On Tue, 11 Dec 2007 12:29:46 -0800 George Fogg <[EMAIL PROTECTED]> wrote:
:>> On Mon, 10 Dec 2007 15:38:58 -0800 George Fogg <[EMAIL PROTECTED]> wrote:
:>>
:>> :>OK, MGCEFAST has a purpose in certain conditions but I could set this bit on
:>> :>in a simple MGCRE call to issue a command without using CPF and CMDSYS
:>> :>processing and it will bypass the command exits and CMDAUTH (OPERCMDS
:>> :>checking) processing?
:>>
:>> :>I agree this is not appropriate but I'm just curious if it would work.
:>> :>Just another goodie to add to my "gosh, that's interesting" list.
:>>
:>> As the MGCR(E) issuer is supervisor state, it is perfectly legitimate for it
:>> to indicate that security be bypassed.

:>Not in our shop.

:>We have 25+ site-written commands processed in the command exit; if MGCEFAST
:>bypasses the command exit then they won't work. I also don't want vendor
:>products and in-house EMCS code setting this bit to bypass security checking.

Then you should audit your supervisor state programs.

I am not stating that it is a good idea to set the bit, just that allowing the
MGCR(E) to bypass security is NOT an exposure as it is in supervisor state and
thus can directly do what the issued command would do.

:>I don't have a problem with its intended purpose as Scott Fagen indicated.

--
Binyamin Dissen <[EMAIL PROTECTED]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

