Saturday, June 10, 2017

Security problems with RMTCMD

Hello Friends,

This is a continuation of my earlier post on “how to execute CL command from Windows”.

If you have read that post you know how RMTCMD works with the AS400. But there are a few security issues with this method.

In one line: using RMTCMD, a user can run CL commands directly on the AS400 even if the user profile has Limit Capabilities set to *YES (LMTCPB(*YES)).

What is limit capabilities?

If a user profile is created with Limit Capabilities set to *YES, that profile cannot run most CL commands from a command line. When you try to execute a command you get an error such as


“Command CALL in library *LIBL not allowed”


This is how we keep a group of users away from unwanted or sensitive commands.

E.g.: if someone issues DLTF on a physical file, the file is deleted, possibly from production.

But when we use RMTCMD option to execute this command from Windows

Can we control which command will be allowed for Limit capable users?

Yes, we can. Every CL command has an attribute "Allow limited user" (ALWLMTUSR).

If it is *NO, a limited-capability profile cannot run the command from a command line.

If it is *YES, the command can be run even by a limited-capability profile.


Note: as a system administrator, you can change any CL command so that limited users can run it from the command line as well. This is done with CHGCMD.

E.g.:  CHGCMD  CMD(WRKJOB)  ALWLMTUSR(*YES)

But rmtcmd.exe, or rather the host remote command server that executes its requests, completely ignores the Limit Capabilities attribute of the user profile. The only check left is object authority: the user can run any command, and touch any object, that he or she is authorized to, including DLTF on a production file.

How to control this?

We have to register an exit program on the exit point of the remote command server and reject unauthorized requests there.

Exit Programs:

An exit point is simply a point in an application at which the application can optionally call an external program to perform customized processing. In other words, whenever a command arrives through RMTCMD we get the requesting user and the command string and can validate them before the command is processed. For this we register our exit program on the IBM exit point of the remote command server.

Once you have registered your exit program, whenever a request arrives through RMTCMD the server finds the program registered for the exit point and calls it, passing as parameters information about the user who is making the request and the command or program he or she wants to run. Your exit program processes that information and takes the appropriate action, according to the security rules you implement in it. Upon return, your exit program passes back a status to either ACCEPT or REJECT the request.

Exit Points:

Each exit point has a name and an Exit Point Interface. The Exit Point Interface is a list of input and output parameters the IBM server program exchanges with your exit program. The QIBM_QZRC_RMT exit point (format CZRC0100) is called by the remote command server for every command or program call request it receives through RMTCMD, after the user has signed on with user ID and password but before the request is run.
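As an added example (my own code, not from the original post and not IBM's sample), here is a CL exit program for QIBM_QZRC_RMT that puts the LMTCPB(*YES) restriction back onto RMTCMD: users without limited capabilities pass through to the normal authority checks, limited users get only a small allow-list of commands, and everything else (including program calls and any unexpected error) is rejected. It assumes the CZRC0100 field offsets listed in the comments (check them against the exit-point reference for your release), a sample allow-list that is my policy rather than IBM's, and the placeholder names SECLIB and RMTCMDEXT.

```cl
/* Added example, not from the original post: exit program for      */
/* QIBM_QZRC_RMT (format CZRC0100) that re-applies LMTCPB(*YES) to   */
/* commands arriving through RMTCMD.                                 */
/*                                                                   */
/* Assumptions (verify against your release's exit-point reference): */
/*  - CZRC0100 layout: user profile at position 1 (CHAR 10),         */
/*    request function at 29 (BIN 4: 1 = command, 2 = program call), */
/*    command length at 57 (BIN 4), command string from position 61. */
/*  - Second parameter: '1' = accept the request, '0' = reject it.   */
/*  - &ALWCMDS is a sample policy, not an IBM list.                  */
/*  - SECLIB/RMTCMDEXT is a placeholder name for this program.       */

             PGM        PARM(&REQUEST &STATUS)

             DCL        VAR(&REQUEST) TYPE(*CHAR) LEN(2060) /* CZRC0100 data   */
             DCL        VAR(&STATUS)  TYPE(*CHAR) LEN(1)    /* '1' acc, '0' rej */
             DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&FUNC)    TYPE(*INT)  LEN(4)
             DCL        VAR(&CMDLEN)  TYPE(*INT)  LEN(4)
             DCL        VAR(&CMDSTR)  TYPE(*CHAR) LEN(2000)
             DCL        VAR(&CMDNAME) TYPE(*CHAR) LEN(10)
             DCL        VAR(&LMTCPB)  TYPE(*CHAR) LEN(10)
             DCL        VAR(&I)       TYPE(*INT)  LEN(4)
             /* Commands a limited user may still run remotely, 10 chars each */
             DCL        VAR(&ALWCMDS) TYPE(*CHAR) LEN(50) +
                          VALUE('WRKJOB    WRKSPLF   DSPJOB    WRKACTJOB SIGNOFF   ')

             /* Fail closed: any unexpected error rejects the request */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(REJECT))

             CHGVAR     VAR(&USER)   VALUE(%SST(&REQUEST 1 10))
             CHGVAR     VAR(&FUNC)   VALUE(%BIN(&REQUEST 29 4))
             CHGVAR     VAR(&CMDLEN) VALUE(%BIN(&REQUEST 57 4))

             /* Profiles without limited capabilities keep their normal */
             /* object-authority checks; only LMTCPB(*YES) is filtered. */
             RTVUSRPRF  USRPRF(&USER) LMTCPB(&LMTCPB)
             IF         COND(&LMTCPB *NE '*YES') THEN(GOTO CMDLBL(ACCEPT))

             /* A limited user gets no program calls and no empty request */
             IF         COND(&FUNC *NE 1) THEN(GOTO CMDLBL(REJECT))
             IF         COND(&CMDLEN *LT 1) THEN(GOTO CMDLBL(REJECT))
             IF         COND(&CMDLEN *GT 2000) THEN(CHGVAR VAR(&CMDLEN) VALUE(2000))
             CHGVAR     VAR(&CMDSTR) VALUE(%SST(&REQUEST 61 &CMDLEN))

             /* Isolate the command name: first blank-delimited token,   */
             /* dropping a library qualifier (LIB/CMD -> CMD). A qualified */
             /* name is at most 21 characters, so the scan stops there.   */
             CHGVAR     VAR(&CMDNAME) VALUE(' ')
             CHGVAR     VAR(&I) VALUE(1)
             DOWHILE    COND(&I *LE 21 *AND %SST(&CMDSTR &I 1) *NE ' ')
                IF      COND(%SST(&CMDSTR &I 1) *EQ '/') +
                          THEN(CHGVAR VAR(&CMDNAME) VALUE(' '))
                ELSE    CMD(CHGVAR VAR(&CMDNAME) +
                          VALUE(&CMDNAME *TCAT %SST(&CMDSTR &I 1)))
                CHGVAR  VAR(&I) VALUE(&I + 1)
             ENDDO

             /* Accept only if the name is on the allow-list */
             CHGVAR     VAR(&I) VALUE(1)
             DOWHILE    COND(&I *LE 41)
                IF      COND(%SST(&ALWCMDS &I 10) *EQ &CMDNAME) +
                          THEN(GOTO CMDLBL(ACCEPT))
                CHGVAR  VAR(&I) VALUE(&I + 10)
             ENDDO

 REJECT:     CHGVAR     VAR(&STATUS) VALUE('0')
             SNDMSG     MSG('RMTCMD rejected for limited user ' *CAT +
                          &USER *BCAT %SST(&CMDSTR 1 80)) TOUSR(*SYSOPR)
             MONMSG     MSGID(CPF0000)
             RETURN

 ACCEPT:     CHGVAR     VAR(&STATUS) VALUE('1')
             ENDPGM
```

Compile it with CRTCLPGM, register it with ADDEXITPGM EXITPNT(QIBM_QZRC_RMT) FORMAT(CZRC0100) PGMNBR(1) PGM(SECLIB/RMTCMDEXT), and restart the server (ENDHOSTSVR SERVER(*RMTCMD), then STRHOSTSVR SERVER(*RMTCMD)) so the running server jobs pick up the registration. Two caveats: RTVUSRPRF needs *READ authority to the profile being checked, so if the exit program runs under the requesting user (as host server exit programs usually do) it may need to adopt authority via USRPRF(*OWNER); with the fail-closed MONMSG, an authority failure shows up as every request being rejected rather than silently accepted. And CL command names are not case sensitive while the compare above is, so a limited user typing "wrkjob" is rejected rather than wrongly accepted; an allow-list fails safe where a deny-list would not.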

In this post I just wanted to call out the security issues with respect to RMTCMD. I would try to catch up with some practical example on how to use Exit points & Exit programs later.

Until then… Have Fun..!!! Happy Coding..!!!

Friday, June 9, 2017

Executing AS400 CL Command from Windows

Hello Friends,

If you have IBM System i Access for Windows installed, it gives you a command-line tool called RMTCMD. With it you can run CL commands directly from your Windows command prompt.

Syntax:

RMTCMD supports two formats

RMTCMD "CL COMMAND" [/Q] //AS400SERVER [/Z]

RMTCMD /I <filename> [/Q] //AS400SERVER [/Z]

RMTCMD - the command name (the CL command is given in double quotes); with /I, <filename> is a text file with one CL command per line
AS400SERVER - your server name

/Q - if the CL command fails, display the error and end the command. Without it, RMTCMD asks you whether to continue or end.

/Z - display only the required messages on your workstation (no version and copyright banner)

E.g.: I want to clear a file DEVYUS1/TEMP



It prompts you for user name and password, and the command executes directly on your AS400 under that user profile's authority.

E.g.: Output 

With the /Z option the extra details (version and copyright information) are not displayed.


What if we have multiple commands to execute? 

We can have it in a file and use our 2nd command.




What if we want to execute a DOS command from the AS400?

STRPCO & STRPCCMD

From an emulator session, start the PC Organizer (STRPCO) first; then STRPCCMD runs a DOS command on the PC.


Hope you might have learnt something useful. I shall come back with another interesting topic later. Until then… Have Fun..!!! Happy Coding…!!!