SecureMyi.com Security and Systems Management Newsletter for the IBM i March 12, 2014 - Vol 4, Issue 4
Using Adopted Authority for Password Resets
By Dan Riehl
Sometimes IBM i Special Authorities are required by users that are not system administrators or security officers. For example, when users forget their passwords or disable their profiles through excessive failed attempts to log in, the helpdesk personnel or operations staff need the ability to reset the password and re-enable the user profile. The Special Authority required to perform these functions is called Security Administrator (*SECADM) Special Authority. In practice, All Object (*ALLOBJ) Special Authority is also needed to be able to perform these sensitive password resets. *ALLOBJ Special Authority is needed to ensure that the Help Desk or Operations Staff have enough authority to the User Profiles that they need to reset. Normally, User Profiles are created with a *PUBLIC authority of *Exclude, allowing changes only by very powerful system administrators which have *ALLOBJ and *SECADM special authority.
The simple solution is to just give all these Help Desk and Operations users *SECADM and *ALLOBJ special authority, however, *SECADM and *ALLOBJ special authority also lets users create and change other attributes of user profiles, and *ALLOBJ provides unrestricted access to all files, libraries, programs, etc. You do not want to give these users carte blanche to create and change user profiles at will, and you really do NOT want to give them full access to all *SECADM and *ALLOBJ special authority full time. You want to give them only the ability to reset passwords and status for selected user profiles. After all, you don't want to give the Help Desk and Operations staff the ability to reset the passwords for QSECOFR and other powerful profiles. You also do not want them to have the *ALLOBJ authority, to be able to change payroll amounts or view/change other sensitive data. This article discusses a very good method to allow a user to 'borrow' the *SECADM and *ALLOBJ authority required to reset a user profile, but then return that borrowed authority as soon as that distinct task is completed. This method prevents the use of the borrowed authority to do tasks that are beyond the user's scope or responsibility.
Borrowing Special Authority
One of the best methods to provide temporary use of the *SECADM and *ALLOBJ special authority is to use the IBM i facility called Program Adoption of Authority(PAA). Adoption of authority provides for temporary use of an elevated level of authority to perform functions that the user is not normally authorized to do. Here we deal with adopting the *SECADM and *ALLOBJ special authority to allow a user to reset a user profile status and password.
The Big Picture
The adopted authority technique can be used to adopt any special authority, with an ultimate view of removing, as much as possible, the assignment of any User Special Authorities.
The RESETUSER Command
The purpose of the RESETUSER command is to give a help desk or operations user the temporary authority to reset the password and/or status of a user profile.
The command consists of two parts, the command definition and the CL program. In order to secure the command and program, and to configure the program adoption of authority correctly, there are instructions for creating the command and the program. These step by step instructions are found at the end of the article.
SafeGuards in RESETUSER
We need to ensure that this command is not improperly used to reset the IBM-supplied user profiles like QSECOFR and QSYSOPR. You also want to ensure that the command cannot be used to reset the passwords for users who have powerful special authorities, such as *ALLOBJ, *SERVICE, *SAVSYS, *AUDIT, *IOSYSCFG and *SECADM. If these could be reset, it would provide a way for the user of the command to set a password for the powerful profiles, sign on as that profile, and perform unauthorized activities.
Note: You may also want to prohibit the user of the command to reset the password for certain power users, like the Accounting Manager, or Programming Manager. To do this, simply insert your own rules into the CL program code at the appropriate spot.
Examining the Code
The RESETUSER command definition accepts four parameters:
Figure 1 The RESETUSER Command Definition
/* Reset User Profile Command Definition */ /* Command Processing program is RESETUSERC */ /* Dan Riehl – www.SecureMyi.com */ CMD PROMPT('Reset User') PARM KWD(USER) TYPE(*NAME) MIN(1) EXPR(*YES) + PROMPT('User Profile') PARM KWD(PASSWORD) TYPE(*CHAR) LEN(10) + DFT(*USRPRF) SPCVAL((*USRPRF) (*SAME)) + EXPR(*YES) DSPINPUT(*PROMPT) PROMPT('User + Password') PARM KWD(EXPIRED) TYPE(*CHAR) LEN(4) RSTD(*YES) + DFT(*YES) VALUES(*YES *NO) PROMPT('Set + Password Expired') PARM KWD(STATUS) TYPE(*CHAR) LEN(9) RSTD(*YES) + DFT(*ENABLED) VALUES(*ENABLED *DISABLED) + PROMPT('Set to Status')
Figure 2 The Command Processing Program
Every command must have a command processing program. The program used by the RESETUSER command is the CL program RESETUSERC.
