CHKJOBDUSR -- Check Job Description User Profile

CHKJOBDUSR CHECK JOBD FOR USER PARM WITH A NAME TAAJBDA
The CHKJOBDUSR command allows you to find the job descriptions which are specified with the USER parameter containing a user profile name as opposed to RQD. These job descriptions can be used to breach security unless they are properly authorized. On a system with the QSECURITY level set to 40, the system will automatically check when the JOBD is used (e.g. SBMJOB) that the user is authorized to use the profile name. However, certain functions like auto start jobs require that the name exist in the JOBD and are not checked when execution occurs. At level 30 or below, the system does not check the SBMJOB user to see if the user submitting the job is authorized to the name in a JOBD. A spooled output file is produced with the same name as the library to be checked. If all libraries are requested, the output occurs to QPRINT. For each JOBD with a name (not RQD), the name in the JOBD is printed along with the current authorizations to the object. If you are interested in tight security, you will periodically want to check the entire system for the job descriptions which have a USER value other than RQD. The CHKJOBDUSR command will provide the listing, but it is up to you to examine the authorizations to each job description on the list. If such a job description has public authority, any user on the system may submit a batch job specifying the job description and operate as the user profile in the job description. This can occur by specifying: SBMJOB USER(JOBD) or by specifying the JOBD in a job stream and submitting the stream with a SBM or STR command Command parameters CMD ------------------ LIB The library name in which to check the job descriptions. If ALL is specified, you must be authorized to all the libraries or have all object authority. Prerequisites ------------- The following TAA Tools must be on your system: DSPADP Display adopt (DSPOBJDA command) RTVJOBD Retrieve job description RTVSYSVAL3 Retrieve system value 3 SNDCOMPMSG Send completion message SNDESCMSG Send escape message SNDSTSMSG Send status message Restrictions ------------ None. Implementation -------------- None, the tool is ready to use. Objects used by the tool ------------------------ Object Type Attribute Src member Src file ------ ----- --------- ---------- ----------- CHKJOBDUSR CMD TAAJBDA QATTCMD TAAJBDAC PGM CLP TAAJBDAC QATTCL TAAJBDAR *PGM RPG TAAJBDAR QATTRPG

CHKJOBDUSR          CHECK JOBD FOR USER PARM WITH A NAME   TAAJBDA


The CHKJOBDUSR command  allows you to  find the job  descriptions which
are specified  with the USER  parameter containing a  user profile name
as  opposed to  *RQD.   These job  descriptions can  be used  to breach
security unless they are properly authorized.

On a  system  with the  QSECURITY  level set  to  40, the  system  will
automatically  check when  the JOBD  is used  (e.g.   SBMJOB)  that the
user  is  authorized  to  use  the  profile  name.    However,  certain
functions like  auto start  jobs require  that the  name  exist in  the
JOBD  and are  not  checked when  execution  occurs.   At  level 30  or
below,  the system does not  check the SBMJOB  user to see  if the user
submitting the job is authorized to the name in a JOBD.

A spooled output  file is produced  with the same name  as the  library
to be checked.   If all libraries  are requested, the output  occurs to
QPRINT.

For each JOBD  with a name (not *RQD), the name  in the JOBD is printed
along with the current authorizations to the object.

If  you are  interested in tight  security, you  will periodically want
to check the entire system  for the job descriptions which have  a USER
value  other  than *RQD.    The  CHKJOBDUSR  command will  provide  the
listing,  but it  is up to  you to  examine the  authorizations to each
job description on  the list.   If  such a job  description has  public
authority, any  user on the  system may submit  a batch  job specifying
the  job  description  and  operate as  the  user  profile  in the  job
description.

This can occur by specifying:

        SBMJOB    USER(*JOBD)

or by specifying  the JOBD in  a job stream  and submitting the  stream
with a SBM or STR command

Command parameters                                    *CMD
------------------

   LIB           The  library   name  in   which  to   check  the   job
                 descriptions.    If *ALL  is  specified,  you must  be
                 authorized  to all  the libraries  or have  all object
                 authority.

Prerequisites
-------------

The following TAA Tools must be on your system:

      DSPADP        Display adopt (DSPOBJDA command)
      RTVJOBD       Retrieve job description
      RTVSYSVAL3    Retrieve system value 3
      SNDCOMPMSG    Send completion message
      SNDESCMSG     Send escape message
      SNDSTSMSG     Send status message

Restrictions
------------

None.

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type       Attribute      Src member     Src file
   ------        -----      ---------      ----------     -----------

   CHKJOBDUSR    *CMD                      TAAJBDA        QATTCMD
   TAAJBDAC      *PGM          CLP         TAAJBDAC       QATTCL
   TAAJBDAR      *PGM          RPG         TAAJBDAR       QATTRPG

Added to TAA Productivity tools April 1, 1995

Home Page

Up to Top