Other than via OPERCMDS profiles protecting the VARY command (which then
requires that all consoles be LOGON=REQUIRED) I don't think so.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Edward Jaffe
Sent: Tuesday, February 12, 2008 4:05 PM
To: [email protected]
Subject: Re: SMCS Console Question

George Fogg wrote:
> Ed: The only exposure I see (and I'm streching it here) is that anyone
that
> has access to any MCS console with LOGON=OPTIONAL (or default) can issue
*any*
> command (of course, depending on the AUTH= parameter)and OPERCMDS checking
is
> basically bypassed because the user is not required to logon to the MCS
> console.
>
> So lets say I have access to your MCS console EDJXADM that has
AUTH=MASTER. I
> can issue the "V CN(SMCS6001),LOGON=OPTIONAL)" for your SMCS console,
> therefore your SMCS console doesn't require *any* user that knows the VTAM
> APPLID and SMCS console name to LOGON.

George, Until you posted this, I would have guessed that setting 
LOGON=OPTIONAL was invalid for SMCS consoles. But, I tried issuing this 
VARY CN command from my AUTH=MASTER EMCS console and -- Behold! -- the 
LOGON attribute on my SMCS console was faithfully changed to OPTIONAL. 
Now, I have an AUTH=MASTER SMCS "back door" to my system that anyone can 
exploit!

Is there no way to prevent the LOGON attribute from being changed for 
SMCS consoles??

-- 
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Reply via email to