/* Command Processing program for RESETUSER Command */ /* Dan Riehl – www.SecureMyi.com */ PGM (&User &Password &Expired &Enabled) DCL &User *CHAR 10 DCL &Password *CHAR 10 DCL &Expired *CHAR 4 DCL &Enabled *CHAR 9 DCL &SpcAut *CHAR 100 DCL &StrPos *Int DCL &CurUser *CHAR 10 DCL &Job *CHAR 10 DCL &JobNbr *CHAR 6 DCL &Audit *CHAR 200 DCL &CrtUser *CHAR 10 /* Parms for Error Handling */ DCL &MsgID *CHAR 7 DCL &MsgF *CHAR 10 DCL &MsgFLib *CHAR 10 DCL &MsgDta *CHAR 512 MONMSG CPF0000 EXEC(GOTO ERROR) /* Ensure that the profile being reset is not IBM Supplied */ RTVOBJD OBJ(&User) OBJTYPE(*USRPRF) CRTUSER(&CrtUser) IF (&CrtUser = '*IBM') + GOTO BREACH /* Ensure that the profile being reset does not start with 'Q' */ IF (%sst(&User 1 1) = 'Q') + GOTO BREACH /* Ensure that the profile being reset is not a powerful profile */ RTVUSRPRF USRPRF(&User) SPCAUT(&SpcAut) GRPPRF(&GroupPrf) /* Check User's Primary Group Profile for a Powerful Group */ /* Supplemental groups are not considered in this routine */ GROUP: IF (&GroupPrf = 'ADMINS' *OR &GroupPrf = 'SECOFRS') + GOTO BREACH /* Check for User Profile Powerful Special Authorities */ SPECAUT: DOFOR VAR(&StrPos) FROM(1) TO(100) BY(10) IF (%SST(&SpcAut &StrPos 10) = '*ALLOBJ' + *OR %SST(&SpcAut &StrPos 10) = '*SECADM' + *OR %SST(&SpcAut &StrPos 10) = '*SERVICE' + *OR %SST(&SpcAut &StrPos 10) = '*AUDIT' + *OR %SST(&SpcAut &StrPos 10) = '*IOSYSCFG' + *OR %SST(&SpcAut &StrPos 10) = '*SAVSYS') + GOTO BREACH ENDDO /* Reset the Profile */ IF (&Password = '*USRPRF') + ChgVar &Password &User CHGUSRPRF USRPRF(&User) PASSWORD(&Password) + PWDEXP(&Expired) STATUS(&Enabled) /* Get the Reset Message and re-send to the User */ RCVMSG MSGTYPE(*LAST) + MSGDTA(&MsgDta) + MSGID(&MsgID) + MSGF(&MsgF) + SNDMSGFLIB(&MsgFLib) SNDPGMMSG MSGID(&MsgID) + MSGF(&MsgFLib/&MsgF) + MSGDTA(&MsgDta) + MSGTYPE(*Comp) ENDOK: RETURN /* Normal End of Program */ BREACH: /* Tell everyone about this attempted breach */ RTVJOBA JOB(&Job) USER(&CurUser) NBR(&JobNbr) CHGVAR VAR(&Audit) VALUE(&JobNbr *TCAT '/' *CAT + &CurUser *TCAT '/' *CAT &Job *BCAT + 'attempted an unauthorized user profile + reset on user' *BCAT &User *TCAT '.') /* Tell the Operator about the breach */ SNDMSG MSG(&Audit) TOUSR(*SYSOPR) /* Write U9 Entry to the audit journal, if it exists */ SNDJRNE JRN(QAUDJRN) TYPE('U9') ENTDTA(&Audit) MONMSG CPF9801 /* Ignore if it does not exist */ SNDPGMMSG MSGID(CPF9898) + MSGF(QCPFMSG) + MSGDTA('Not authorized to reset the user + profile for' *BCAT &User) + MSGTYPE(*Escape) /* Exit this program */ /* Sending the *Escape message will end the program */ ERROR: RCVMSG MSGTYPE(*LAST) + MSGDTA(&MsgDta) + MSGID(&MsgID) + MSGF(&MsgF) + SNDMSGFLIB(&MsgFLib) MONMSG CPF0000 /* Just in case */ SNDPGMMSG MSGID(&MsgID) + MSGF(&MsgFLib/&MsgF) + MSGDTA(&MsgDta) + MSGTYPE(*Escape) MONMSG CPF0000 /* Just in case */ ENDPGM
The program accepts the four parameters from the command definition as shown in the PGM command. The four parameters and other required variables are declared using the DCL commands. The program level message monitor (MONMSG) follows. This MONMSG causes control to pass to the ERROR label if an unexpected error occurs.
The program then retrieves the user profile description to determine who created the user profile that you are changing. If the Created by User (CRTUSER) is *IBM, the profile was created and supplied by IBM, and therefore the program considers this a security breach, and passes control (GOTO) to the BREACH label.
