From the original z/VM 5.4.0 "USER DIRECT" (and yes, the password is exposed - anyone going into production with an IBM-distributed password *should* be in "triple-trouble"!):

---<snip>---
USER OPERATOR OPERATOR 32M 32M ABCDEFG
 INCLUDE IBMDFLT
 AUTOLOG AUTOLOG1 OP1 MAINT
 ACCOUNT 2 OPERATOR
 MACH ESA
 OPTION MAINTCCW
 IPL 190
 LINK OP1 191 192 RR
 MDISK 191 3390 3301 005 VSR54I MR READ WRITE MULTIPLE
---<snip>---

(We save the original MAINT 02CC as MAINT D2CC (Distributed 2CC) as soon as the installation is complete. Lets us go back later to understand.)

The "INCLUDE IBMDFLT" does not (and had better not) include "OPTION DEVMAINT".
Could there perhaps be some confusion between "DEVMAINT" and "MAINTCCW"?

Mike Walter
Hewitt Associates


"Scott Rohling" <[email protected]>
Sent by: "The IBM z/VM Operating System" <[email protected]>
05/12/2009 04:04 PM
Please respond to "The IBM z/VM Operating System" <[email protected]>

To: [email protected]
cc:
Subject: Re: Oops and finding passwords on a system...

Wow .. open mouth, insert foot ... it does imply OPERATOR has it by default - and here I am saying it's a security violation. This is just not my day :-(

I guess OPERATOR 'is' the failsafe VM userid -- and by rights should have this ability for recovery. But I wouldn't want my typical VM operator doing these kinds of things. I guess an audit trail will have to suffice.

Scott

On Tue, May 12, 2009 at 2:59 PM, Schuh, Richard <[email protected]> wrote:

According to the help file, "The user must be the primary system operator or the user's OPTION directory statement must include the DEVMAINT option". Does this not indicate that OPERATOR does not need DEVMAINT?

Regards,
Richard Schuh

From: The IBM z/VM Operating System [mailto:[email protected]] On Behalf Of Scott Rohling
Sent: Tuesday, May 12, 2009 1:52 PM
To: [email protected]
Subject: Re: Oops and finding passwords on a system...

I understand your premise, but respectfully disagree. We're not going to increase the security of z/VM by not discussing ways to do things when necessary. The mirror question to yours is: 'How do I prevent a z/VM system from being hacked?'. The answer lies in things like:

- Run an ESM (may I suggest RACF?)
- Don't hand out OPTION DEVMAINT indiscriminately (as in this case -- does OPERATOR actually have it? YIKES!!)

Any of the methods being discussed can only be done by a user with sufficient privilege to do so. None of this is secret stuff, nor should it be.
Scott

On Tue, May 12, 2009 at 2:29 PM, Mark Wheeler <[email protected]> wrote:

Greetings all,

These are the kind of questions I really hate to see, because many of us know the answer (or multiple answers) and want to help. Actually, it's those answers that I hate to see, because, to paraphrase, the root question is basically "How do I hack into a z/VM system?" Posting the answers to the list doesn't seem prudent, whereas a private response to Bob (you really are Bob, right?) would be more appropriate. It helps Bob, who we all know and love, solve his problem but doesn't compromise the integrity of everyone else's systems.

Respectfully,
Mark Wheeler
http://www.linkedin.com/in/marklwheeler

Date: Tue, 12 May 2009 14:36:19 -0500
From: [email protected]
Subject: Oops and finding passwords on a system...
To: [email protected]

I didn't log in for a while and, due to advancing age (actually a year older tomorrow too), I've forgotten what I made the MAINT password. And, since this was also the main password used for almost all the service machines, I don't have any other locations to log into that would help me. I know; stupid. :(

Could someone with a zVM 540 system please tell me the starting cylinder of the DIRMAINT 1DB minidisk? I don't think we had any reason to relocate it, so, I think, with that and a DEFINE MINIDISK command from OPERATOR (my one working userid) I can get the password I need to regain control and save some face (other than here, since I've confessed to you all).

Thanks to one and all for keeping this as quiet as possible.

--
Robert P. Nix          Mayo Foundation         .~.
RO-OE-5-55             200 First Street SW     /V\
507-284-0844           Rochester, MN 55905    /( )\
-----                                          ^^-^^
"In theory, theory and practice are the same, but in practice, theory and practice are different."
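The two points the thread keeps circling back to are checkable from the directory source itself: which userids end up with OPTION DEVMAINT (directly, or through an INCLUDEd profile such as IBMDFLT), and which userids still carry a password equal to the userid, as the quoted OPERATOR entry does. The script below is an added example, not code from the list thread or from IBM; it assumes the classic USER DIRECT layout shown in the quoted entry (USER/PROFILE open an entry, INCLUDE pulls in a PROFILE, OPTION lines carry keywords, a leading "*" marks a comment) and does not handle statement continuation. The sample directory embedded in it is constructed for the demonstration, and the profile name DEVPROF and userids SCOTT and APPSVR are made up.

```python
"""Audit a z/VM USER DIRECT source for OPTION DEVMAINT grants and weak passwords.

Added example, not code from the mailing-list thread or from IBM. Assumes the
classic directory layout: USER and PROFILE statements open an entry, INCLUDE
pulls a PROFILE's statements into a USER, OPTION lines list keywords, and a
line whose first character is '*' is a comment. Statement continuation is not
handled (an assumption, to keep the parser short).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass
class Entry:
    kind: str                                   # "USER" or "PROFILE"
    name: str
    password: Optional[str] = None              # only USER entries carry one
    options: Set[str] = field(default_factory=set)
    includes: List[str] = field(default_factory=list)


def parse_directory(text: str) -> Dict[str, Entry]:
    """Parse directory source into entries keyed by name; profiles are keyed 'PROFILE:name'."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                            # blank line or comment
        tokens = line.upper().split()           # directory keywords are case-insensitive
        stmt = tokens[0]
        if stmt == "USER" and len(tokens) >= 2:
            current = Entry("USER", tokens[1], tokens[2] if len(tokens) > 2 else None)
            entries[current.name] = current
        elif stmt == "PROFILE" and len(tokens) >= 2:
            current = Entry("PROFILE", tokens[1])
            entries["PROFILE:" + current.name] = current
        elif stmt == "DIRECTORY":
            current = None                      # global statement, belongs to no entry
        elif current is None:
            continue                            # statement outside any entry; ignore
        elif stmt == "OPTION":
            current.options.update(tokens[1:])
        elif stmt == "INCLUDE":
            current.includes.extend(tokens[1:])
        # other statements (MDISK, LINK, IPL, ...) are irrelevant to this audit
    return entries


def granting_profiles(entry: Entry, option: str, entries: Dict[str, Entry]) -> List[str]:
    """Names of the entry's included profiles that carry the given OPTION keyword."""
    result = []
    for prof_name in entry.includes:
        prof = entries.get("PROFILE:" + prof_name)
        if prof is not None and option in prof.options:
            result.append(prof_name)
    return result


def audit(text: str,
          sensitive_options: Sequence[str] = ("DEVMAINT",),
          default_passwords: Sequence[str] = ()) -> List[Tuple[str, str]]:
    """Return (userid, finding) pairs for sensitive OPTION grants and weak passwords."""
    entries = parse_directory(text)
    defaults = {p.upper() for p in default_passwords}
    findings: List[Tuple[str, str]] = []
    for entry in entries.values():
        if entry.kind != "USER":
            continue
        for option in sensitive_options:
            via = granting_profiles(entry, option, entries)
            if option in entry.options:
                findings.append((entry.name, f"OPTION {option} granted directly"))
            elif via:
                findings.append((entry.name, f"OPTION {option} granted via INCLUDE " + ", ".join(via)))
        if entry.password is not None and entry.password == entry.name:
            findings.append((entry.name, "password equals userid"))
        if entry.password is not None and entry.password in defaults:
            findings.append((entry.name, "password is on the supplied default-password list"))
    return findings


# Constructed sample directory, modelled on the OPERATOR entry quoted in the thread.
# DEVPROF, SCOTT and APPSVR are made up for the demonstration.
SAMPLE_DIRECTORY = """\
* constructed sample, not a real system's directory
DIRECTORY 123 3390 VSR54I
PROFILE IBMDFLT
 SPOOL 00C 2540 READER *
 CONSOLE 009 3215 T
PROFILE DEVPROF
 OPTION DEVMAINT
USER OPERATOR OPERATOR 32M 32M ABCDEFG
 INCLUDE IBMDFLT
 OPTION MAINTCCW
 IPL 190
USER SCOTT SECRET99 32M 32M G
 INCLUDE DEVPROF
USER APPSVR APPSVR 64M 64M G
 INCLUDE IBMDFLT
 OPTION DEVMAINT MAINTCCW
"""

if __name__ == "__main__":
    for userid, finding in audit(SAMPLE_DIRECTORY):
        print(f"{userid:<8} {finding}")
```

Pass `sensitive_options=("DEVMAINT", "MAINTCCW")` to also list who holds MAINTCCW, which is the option the quoted OPERATOR entry actually has; the two keywords are reported separately, so the DEVMAINT/MAINTCCW confusion raised in the thread shows up plainly in the output. Feed the real directory source in place of the sample, and add the distributed passwords you know about to `default_passwords`.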
