Other than via OPERCMDS profiles protecting the VARY command (which then requires that all consoles be LOGON=REQUIRED) I don't think so.

Wayne Driscoll
Product Developer
NOTE: All opinions are strictly my own.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Edward Jaffe
Sent: Tuesday, February 12, 2008 4:05 PM
To: [email protected]
Subject: Re: SMCS Console Question

George Fogg wrote:
> Ed: The only exposure I see (and I'm stretching it here) is that anyone that
> has access to any MCS console with LOGON=OPTIONAL (or default) can issue *any*
> command (of course, depending on the AUTH= parameter) and OPERCMDS checking is
> basically bypassed because the user is not required to logon to the MCS
> console.
>
> So let's say I have access to your MCS console EDJXADM that has AUTH=MASTER. I
> can issue the "V CN(SMCS6001),LOGON=OPTIONAL" for your SMCS console,
> therefore your SMCS console doesn't require *any* user that knows the VTAM
> APPLID and SMCS console name to LOGON.

George,

Until you posted this, I would have guessed that setting LOGON=OPTIONAL was invalid for SMCS consoles. But, I tried issuing this VARY CN command from my AUTH=MASTER EMCS console and -- Behold! -- the LOGON attribute on my SMCS console was faithfully changed to OPTIONAL. Now, I have an AUTH=MASTER SMCS "back door" to my system that anyone can exploit!

Is there no way to prevent the LOGON attribute from being changed for SMCS consoles??

--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

