTOBJAUT) command gives the public the authority you want.

For example, if all files in library MYLIB have been created (through *LIBCRTAUT) with a public authority of *CHANGE and you want to change it to *USE, you would run the following commands:

 RVKOBJAUT OBJ(MYLIB/*ALL) + OBJTYPE(*FILE) + USER(*PUBLIC) + AUT(*CHANGE) GRTOBJAUT OBJ(MYLIB/*ALL) + OBJTYPE(*FILE) + USER(*PUBLIC) + AUT(*USE)

Last But Not Least

You should also know that changing a library's CRTAUT attribute does not change the public authority of any of its existing objects. Once an object is created within the library, its public authority is fixed. If you later change the library's CRTAUT attribute, the change is effective only for objects you create afterwards.

Similarly, changing system value QCRTAUT doesn't change the public authority for any objects created in a library, even if the library has CRTAUT(*SYSVAL) specified. Again, the objects already have a public authority which won't automatically reflect changes made to QCRTAUT.

I hope I have succeeded in showing you the importance of *LIBCRT-AUT and why you should always mind it. Keeping a secure system is important, and OS/400 gives you the tools you need to do it. It's then up to you to use them correctly.

Ernie Malaga is a senior technical editor at Midrange Computing.

Watch Out for *LIBCRTAUT

Figure 1 How the System Uses *LIBCRTAUT

 ------------------------ ---------------- ||CRTCLPGM AUT(*LIBCRTAUT)|| --> ||Public Authori ------------------------ || || = *CHANGE || || ||-------------- || || || || || || V || || ---------------- || || New CL ||CRTAUT + *CHANGE||------------ || Program ||----------------|| || || || || || Library || -------------- || Definition ----------------
BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$0.00 Raised:
$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: