Saturday, June 10, 2017

Security problems with RMTCMD

Hello Friends,

This is a continuation of my earlier post on “how to execute CL command from Windows”.

If you have read that post you should know how RMTCMD works with the AS400. Even so, there are a few security issues that can arise when using this method.

To put it in one line: using RMTCMD, a user can run a CL command directly on the AS400 even if the user profile has Limit Capabilities = *YES, i.e. LMTCPB(*YES).

What is limit capabilities?

If a user profile is created with Limit Capabilities set to *YES, that profile cannot use most CL commands from the command line. When you try to execute a command you will get an error such as:

“Command CALL in library *LIBL not allowed”

This lets us prevent a user group from accessing unwanted or sensitive commands.

E.g.: if someone issues the DLTF command against a physical file (PF), this would probably delete the file from production.

But when we use RMTCMD option to execute this command from Windows

Can we control which command will be allowed for Limit capable users?

Yes, we can. Every CL command has an attribute “Allow limited user” (ALWLMTUSR).

If it is *NO, the command cannot be used from a limited-capability profile.

If it is *YES, the command can be used even if the profile has limited capabilities.


Note: as a system administrator, you can change any CL command that can be run at the command line so that limited users can also run it. This is done with the CHGCMD command.

E.g.: CHGCMD CMD(WRKJOB) ALWLMTUSR(*YES)

But rmtcmd.exe completely ignores the Limit Capabilities attribute of the user profile and therefore allows any user to run any command he or she is authorized to run.

How to control this?

We have to register exit programs at the relevant exit points to control unauthorized requests.

Exit Programs:

An exit point is simply a point in an application at which the application can optionally call an external program to perform customized processing. In other words, whenever RMTCMD is executed we can obtain the login details and validate them before the request is processed. For this we need to register our exit program at the IBM exit point for RMTCMD.

Once you have registered your exit program, whenever a user attempts to log on using RMTCMD, the server finds your program that's registered for the exit point, then calls your exit program, passing as parameters information about the user who's logging on. Your exit program then processes that information and takes the appropriate action, according to the security rules you implement in the exit program. Upon return, your exit program passes back a flag to either ACCEPT or REJECT the logon attempt.

Exit Points:

Each exit point has a name and an Exit Point Interface. The Exit Point Interface is the list of input and output parameters the IBM server program exchanges with your exit program. The QIBM_QZRC_RMT exit point occurs immediately after a user enters a user ID and password to log on to the AS400 server using the RMTCMD command.
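To make the exit program and exit point sections above concrete, here is an added example (not code from this post, and written in Python as a model rather than in CL or RPG): it implements the accept/reject decision an exit program registered on QIBM_QZRC_RMT would make for a remote command request, re-applying the LMTCPB / ALWLMTUSR check that rmtcmd.exe skips. The user profiles, command attributes and request shape are constructed stand-ins; the real exit point parameter structure is not modelled.

```python
# Added example (not from the post): models the decision an exit program
# registered on QIBM_QZRC_RMT would make for a remote command request.
# It re-applies the Limit Capabilities rule that rmtcmd.exe ignores:
# a LMTCPB(*YES) profile may only run commands that have ALWLMTUSR(*YES).
# User profiles, command attributes and the request shape are constructed
# stand-ins; the real exit point parameter layout is not modelled here.

ACCEPT, REJECT = "1", "0"   # flag the exit program passes back to the server

# Constructed table: user profile -> LMTCPB attribute
USER_PROFILES = {"QSECOFR": "*NO", "DEVUSER": "*NO", "OPRUSER": "*YES"}

# Constructed table: command name -> ALWLMTUSR attribute (acts as allow-list)
COMMANDS = {"WRKJOB": "*YES", "DSPJOB": "*YES", "SNDMSG": "*YES",
            "DLTF": "*NO", "CALL": "*NO", "CHGUSRPRF": "*NO"}


def command_name(cl_string):
    """Return the command verb of a CL string, dropping a LIB/ qualifier
    such as '*LIBL/DLTF' or 'QSYS/WRKJOB'."""
    stripped = cl_string.strip()
    if not stripped:
        return ""
    token = stripped.split(None, 1)[0]
    return token.split("/")[-1].upper()


def exit_program(user, cl_string, audit):
    """Decide ACCEPT/REJECT for a remote command from `user` and append a
    constructed audit record, as an exit program would log the attempt."""
    name = command_name(cl_string)
    if user not in USER_PROFILES or not name:
        decision, reason = REJECT, "unknown profile or empty request"
    elif name not in COMMANDS:
        decision, reason = REJECT, "command not in allow-list"
    elif USER_PROFILES[user] == "*YES" and COMMANDS[name] != "*YES":
        decision, reason = REJECT, "LMTCPB(*YES) user, command is ALWLMTUSR(*NO)"
    else:
        decision, reason = ACCEPT, "allowed"
    audit.append(f"RMTCMD user={user} cmd={name} decision={decision} reason={reason}")
    return decision
```

Unknown commands are rejected by default, so the table doubles as an allow-list; the audit list stands in for the job log or message queue a real exit program would write to.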

In this post I just wanted to call out the security issues with RMTCMD. I will try to follow up later with a practical example of how to use exit points and exit programs.

Until then… Have Fun..!!! Happy Coding..!!!

1 comment:

  1. Could you help me with this? How can I create a batch file to be executed from a Windows/DOS command prompt with the RMTCMD command that would execute these three commands and direct the result of each command into a text file:
    WRKSYSVAL *ALL
    PRTSYSSECA
    ANZDFTPWD
    ?