Hello Friends,

This is a continuation of my earlier post on “how to execute CL command from Windows”.

If you have read that post you should already know how RMTCMD works with AS400. But there are still a few security issues/violations possible with this method.

If I want to say it in one line: “using RMTCMD a user can run a CL command directly on the AS400 even if the user profile has Limit Capabilities = *YES, i.e. LMTCPB(*YES)”.
What is limit capabilities?

If a user profile is created with limit capabilities set to yes, then that profile will not be able to use most CL commands from the command line. When you try to execute a command you will get an error such as:

“Command CALL in library *LIBL not allowed”

Using this we can stop our user group from accessing unwanted/sensitive commands.

E.g.: If someone issues a DLTF command on a PF, this would probably delete the file from production.

But when we use the RMTCMD option to execute this command from Windows
Can we control which commands will be allowed for limited-capability users?

Yes, we can. Every CL command has an attribute “Allow limited user”.

If it is *NO then the command cannot be used from a limited-capability profile.

If it is *YES then the command can be used even if the profile has limited capabilities.

Note: as a system administrator, you can change any CL command that can be run from the command line so that limited users can also run it. This is done with CHGCMD.

E.g.: CHGCMD CMD(WRKJOB) ALWLMTUSR(*YES)

But rmtcmd.exe completely ignores the Limit Capabilities attribute of the user profile and therefore allows any user to run any command he or she is authorized to run.
How to control this?

We have to use user exit programs registered at exit points to control any unauthorized entries.

Exit Programs:

An exit point is simply a point in an application at which the application can optionally call an external program to perform customized processing. In other words, whenever RMTCMD is executed we can get the login details and validate them before the request gets processed. For this we need to add our exit program to the IBM exit point interface used by RMTCMD.

Once you have registered your exit program, whenever a user attempts to log on using RMTCMD, the server finds the program that is registered for the exit point, then calls your exit program, passing as parameters information about the user who is logging on. Your exit program then processes that information and takes the appropriate action, according to the security rules you implement in the exit program. Upon return, your exit program passes back a flag to either ACCEPT or REJECT the logon attempt.

Exit Points:

Each exit point has a name and an Exit Point Interface. The Exit Point Interface is the list of input and output parameters the IBM server program exchanges with your exit program.

The QIBM_QZRC_RMT exit point occurs immediately after a user enters a user ID and password to log on to the AS400 server using the RMTCMD command.
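To make the accept/reject decision concrete, here is an added example (not code from the original post) that models in Python the check an exit program registered on QIBM_QZRC_RMT could perform: re-apply the Limit Capabilities rule that rmtcmd.exe skips, so a LMTCPB(*YES) profile may only run commands whose “Allow limited user” attribute is *YES. A real exit program on the AS400 would be written in CL or RPG and read the server's parameter structure; the user/command parameters, the '1'/'0' flag convention, and the profile and command tables below are all assumptions constructed for this example.

```python
# Added example: Python model of the accept/reject logic for a QIBM_QZRC_RMT
# exit program.  The request is modelled as (user, command string); the profile
# and command attributes are constructed sample tables, not real system data.
import logging
from typing import Optional

log = logging.getLogger("rmtcmd_exit")

# Constructed sample data (assumption): user profile -> LMTCPB attribute.
USER_PROFILES = {
    "OPERATOR": "*NO",
    "CLERK": "*YES",
}

# Constructed sample data (assumption): command -> "Allow limited user"
# attribute (ALWLMTUSR), as set by CRTCMD/CHGCMD.
COMMAND_ATTRS = {
    "WRKJOB": "*YES",   # e.g. after CHGCMD CMD(WRKJOB) ALWLMTUSR(*YES)
    "DSPMSG": "*YES",
    "DLTF": "*NO",
    "CALL": "*NO",
}

# Assumption: the flag returned to the server, '1' = accept, '0' = reject.
ACCEPT = "1"
REJECT = "0"


def command_name(command_string: str) -> Optional[str]:
    """Return the upper-cased, unqualified command name from a CL command
    string such as 'DLTF FILE(PRODLIB/CUSTMAST)' or 'QSYS/DLTF FILE(X)'.
    Returns None when no command name is present."""
    stripped = command_string.strip()
    if not stripped:
        return None
    first = stripped.split(None, 1)[0]
    # Drop a library qualifier (LIB/CMD) and anything glued on after '('.
    first = first.rsplit("/", 1)[-1]
    first = first.split("(", 1)[0]
    return first.upper() or None


def rmtcmd_exit(user: str, command_string: str) -> str:
    """Decide whether the RMTCMD request should be accepted.

    Policy: unknown users and empty requests are rejected (fail closed);
    profiles without LMTCPB(*YES) are accepted, because object authority
    still applies on the server; LMTCPB(*YES) profiles may only run
    commands whose ALWLMTUSR attribute is *YES, mirroring the command-line
    rule that rmtcmd.exe bypasses.  Every rejection is logged so that
    attempts can be picked up by monitoring.
    """
    user = user.strip().upper()
    lmtcpb = USER_PROFILES.get(user)
    if lmtcpb is None:
        log.warning("RMTCMD rejected: unknown user profile %r", user)
        return REJECT

    name = command_name(command_string)
    if name is None:
        log.warning("RMTCMD rejected: empty command from %s", user)
        return REJECT

    if lmtcpb != "*YES":
        log.info("RMTCMD accepted: %s (LMTCPB %s) ran %s", user, lmtcpb, name)
        return ACCEPT

    # Unknown commands default to *NO so the check fails closed.
    if COMMAND_ATTRS.get(name, "*NO") == "*YES":
        log.info("RMTCMD accepted: limited user %s ran %s", user, name)
        return ACCEPT

    log.warning("RMTCMD rejected: limited user %s attempted %s (%r)",
                user, name, command_string)
    return REJECT


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample requests, as an exit program would see them.
    for who, cmd in [
        ("CLERK", "DLTF FILE(PRODLIB/CUSTMAST)"),
        ("CLERK", "WRKJOB"),
        ("OPERATOR", "DLTF FILE(PRODLIB/CUSTMAST)"),
        ("CLERK", "CALL PGM(PRODLIB/FIXDATA)"),
    ]:
        print(who, cmd, "->", "ACCEPT" if rmtcmd_exit(who, cmd) == ACCEPT else "REJECT")
```

The tables stand in for what the real program would obtain from the profile (DSPUSRPRF) and command attributes on the system; the important design choices are that unknown users and unknown commands fail closed, and that each rejection produces a log entry rather than a silent refusal.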
In this post I just wanted to call out the security issues with respect to RMTCMD. I will try to follow up with a practical example on how to use exit points & exit programs later.

Until then… Have Fun..!!! Happy Coding..!!!