Setting the LMTCPB(*YES) attribute of a user profile is a way of influencing how users can interact with commands on a command line. By setting the attribute to (*YES), you restrict which commands may be run (through a command line) by that user.

Commands have a related attribute, the ALWLMTUSR() attribute, that can be either (*YES) or (*NO). That attribute determines whether or not a command is allowed for a limited user on a command line. By default, all IBM commands are set with ALWLMTUSR(*NO) except the SNDMSG, DSPMSG, WRKMSG, SIGNOFF, STRPCO, DSPJOB and DSPJOBLOG commands. You can use the CHGCMD command to set any command you need to be either ALWLMTUSR(*YES) or (*NO). The CHGOBJAUT command serves a different function and is possibly inappropriate.

If you are going to use this user attribute, you should check every command on the system to see which ones will be affected by it. Any command, whether IBM-supplied, home-grown or 3rd-party, should be checked to verify that the command's ALWLMTUSR() attribute is appropriate. (There are thousands of commands.)

The huge issue with doing so is that it tends to obscure the real security problems that exist. It gives a false and misleading sense of security.

First, it only restricts commands entered on a command line. It doesn't restrict them if they are run in other ways.

Second, it only restricts the commands themselves. It doesn't restrict the effects of a command. That is, although it can restrict the DLTF command itself from being run through a command-line type of interface, it does not restrict the ability to delete a file, nor does it restrict the ability to execute the DLTF command through a non-command-line interface. The same is true for every command.

If a user has existence authority to an object, the object can be deleted without needing to use a command. For example, a file might be deleted by using Windows Explorer to drill into the remote file system, right-clicking on the file and selecting 'Delete' or pressing the Delete key.

There are many ways to access objects when a system is connected to a network that users can also access. Many users are more familiar with Windows than they are with commands on a command line.

If you set user authorities appropriately, then it becomes irrelevant whether users can use a command line. If a user doesn't have existence authority for a file, for example, then they can run DLTF against that file through a command line all day long; but the command will simply return an error message saying that object authority is insufficient. Every other interface will return the same error.

By fixing the underlying problem, you don't have to waste time finding and fixing all the possible symptoms.

Nevertheless, the LMTCPB(*YES) user attribute does affect command line usage. It sometimes provides a short-term patch until real problems are fixed.

Tom
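The two approaches Tom contrasts, typed into the IBM i command line, as an added example (not part of Tom's post and not IBM-supplied sample code). The user profile JSMITH, the file MYLIB/ORDERS and the home-grown command MYLIB/RUNRPT are assumed names for illustration; the commands themselves (CHGUSRPRF, DSPCMD, CHGCMD, GRTOBJAUT, DSPOBJAUT) are standard CL commands.

```cl
/* Added example; JSMITH, MYLIB/ORDERS and MYLIB/RUNRPT are assumed names. */

/* 1. The symptom-level control: limit what JSMITH can type on a         */
/*    command line. This only affects the command line, nothing else.     */
CHGUSRPRF USRPRF(JSMITH) LMTCPB(*YES)

/* DSPCMD shows the command's "Allow limited user" attribute. DLTF ships  */
/* as ALWLMTUSR(*NO), so a limited user cannot type it on a command line. */
DSPCMD CMD(QSYS/DLTF)

/* A home-grown or vendor command is also *NO by default. Open it to      */
/* limited users only after checking what it does; this is what has to   */
/* be reviewed for every command on the system if you rely on LMTCPB.    */
CHGCMD CMD(MYLIB/RUNRPT) ALWLMTUSR(*YES)

/* 2. The real control: object authority, which every interface checks   */
/*    (command line, FTP, ODBC, the IFS/NetServer share seen from Windows */
/*    Explorer, APIs). *CHANGE gives *OBJOPR plus the data authorities   */
/*    but NOT *OBJEXIST, so JSMITH can read and update ORDERS but no path  */
/*    to delete it succeeds; DLTF and a Windows delete both fail with an  */
/*    authority error.                                                    */
GRTOBJAUT OBJ(MYLIB/ORDERS) OBJTYPE(*FILE) USER(JSMITH) AUT(*CHANGE)

/* The user's effective authority also comes from *PUBLIC and group       */
/* profiles, so restricting JSMITH alone is not enough if *PUBLIC still  */
/* holds *ALL on the file. Lock *PUBLIC down as well.                      */
GRTOBJAUT OBJ(MYLIB/ORDERS) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* Verify the result: JSMITH should show *CHANGE with no *OBJEXIST, and   */
/* *PUBLIC should show *EXCLUDE.                                           */
DSPOBJAUT OBJ(MYLIB/ORDERS) OBJTYPE(*FILE)
```

The first block is the "patch" Tom describes; the second is the fix. Note that GRTOBJAUT with AUT(*CHANGE) replaces any previously granted specific authorities for that user on that object, so check DSPOBJAUT afterwards rather than assuming the earlier authority list survived.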