On Thu, 13 May 2010 10:31:39 -0500 Mark Zelden <mzel...@flash.net> wrote:
:>On Thu, 13 May 2010 09:36:23 -0500, Patrick Lyon <ptl...@midamerican.com> wrote:

:>>On Wed, 14 Apr 2010 09:46:01 -0500, Walt Farrell <wfarr...@us.ibm.com>
:>>wrote:

:>>>What is important is that you understand that you are at risk if you do not
:>>>carefully control who can run those SMP/E functions, and that your users who
:>>>can run those functions must be very trusted users. And that's why we have
:>>>the new APAR IO12263.

:>>I might point out for those who have not applied this enhancement, that the
:>>examples within APAR IO12263 are not complete. Below is what they indicate
:>>are protected in the APAR:

:>><quote>
:>>These functions, and the corresponding SAF FACILITY class
:>>resources that SMP/E checks, are as follows:
:>>  Function:           Resource name:
:>>  RECEIVE command     GIM.CMD.RECEIVE
:>>  APPLY command       GIM.CMD.APPLY
:>>  ACCEPT command      GIM.CMD.ACCEPT
:>>  RESTORE command     GIM.CMD.RESTORE
:>>  REJECT command      GIM.CMD.REJECT
:>>  LINK command        GIM.CMD.LINK
:>>  CLEANUP command     GIM.CMD.CLEANUP
:>>  Program GIMZIP      GIM.PGM.GIMZIP
:>>  Program GIMUNZIP    GIM.PGM.GIMUNZIP
:>>  Program GIMIAP      GIM.PGM.GIMIAP
:>></quote>

:>>SET and REPORT also need command profiles, even though they were
:>>indicated earlier in the APAR. I am sure there are others that I have not
:>>found yet. From earlier in the APAR:

:>><quote>
:>>The functions being controlled are all the SMP/E commands processed by
:>>program GIMSMP (for example, SET, RECEIVE, APPLY, ACCEPT,
:>>UCLIN, LIST, REPORT, etc.), the GIMZIP and GIMUNZIP
:>>service routines, and the GIMIAP copy utility invocation
:>>program.
:>></quote>

:>>Just a heads up for those planning on applying this enhancement that more
:>>will be needed.
:>
:>Not if you define only 1 profile as GIM.*. I suspect that will suffice for
:>at least 95% of the shops out there. We've already discussed the
:>unlikelihood of shops desiring to do something more granular like
:>giving a certain set of users RECEIVE only (even though it could be done).

I would be surprised if anyone makes the effort for it to be granular until IBM
'fesses up on the exposure.

--
Binyamin Dissen <bdis...@dissensoftware.com>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.
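
The coverage gap discussed in this thread, as an added example that is not part of any message above and is not IBM or SMP/E code: it checks which SMP/E resources are left without a FACILITY class profile when only the ten names from the APAR excerpt are defined, and compares that with the single GIM.* profile. Assumptions: the resource names for SET, UCLIN, LIST and REPORT follow the GIM.CMD.<command> pattern, and generic matching is simplified to "a profile ending in .* covers any resource with one or more qualifiers after that prefix".

```python
# Added example, not from the APAR or SMP/E: checks which SMP/E resources a
# set of FACILITY class profiles covers. Matching is a simplified assumption:
# a discrete profile matches its exact name, and a profile ending in ".*"
# matches any resource that has one or more qualifiers after that prefix.

# Profiles listed in the APAR excerpt quoted in the thread.
APAR_LISTED = [
    "GIM.CMD.RECEIVE", "GIM.CMD.APPLY", "GIM.CMD.ACCEPT", "GIM.CMD.RESTORE",
    "GIM.CMD.REJECT", "GIM.CMD.LINK", "GIM.CMD.CLEANUP",
    "GIM.PGM.GIMZIP", "GIM.PGM.GIMUNZIP", "GIM.PGM.GIMIAP",
]

# Commands the APAR text names as controlled; resource names for SET, UCLIN,
# LIST and REPORT are assumed here to follow the GIM.CMD.<command> pattern.
NAMED_COMMANDS = ["SET", "RECEIVE", "APPLY", "ACCEPT", "UCLIN", "LIST", "REPORT"]
CHECKED = sorted(set(APAR_LISTED) | {"GIM.CMD." + c for c in NAMED_COMMANDS})


def matches(profile, resource):
    """True if the profile covers the resource under the simplified rules."""
    if profile.endswith(".*"):
        prefix = profile[:-1]  # keep the trailing dot, drop the asterisk
        return resource.startswith(prefix) and len(resource) > len(prefix)
    return profile == resource


def covering_profile(resource, profiles):
    """Return the most specific matching profile, or None if none matches."""
    hits = [p for p in profiles if matches(p, resource)]
    # Discrete profiles win over generic ones; then longer names win.
    hits.sort(key=lambda p: (not p.endswith(".*"), len(p)), reverse=True)
    return hits[0] if hits else None


def uncovered(resources, profiles):
    """List the resources that no profile in the set covers."""
    return [r for r in resources if covering_profile(r, profiles) is None]


if __name__ == "__main__":
    print("APAR list only :", uncovered(CHECKED, APAR_LISTED))
    print("GIM.* only     :", uncovered(CHECKED, ["GIM.*"]))
```

Running the same check against an export of the profiles actually defined on a system shows which commands still need a profile before the enhancement is applied.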