Likewise, if the User Profile begins with the letter 'Q', it is assumed to be an IBM supplied profile, and again, it is handled as a breach. Next, the program retrieves the primary group profile and the special authorities that have been assigned to the user profile being changed. The special authorities are returned into the &SpcAut variable that is 100 characters long. These 100 characters are actually an array of ten 10-character fields, and each 10 characters can contain one of the special authorities. So, characters 1-10 can contain a special authority, characters 11-20 can contain another special authority, and so on through position 91-100. The DOFOR loop runs through the array in 10-character chunks looking for powerful special authorities. If any of the powerful special authorities are found, the program considers this a security breach and passes control to the BREACH label.
Note: For the purposes of this utility, *JOBCTL and *SPLCTL are considered not powerful. This is because most of the systems that I have seen give *JOBCTL and *SPLCTL to many end users, and we want the program to be useful, as is. So, even though *JOBCTL and *SPLCTL are VERY VERY powerful, this program will allow the help desk to reset a profile for a user that has one or both of these special authorities.
Note: There are times when Group Profiles are used in the assignment of Special Authorities. A Special Authority assigned to any of a user's groups, is inherited by the user. So, rather than run through the Special Authorities loop with all the user's groups(Up to 16 groups), the program simply checks to see if the User Profile to be changed are in one of the powerful groups, ADMIN and SECOFR. Replace these names with your Powerful Group Profile names.
If no powerful special authorities are found, the profile change is performed, and the message generated by the CHGUSRPRF command is received and re-sent to the user as a completion message. The program ends at the ENDOK label with the RETURN command.
The BREACH Code
If a breach is detected, control passes to the BREACH label. The first step at the breach label is to retrieve information about who caused the breach and to format a breach message &AUDIT. The message is sent to the System Operator, and then sent to the system security audit journal QAUDJRN, if it exists. The Journal Type is set to 'U9', but you can select another journal code if 'U9' is already in use.
An *ESCAPE message indicating that this current user is not authorized to reset the user profile is then sent to the user who attempted the breach. (Many folks don't know that when a CL program sends an *ESCAPE message, the program immediately ends. It will not execute any more statements. It's done.)>p>After the breach code, there is some standard error handling code that will execute in the event of an unexpected error.
Building the Command
First create the CL Program RESETUSERC from the source code provided. Make sure that you specify the compiler options as shown below. The USER parameter on the CRTCLPGM command specifies *OWNER, which accomplishes the program adoption of authority function. The AUT(*EXCLUDE) value is used to make sure that the command cannot be used by unauthorized users.
After you create the program, change the owner of the program to a user with both *ALLOBJ and *SECADM special authority. This allows the user of the command to adopt sufficient authority to change user profiles. The example shows QSECOFR as the new owner, which will work fine unless your security policy will not permit this, in which case choose a different user with *ALLOBJ and *SECADM special authority in their User Profile.
You then need to grant *USE authority (GRTOBJAUT) to the RESETUSERC program to only those users that you want to use the RESETUSER command.
Then create the command RESETUSER. If you want to limit where this command can be used (e.g., interactive use only), set the CRTCMD parameters accordingly. Make sure to specify AUT(*EXCLUDE) to protect the command from unauthorized use.
You then need to grant *USE authority (GRTOBJAUT) to the command itself to only those users you want to use the RESETUSER command.
Only a Start
While this is a very useful program, it is only a start. Review who has special authorities using the PRTUSRPRF(Print User Profile) command, and get rid of unneeded ones. After all, Sam in the accounting department probably does not really need *ALLOBJ and *SPLCTL special authority.
Instructions for the RESETUSER command
To see the breach audit journal entries in the QAUDJRN journal, use the command:
DSPJRN JRN(QAUDJRN) ENTTYP(U9)
To create the Program:
When Library-Name is shown, replace with the name of your library.
CRTCLPGM PGM(Library-Name/RESETUSERC) SRCFILE(Library-Name/QCLSRC) SRCMBR(RESETUSERC) USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) AUT(*EXCLUDE) CHGOBJOWN OBJ(Library-Name/RESETUSERC) OBJTYPE(*PGM) NEWOWN(QSECOFR) GRTOBJAUT OBJ(Library-Name/RESETUSERC) OBJTYPE(*PGM) USER(HELPDESK) AUT(*USE) REPLACE(*YES)
Assumes the users in the group HELPDESK will be allowed to use the program.
To create the command:
CRTCMD CMD(Library-Name/RESETUSER) + PGM(Library-Name/RESETUSERC) + SRCFILE(Library-Name/QCMDSRC) AUT(*EXCLUDE) GRTOBJAUT OBJ(Library-Name/RESETUSER) OBJTYPE(*CMD) USER(HELPDESK) AUT(*USE) REPLACE(*YES)
Assumes the users in the group HELPDESK will be allowed to use the command.
Note: As with all new programs, test these routines thoroughly before placing them into a production environment.
About the Author
Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.