George Fogg wrote:
Ed: The only exposure I see (and I'm stretching it here) is that anyone that
has access to any MCS console with LOGON=OPTIONAL (or default) can issue *any*
command (of course, depending on the AUTH= parameter) and OPERCMDS checking is
basically bypassed because the user is not required to logon to the MCS
console.

So let's say I have access to your MCS console EDJXADM that has AUTH=MASTER. I
can issue the "V CN(SMCS6001),LOGON=OPTIONAL" for your SMCS console,
therefore your SMCS console doesn't require *any* user that knows the VTAM
APPLID and SMCS console name to LOGON.

George, until you posted this, I would have guessed that setting
LOGON=OPTIONAL was invalid for SMCS consoles. But, I tried issuing this
VARY CN command from my AUTH=MASTER EMCS console and -- Behold! -- the
LOGON attribute on my SMCS console was faithfully changed to OPTIONAL.
Now, I have an AUTH=MASTER SMCS "back door" to my system that anyone can
exploit!
Is there no way to prevent the LOGON attribute from being changed for
SMCS consoles??
--
Edward E Jaffe
Phoenix Software International, Inc
5200 W Century Blvd, Suite 800
Los Angeles, CA 90045
310-338-0400 x318
[EMAIL PROTECTED]
http://www.phoenixsoftware.com/