Wow .. open mouth, insert foot ... it does imply OPERATOR has it by default - and here I am saying it's a security violation. This is just not my day :-(

I guess OPERATOR 'is' the failsafe VM userid -- and by rights should have this ability for recovery. But I wouldn't want my typical VM operator doing these kinds of things. I guess an audit trail will have to suffice.

Scott

On Tue, May 12, 2009 at 2:59 PM, Schuh, Richard <[email protected]> wrote:

> According to the help file, "The user must be the primary system operator
> or the user's OPTION directory statement must include the DEVMAINT option".
> Does this not indicate that OPERATOR does not need DEVMAINT?
>
> Regards,
> Richard Schuh
>
> ------------------------------
> *From:* The IBM z/VM Operating System [mailto:[email protected]] *On
> Behalf Of *Scott Rohling
> *Sent:* Tuesday, May 12, 2009 1:52 PM
> *To:* [email protected]
> *Subject:* Re: Oops and finding passwords on a system...
>
> I understand your premise, but respectfully disagree. We're not going to
> increase the security of z/VM by not discussing ways to do things when
> necessary. The mirror question to yours is: 'How do I prevent a z/VM
> system from being hacked?'. The answer lies in things like:
>
> - Run an ESM (may I suggest RACF?)
> - Don't hand out OPTION DEVMAINT indiscriminately (as in this case -- does
>   OPERATOR actually have it? YIKES!!)
>
> Any of the methods being discussed can only be done by a user with
> sufficient privilege to do so. None of this is secret stuff, nor should it
> be.
>
> Scott
>
> On Tue, May 12, 2009 at 2:29 PM, Mark Wheeler <[email protected]> wrote:
>
>> Greetings all,
>>
>> These are the kind of questions I really hate to see, because many of us
>> know the answer (or multiple answers) and want to help. Actually, it's those
>> answers that I hate to see, because, to paraphrase, the root question is
>> basically "How do I hack into a z/VM system?" Posting the answers to the
>> list doesn't seem prudent, whereas a private response to Bob (you really are
>> Bob, right?) would be more appropriate. It helps Bob, who we all know and
>> love, solve his problem but doesn't compromise the integrity of everyone
>> else's systems.
>>
>> Respectfully,
>>
>> Mark Wheeler
>>
>> http://www.linkedin.com/in/marklwheeler
>>
>> ------------------------------
>> Date: Tue, 12 May 2009 14:36:19 -0500
>> From: [email protected]
>> Subject: Oops and finding passwords on a system...
>> To: [email protected]
>>
>> I didn’t log in for awhile and, due to advancing age (actually a year
>> older tomorrow too), I’ve forgotten what I made the MAINT password. And,
>> since this was also the main password used for almost all the service
>> machines, I don’t have any other locations to log into that would help me. I
>> know; stupid. :(
>>
>> Could someone with a zVM 540 system please tell me the starting cylinder
>> of the DIRMAINT 1DB minidisk? I don’t think we had any reason to relocate
>> it, so, I think, with that and a DEFINE MINIDISK command from OPERATOR (my
>> one working userid) I can get the password I need to regain control and save
>> some face (other than here, since I’ve confessed to you all).
>>
>> Thanks to one and all for keeping this as quiet as possible.
>>
>> --
>> Robert P. Nix          Mayo Foundation        .~.
>> RO-OE-5-55             200 First Street SW    /V\
>> 507-284-0844           Rochester, MN 55905   /( )\
>> -----                                        ^^-^^
>> "In theory, theory and practice are the same, but
>> in practice, theory and practice are different."
