HP3000-L Archives

October 2000, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Tracy Pierce <[log in to unmask]>
Date: Tue, 10 Oct 2000 11:44:42 -0700

Since your users are streaming jobs themselves "from a menu", why not just
replace the hard-coded username "PRINTER" with !HPUSER, as in

!job myreport,!hpuser.!hpaccount;blah blah

after which they'll own their own spoofles anyway, so you can simply remove
OP from them.


> -----Original Message-----
> From: Emerson, Tom # El Monte [mailto:[log in to unmask]]
> Sent: Tuesday, October 10, 2000 11:16 AM
> To: [log in to unmask]
> Subject: Re: Security Issue
>
>
> I think you just missed the thread, but I believe this is the purpose of the
> "associate" command (well, at least to control the spoolfile device, don't
> remember offhand if this allows "previewing" the file)
>
> a <plug>ed solution would be MPEX combined with Security/3000 -- see the
> discussion on "withcaps" in their manuals for the full details, but the gist
> of it is that you can create a "secure" command file that executes commands
> in excess of the user's normal capabilities.  Presumably, the command file
> checks "other criteria" before executing the command -- in your case it
> would be to check that the spoolfile being printed/viewed is "proper" for
> the user </plug>
>
> [oh, and "plug" or not, VEsoft's manuals & white papers point out the true
> danger of "OP" capability -- the ability to retrieve ANY hardcoded password
> in a jobstream, for example...]
>
> > -----Original Message-----
> > From: Larry Barnes [mailto:[log in to unmask]]
> > Sent: Tuesday, October 10, 2000 10:10 AM
> > To: [log in to unmask]
> > Subject: [HP3000-L] Security Issue
> >
> >
> > In the past, before my time, we have created users who are given the
> > "OP" capability so they can view spoolfiles.  These users logon as
> > themselves and certain reports they request (thru menus) logon as a job
> > with a default user called "printer".  The "OP" cap gives them the
> > ability to see when their spoolfiles are ready, and to either print them
> > or copy them to a disc file for exporting into a spreadsheet.
> > The problem is when you give a user "OP" they can view all spoolfiles in
> > all accounts, plus do other damage.
> > My question is, is there a capability on the system that will allow a
> > user to view all spoolfiles in their logon account without giving them
> > "OP" or "AM" capability?
> >
> > --
> > Larry Barnes
> > Director of I.T.
> > Mitek Corp.
> > 602-438-4545 x1366
> > Phoenix, AZ 85040
> >
> > Check Us Out !
> > http://www.mitekcorp.com
> >
>
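
An added example (not part of the thread or any poster's code): a small Python audit that scans job stream text for the two things raised above, a hard-coded logon such as PRINTER on the !JOB card, and passwords embedded in that card, which the thread notes OP capability can retrieve. The sample streams, their passwords and the function names are constructed, and the parser assumes the `!JOB [jobname,]user[/pass].account[/pass][,group[/pass]]` layout.

```python
import re

# Matches a job card line; the rest of the line is the logon and parameters.
JOB_CARD = re.compile(r"^\s*!JOB\s+(.*)$", re.IGNORECASE)

# Constructed sample streams (names and passwords are made up for this example).
SAMPLE_STREAMS = {
    "RPT1": "!JOB MYREPORT,PRINTER/SECRET.ACCTG/PASS2;OUTCLASS=LP,1\n!RUN REPORT1.PUB\n!EOJ\n",
    "RPT2": "!job myreport,!hpuser.!hpaccount;outclass=lp,1\n!run report1.pub\n!eoj\n",
    "RPT3": "!JOB NIGHTLY,PRINTER.ACCTG,PUB/GRPPW\n!EOJ\n",
}

def parse_job_card(line):
    """Return the user, account and group fields of a !JOB line, or None."""
    m = JOB_CARD.match(line)
    if not m:
        return None
    logon = m.group(1).split(";", 1)[0]          # drop ;PARM=... options
    fields = [f.strip() for f in logon.split(",")]
    if "." not in fields[0] and len(fields) > 1:
        fields = fields[1:]                      # first field was the job name
    user, _, account = fields[0].partition(".")
    group = fields[1] if len(fields) > 1 else ""
    return {"user": user, "account": account, "group": group}

def audit_stream(text):
    """List (line number, finding, detail) tuples for one stream file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        card = parse_job_card(line)
        if card is None:
            continue
        for part, value in card.items():
            if "/" in value:
                # Report which field carries a password, never the password itself.
                findings.append((lineno, "embedded-password", part))
        user = card["user"].split("/")[0]
        if user and not user.startswith("!"):
            # A literal user name: the job does not run as the submitting user.
            findings.append((lineno, "hardcoded-user", user.upper()))
    return findings

if __name__ == "__main__":
    for name, text in SAMPLE_STREAMS.items():
        print(name, audit_stream(text) or "clean")
```

A literal user name is normal for many batch jobs, so treat `hardcoded-user` as a review prompt rather than a defect; `embedded-password` is the finding to clear first.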
