Security and Systems Management Newsletter for the IBM i                 November 12, 2014 - Vol 4, Issue 19
Security Training from Skyview
Security software from Powertech

Skyview Partners

Software from Cilasoft

Training from The 400 School

Create User Profile - Forcing Policy on IBM i.

By Dan Riehl

When creating User Profiles on the IBM i, whether through a Control Language command like Create User Profile (CRTUSRPRF) or through the IBM i Navigator for Windows interface, you have the option to include your own customized processing when the profile is created. Through this customised processing, you can help enforce your security policy regarding the creation of User Profiles.

In the October 22, 2014 issue of the SecureMyi Security Newsletter, I presented an article on how a simple flaw in the creation of a User Profile could render the profile as vulnerable to being "hyjacked". The article presented here will provide you with a tool that will allow you to enforce strict policy on the creation of User Profiles so that newly created profiles will not be subject to that User Profile simple flaw.

IBM has established and documented an "Exit Point" for the Create User Profile operation. An exit point is a place in the process in which you can include your own custom logic (i.e. an exit program) to perform additional tasks. In this article we will examine adding your own logic to the Create User Profile process.

There are two operations that must be performed when implementing any exit program. The first is to create the exit program, the second is to register your exit program with the operating system, which "turns ON" your custom logic. We'll discuss how to perform both of these steps.

The Exit Program

The exit program can be written in just about any language: CLP, CLLE, CLE, RPG, RPGLE, CBL, etc. It can be an ILE(Integrated Language Environment) program or an OPM(Original Program Model) program.

In this sensitive task of adding logic to the Create User Profile operation, you'll want to make sure that the exit program is secured against potential abuse. Only give *USE authority to those users that create your user profiles, *PUBLIC authority should be set to *EXCLUDE.

The exit program runs within the same job as the Create User Profile function. So the current user of the job that is creating a new user profile will also be the user running the exit program. and so must have authority to the program.

When Using Adopted Authority to Create User Profiles

Some organizations do not assign powerful special authorities to the users that create and maintain User Profiles. Instead, they use an adopted authority scheme which allows the users to temporarily assume the authority of a more powerful user through an operating system feature called Program Adoption of Authority.

One important technical issue about your Create User Profile exit program is that if the job that is creating the new user profile is running under adopted authority, that adopted authority is NOT passed to the exit program.

So, if your Create User Profile exit program is going to perform sensitive operations,(e.g., change the new user's password, change the owner of the profile, registering the user in the distribution directory), the exit program itself must adopt the authority of a powerful "Security Officer" type user profile. To accomplish this, change the owner (CHGOBJOWN) of the exit program to QSECOFR(or other powerful user) and specify the USRPRF(*OWNER) parameter on the CRT**PGM command that is used to create the exit program. These actions will cause your exit program to temporarily adopt the authority of the powerful user profile, supplying the ability to perform actions that would otherwise be restricted.

(Note: If your users that create user profiles have powerful "Security Officer" type user profiles, you do not to be concerned about the adopted authority issues presented here. This is only for cases in which adopted authority is being used to provide access to the Create User Profile function.)

What Will You Do in Your Exit Program?

The Create User Profile exit program is called whenever anyone creates a new User Profile. The exit program receives one lump of data, as a parameter, which contains a few different pieces of information, including the name of the user profile that has just been created (the most important part).

If the user that is creating the users profile is a powerful user, or if the exit program adopts the authority of QSECOFR, or a similar powerful user profile, there are really no limits on the actions that can be performed in the exit program. It is only limited by what the current user or the adopted user is allowed to do.

Here are some examples of some useful functions that can be performed in the Create User Profile exit program:

  • Change the owner of the newly created user profile to QSECOFR
  • Set the *PUBLIC Authority to the new profile to *EXCLUDE
  • Add the user to the System Distribution Directory (WRKDIRE, ADDDIRE))
  • Send the information about the new user profile to another system
  • Set the new password and password expiration interval to a mandated initial value and set the status and other profile attributes. (You can set any user profile attribute in the exit program.)
  • Create a current library and home directory for the new user
  • Add the user to your own Business Application Menu system
  • Send a message to a message queue, or send an email alert if you are configured for e-mail
  • Etc - Implement your Security Policy!

Example Exit Program: Change User Profile Owner

Over the years I have advocated that all user profiles that we create should be owned by QSECOFR, Should be set to *PUBLIC AUT(*EXLUDE) and that NO User should have private authorities to other users' User profiles.

Again, I point you to the October 22, 2014 issue of the SecureMyi Security Newsletter, that explains the vulnerabilities when your user profiles are not secured correctly and not owned in accordance to best security practices for IBM i.

