When discussing the concept of “least privilege access”—that is, giving users only the authorities necessary to do their jobs—it’s obvious that only trusted users should be granted *ALLOBJ special authority. It’s also obvious that *SECADM, which allows users to create user profiles and modify them when they have *USE authority to the profile, should be given only to the people who need to maintain user profiles. Since *SPLCTL is the *ALLOBJ of spooled files, obviously you only grant that special authority to users who are allowed to see all spooled files on the system.
But who should be assigned the rest of the special authorities, and what vulnerabilities might you be causing when assigning these special authorities? Let’s take a look.
*AUDIT Special Authority
Users assigned *AUDIT special authority allows them to change the auditing system values and enable or disable auditing on individuals and objects. Profiles assigned *AUDIT special authority can also run most of the options when using the integrated security tools, accessed by typing GO SECTOOLS. *AUDIT should be assigned only to those people performing the security administrator role.
*JOBCTL Special Authority
*JOBCTL allows users to manage (hold, release, end, modify) not just their own jobs but any job on the system. Clearly this is a special authority that’s required for operators and system administrators. But after *SPLCTL, *JOBCTL is probably the most over-assigned special authority, and most people don’t pay much attention to it. So why should you care?
First, many auditors don’t like the idea that any user can manipulate other users’ jobs. You likely assert that this isn’t an issue by showing that most of your users have limited capabilities so they can’t enter commands from a command line. And while that’s true for most users, it’s usually not true for programmers, and they’d be the ones to know what batch jobs to stop or hold to disrupt processing.
Second, when creating outqs, the default configuration allows users with *JOBCTL to display, copy, and send spooled files created by other users. You can configure the outq to ignore the user’s *JOBCTL, but that’s not the default setting. Finally, while a user can change most attributes of their own jobs, a handful of attributes require that the user have *JOBCTL—even when changing their own jobs. These are RUNPTY, TIMESLICE, PURGE, DFTWAIT, and TSEPOOL. That’s why, I believe, many vendors ship the profile that owns their applications with *JOBCTL and have programs that adopt the owner’s authority.
Bottom line: You’ll want to pay more attention to users who have *JOBCTL.
*IOSYSCFG Special Authority
*IOSYSCFG allows users to create and change objects used for communications, modify TCP/IP settings, and something I just became aware of this past year: create file shares.
Our team discovered this when we were doing a penetration-testing engagement. We discovered a profile with a default password, and it had *IOSYSCFG special authority. With that authority, we were able to create a read/write file share to root (/).
While modifying your communication settings could be highly disruptive to your organization, having a read/write share to root leaves your entire IBM i system vulnerable to malware if a user mapped to the share happens to click on the wrong link or download an infected attachment. *IOSYSCFG special authority should be assigned to system administrators and perhaps operators in smaller organizations.
Users assigned this special authority should be taught about the dangers of defining a share to root so they don’t open up the system to this risk simply for the sake of their own convenience.
*SAVSYS Special Authority
*SAVSYS special authority allows the person to save or restore any object on the system. This special authority is to be granted to those users in the operator and system administrator roles.
*SAVSYS is not appropriate for developers, although I often see it assigned to that role. I’m guessing that’s because, back in the early days of AS/400 (yes, that long ago), *SAVSYS was assigned when creating a user into the *PGMR user class. That’s no longer the case and hasn’t been for quite some time. But between that and the fact that QPGMR continues to have *SAVSYS, programmers continue to be assigned *SAVSYS. What’s the big deal with programmers having this authority?
First, many think that one needs *SAVSYS to save anything. That’s not the case. If you have *OBJEXIST authority, you can save an object. Granting users *SAVSYS allows them to save any object—even if they have no authority to it. Do you really want your developers to be able to save any object? Typically not.
Second, *SAVSYS is especially dangerous when assigned to developers on the development system. You do not want to provide them with the ability to save a program object from their own development library and restore it into the production-level library, bypassing the change management process.
*SERVICE Special Authority
Since the Start System Service Tools (STRSST) command began requiring sign on by a separate service tool ID, assigning *SERVICE special authority isn’t as dangerous as it once was. It’s still plenty powerful, however, allowing the users to run traces, work with disk units, and, if the user has *USE to a program, debug it. *SERVICE special authority should be assigned to the system administrator role.
Discovering the Details
To discover—or at least get a feel for—the types of tasks each special authority enables, scan through Appendix D in the IBM i Security Reference manual. (Be sure to use the manual that corresponds to the operating system version you’re running as requirements occasionally change from release to release.) Search through Appendix D for each of the special authorities, and you’ll find footnotes indicating when the special authority is required for running a particular command.