limiting access to a command line

Tags:
Command line
How do I remove command line from users?

Answer Wiki


On the USRPRF, change LMTCPB(*YES). Limit Capabilities *YES will not allow entry for commands on the command line. Alternatively, for selected commands to be accessed, we can give them access by CHGOBJAUT for any command.

Discuss This Question: 2  Replies

 
  • TomLiotta
    Setting the LMTCPB(*YES) attribute of a user profile is a way of influencing how users can interact with commands on a command line. By setting the attribute to (*YES), you restrict which commands may be run (through a command line) by that user.

    Commands have a related attribute, the ALWLMTUSR() attribute, that can be either (*YES) or (*NO). That attribute determines whether or not a command is allowed for a limited user on a command line. By default, all IBM commands are set with ALWLMTUSR(*NO) except the SNDMSG, DSPMSG, WRKMSG, SIGNOFF, STRPCO, DSPJOB and DSPJOBLOG commands. You can use the CHGCMD command to set any command you need to be either ALWLMTUSR(*YES) or (*NO). The CHGOBJAUT command serves a different function and is possibly inappropriate.

    If you are going to use this user attribute, you should check every command on the system to see which ones will be affected by the user attribute. Any command, whether IBM-supplied, home-grown or 3rd-party, should be checked to verify that the command's ALWLMTUSR() attribute is appropriate. (There are thousands of commands.)

    The huge issue with doing so is that it tends to obscure the real security problems that exist. It gives a false and misleading sense of security.

    First, it only restricts commands entered on a command line. It doesn't restrict them if they are run in other ways.

    Second, it only restricts the commands themselves. It doesn't restrict the effects of a command. That is, although it can restrict the DLTF command itself from being run through a command line type of interface, it does not restrict the ability to delete a file, nor does it restrict the ability to execute the DLTF command through a non-command line interface. The same is true for every command.

    If a user has existence authority to an object, the object can be deleted without needing to use a command. For example, a file might be deleted by using Windows Explorer to drill into the remote file system, right-clicking on the file and selecting 'Delete' or pressing the Delete key.

    There are many ways to access objects when a system is connected to a network that users can also access. Many users are more familiar with Windows than they are with commands on a command line.

    If you set user authorities appropriately, then it becomes irrelevant if users can use a command line. If a user doesn't have existence authority for a file, for example, then they can run DLTF against that file through a command line all day long; but the command will simply return an error message saying that object authority is insufficient. Every other interface will return the same error.

    By fixing the underlying problem, you don't have to waste time with finding and fixing all the possible symptoms.

    Nevertheless, the LMTCPB(*YES) user attribute does affect command line usage. It sometimes provides a short-term patch until real problems are fixed.

    Tom
  • TomLiotta
    Sorry about that paragraph formatting. I forgot that this editor isn't tuned for that in FF and that I was using FF. -- Tom
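The two layers discussed in the replies above, side by side, as an added CL example that is not code from either poster: the command-line restriction (LMTCPB plus ALWLMTUSR) and the object-authority change that applies through every interface. APPUSER, APPLIB, ORDERS and ORDINQ are hypothetical names.

```cl
/* Added example. APPUSER, APPLIB, ORDERS and ORDINQ are hypothetical. */
PGM

/* 1. Short-term patch: restrict what APPUSER can run from a           */
/*    command line.                                                    */
CHGUSRPRF  USRPRF(APPUSER) LMTCPB(*YES)

/* 2. Open one reviewed command to limited users. ALWLMTUSR is an      */
/*    attribute of the command, set with CHGCMD. It is not an object   */
/*    authority.                                                       */
CHGCMD     CMD(APPLIB/ORDINQ) ALWLMTUSR(*YES)

/* 3. Print the command's attributes so the "Allow limited users"      */
/*    value can be checked.                                            */
DSPCMD     CMD(APPLIB/ORDINQ) OUTPUT(*PRINT)

/* 4. Underlying fix: leave APPUSER able to read and update ORDERS     */
/*    but without existence authority. *CHANGE does not include        */
/*    *OBJEXIST, so a delete fails from a command line, from a         */
/*    network file share and from any other interface.                 */
GRTOBJAUT  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) USER(APPUSER) +
             AUT(*CHANGE) REPLACE(*YES)

/* 5. Stop *PUBLIC from supplying an authority the user profile        */
/*    itself no longer carries.                                        */
GRTOBJAUT  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) USER(*PUBLIC) +
             AUT(*EXCLUDE) REPLACE(*YES)

/* 6. Print the resulting authorities for review.                      */
DSPOBJAUT  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) OUTPUT(*PRINT)

ENDPGM
```

Existence authority can also reach a user through a group profile, an authorization list, adopted authority or *ALLOBJ special authority, so the DSPOBJAUT listing in step 6 should be read with those in mind.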
