
A Change in Fundamentals


 

Since the first version of the CPF operating system was shipped with the System/38, system administrators have grappled with the problems inherent in customizing the IBM-supplied CL command set. One source of irritation was that installing a new OS/400 release obliterated any changes made directly to the IBM-supplied commands in the QSYS library. So for each new OS release, the system administrator would have to reapply all of the command changes.

Over time, system administrators figured out they could copy the CL commands to their own library. Strategically placing their own library, perhaps named ALTQSYS, ahead of QSYS in the system portion of the library list allowed administrators to effectively override the IBM-supplied version. So when a new OS release was installed, it would replace the IBM-supplied version of the command in the QSYS library, but leave the customized version in ALTQSYS intact.

Because CL commands don't often undergo fundamental changes that impact most administrators, the ALTQSYS copy of a command created at a previous OS release normally functioned correctly. However, there were certainly exceptions in which the ALTQSYS version of the commands would fail once a new OS release was installed. While an imperfect solution, it was normally manageable.

If you examine the system portion of the library list on your AS/400 or iSeries server using the command DSPSYSVAL QSYSLIBL, you may see an ALTQSYS library ahead of QSYS. Many times, you also will see the name of a vendor-supplied library. Some software vendors make a habit of placing their library on your system library list ahead of QSYS in order to override the processing of the IBM-supplied command set. This is particularly true in the case of software utility and tool vendors.

Most of us have accepted the fact that we need libraries above QSYS in our library list to support customized versions and vendor-supplied versions of CL commands and other objects. But there is an inherent danger in this scheme. Any library existing above QSYS on the system library list potentially can open the AS/400 or iSeries server to a severe security exposure: the Trojan Horse. If a user can create or change objects in a library above QSYS, or in QSYS for that matter, that user can also introduce a program or command that can do major damage.
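The exposure described above can be audited mechanically. The following is an added example, not code from the original article or from IBM: it takes a QSYSLIBL value and a per-library authority map and reports every profile that can add objects to a library searched at or before QSYS. The sample library list, the profile names `APPDEV` and `VENDORLIB`, and the `TRUSTED` allow-list are constructed assumptions, and only library-level authority is modeled, not authority to individual objects.

```python
# Added example: all inputs below are constructed, not taken from a real system.

# Authority values mapped to whether they include the *ADD data authority,
# which is what lets a profile place new objects in a library.
GRANTS_ADD = {"*ALL": True, "*CHANGE": True, "*USE": False, "*EXCLUDE": False}

# Hypothetical allow-list of profiles trusted to maintain system libraries.
TRUSTED = {"QSYS", "QSECOFR"}


def parse_qsyslibl(value):
    """Split a blank-separated QSYSLIBL value into an ordered list of names."""
    return [name.upper() for name in value.split()]


def exposed_libraries(qsyslibl, authorities, trusted=TRUSTED):
    """Return (library, profile, authority) for each risky grant.

    A grant is risky when the library is searched at or before QSYS and a
    profile outside `trusted` holds an authority that includes *ADD.
    """
    libs = parse_qsyslibl(qsyslibl)
    if "QSYS" not in libs:
        raise ValueError("QSYS missing from system library list")
    # Everything up to and including QSYS can shadow or replace IBM commands.
    in_scope = libs[: libs.index("QSYS") + 1]
    findings = []
    for lib in in_scope:
        if lib not in authorities:
            findings.append((lib, None, "UNKNOWN"))  # no data: review manually
            continue
        for profile, aut in authorities[lib].items():
            if profile in trusted:
                continue
            # Unrecognised authority values are flagged rather than assumed safe.
            if GRANTS_ADD.get(aut, True):
                findings.append((lib, profile, aut))
    return findings


# Constructed sample: ALTQSYS and a vendor library placed ahead of QSYS.
SAMPLE_QSYSLIBL = "ALTQSYS VENDORLIB QSYS QSYS2 QHLPSYS QUSRSYS"
SAMPLE_AUTHORITIES = {
    "ALTQSYS": {"QSECOFR": "*ALL", "*PUBLIC": "*CHANGE"},
    "VENDORLIB": {"QSECOFR": "*ALL", "*PUBLIC": "*USE", "APPDEV": "*ALL"},
    "QSYS": {"QSYS": "*ALL", "*PUBLIC": "*USE"},
}
```

On the constructed sample, the findings are `*PUBLIC` with `*CHANGE` on ALTQSYS and `APPDEV` with `*ALL` on VENDORLIB; libraries after QSYS are out of scope because they cannot shadow the IBM-supplied commands.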

In an attempt to eliminate the need for libraries above QSYS, IBM enabled a facility in V4R5 that may make it possible to remove the libraries above QSYS from the system portion of the library list. I say "may" because the support provided in V4R5 deals specifically with CL command customization but does not account for other customized objects that may need to appear before QSYS.

 

 

This new capability to control commands at run-time opens up realms of possibilities in application development and system administration.

Dan Riehl is the founder and technical advisor of The Power Tech Group. He can be reached at dan.riehl@powertech.com.