Presented here is a simple Control Language program that can be used as an exit program that will enforce the policy that all newly created user profiles will be owned by QSECOFR.

The exit program receives an input parameter and from that input value extracts the name of the newly created user profile. It then sets the ownership of that new user profile to QSECOFR, and revokes the current owner's authority. If the program is being run by QSECOFR, it does not change the ownership.

Error handling code makes up the bulk of the exit program code. But as a safety mechanism, IBM has implemented their own safety features, so that if an error occurs in your exit program, it does not affect the original user profile creation. The only thing affected is that the desired end result of your exit program may not be realized.

The Exit Program: All New Profiles are Owned by QSECOFR

/*  Program name..... CRTPRFEXIT                                 */

/*  You may freely use this code as long as the Copyright        */
/*  and Authorship information is retained in this source member */

/*  No warranty of any kind is expressed or implied.             */  
/*  Copyright 2011-2014 - IT Security and Compliance Group       */
/*  Author….. Dan Riehl                       */ 

/* If the program will be used by a user that does not have      */
/* *SECADM and *ALLOBJ special authority, this                   */ 
/*  Exit program must Adopt QSECOFR  USRPRF(*Owner)              */
/*  AUT(*EXCLUDE), AUT(*USE) for GROUP that Creates Profiles     */
/*    This program will set the owner of newly created           */
/*    User profiles to QSECOFR.                                  */
/*  The IBM Registered Exit point is QIBM_QSY_CRT_PROFILE        */
/* CL Command to add the exit program to the exit point          */
/*             FORMAT(CRTP0100) PGMNBR(*HIGH) +                  */
/*             PGM(Library-name/CRTPRFEXIT) TEXT('Change the +   */
/*                 owner of new profiles to QSECOFR')            */
             PGM        PARM(&Exit_Info)                           
             DCLPRCOPT  USRPRF(*OWNER) AUT(*EXCLUDE)            
             DCL   &Exit_info *CHAR 38                          
             DCL   &user     *CHAR 10                           
             DCL   &curuser  *CHAR 10                           
        /* Message handling variables  */                       
             DCL   &msgid   *CHAR 7                             
             DCL   &msgf    *CHAR 10                            
             DCL   &msgflib *CHAR 10                            
             DCL   &msgdta  *CHAR 100                           
             MONMSG  MSGID(CPF0000) EXEC(GOTO ERROR)            
             RTVJOBA    CURUSER(&CURUSER)                       
             IF         COND(&CURUSER = 'QSECOFR') THEN(GOTO +  
             CHGVAR     VAR(&USER) VALUE(%SST(&EXIT_INFO 29 10))      
 Endit:      RETURN     /* Normal end of program */                   
 ERROR:      RCVMSG     MSGTYPE(*LAST) MSGDTA(&msgdta) MSGID(&msgid) +
                          MSGF(&msgf) SNDMSGFLIB(&msgflib)            
             MONMSG CPF0000 /* Just in case  */                                                    
             SNDPGMMSG  MSGID(&msgid) MSGF(&msgflib/&msgf) +          
                          MSGDTA(&msgdta) MSGTYPE(*ESCAPE)            
             MONMSG CPF0000 /* Just in case  */                       

About the Code

The DCLPRCOPT CL command is relatively new. Detail on its use can be found here at the IBM InfoCenter.

DCLPRCOPT allows you to specify, among other things, compiler options that will override the options entered on the CRTCLPGM or CRTBNDCL. In this example, I force the program options of USRPRF(*OWNER) and AUT(*EXCLUDE) to make the program adopt authority and to set *PUBLIC authority to *EXCLUDE.

Registering the Exit Program

In order to make your exit program active, you add the program to the exit point registry using the command Work with Registration Information (WRKREGINF), or you can use the Add Exit Program (ADDEXITPGM) command, as shown here:

            FORMAT(CRTP0100) PGMNBR(*HIGH) +                  
            PGM(Library-name/CRTPRFEXIT) TEXT('Change the +   
                owner of new profiles to QSECOFR')            

What's Next?

You can very easily implement this simple exit program. Possibly you may only want the exit program to send you a message when a new User Profile is created. You can perhaps try that first to get comfortable with the exit program concept. You may then continue to add levels of complexity and usefulness to your exit program.

As with all new code, test it thoroughly before implementing it in production.

While it's quite easy to just copy and paste the code, you can download a text file containing the source code here.

Additional Related References

About the Author

Dan Riehl is the Editor of the SecureMyi Security Newsletter and a Security Specialist for
the IT Security and Compliance Group

Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.

Dan Riehl on LinkedIn

Training from

© Copyright 2014 - IT Security and Compliance Group