Notes/Domino Fix List
SPR # CROS4FRSQ8 Fixed in 5.0.2c release



Product Area: Server
Technical Area: Install
Platform: AS/400

SPR# CROS4FRSQ8 - WRKDOMSVR security integrity fix
Technote Number: 1103046

Problem:
This can occur if somebody has granted the QNOTES user profile more authority
than it should have. By default, the QNOTES user profile should only have
*IOSYSCFG special authority. In the above case, someone has given QNOTES
*ALLOBJ and *JOBCTL special authority. The STRDOMSVR, ENDDOMSVR, and WRKDOMSVR
commands use adopted authority. They adopt the authority of the owner of the
program that those commands run.

For example, the STRDOMSVR command runs the QNNINSDS program in library
QNOTES. The QNNINSDS program is owned by user profile QNOTES. Whoever issues
a STRDOMSVR command will temporarily adopt whatever authorities QNOTES
has. In this case, QNOTES has *ALLOBJ and *JOBCTL, so they have enough
authority to start the Domino server.

In this case, revoke *ALLOBJ and *JOBCTL from the QNOTES user profile.

CHGUSRPRF USRPRF(QNOTES) SPCAUT(*IOSYSCFG)

Once you finish running the above command, a DSPUSRPRF QNOTES should display as
follows (Figure 1):
(notice the Special authority field is only *IOSYSCFG now.)
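
The same check can be scripted. The CL program below is an added example, not part of the original technote; it assumes it is compiled with CRTCLPGM and run by a user who is authorized to the QNOTES profile. It retrieves the QNOTES special authorities, compares them with the *IOSYSCFG default described above, and prints the list of programs that adopt QNOTES authority.

```cl
/* Added example: audit QNOTES special authority and adopting programs */
PGM
  /* RTVUSRPRF returns special authorities as 10-character entries    */
  DCL VAR(&SPCAUT) TYPE(*CHAR) LEN(100)

  RTVUSRPRF USRPRF(QNOTES) SPCAUT(&SPCAUT)

  /* Default per this technote: *IOSYSCFG only (blank padded compare) */
  IF COND(&SPCAUT *EQ '*IOSYSCFG') THEN(DO)
    SNDPGMMSG MSG('QNOTES special authority is *IOSYSCFG only')
  ENDDO
  ELSE CMD(DO)
    /* Anything else (for example *ALLOBJ or *JOBCTL) is passed on to */
    /* every caller of a program that adopts QNOTES authority         */
    SNDPGMMSG MSG('QNOTES special authority differs from default: ' +
                  *CAT &SPCAUT)
  ENDDO

  /* Spooled list of programs that adopt the QNOTES profile           */
  DSPPGMADP USRPRF(QNOTES) OUTPUT(*PRINT)
ENDPGM
```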


Figure 1:
Supporting Information:



Related Documents:

An Example of Adopted Authority on the AS/400
Document #: 177205


important notice
A fix for this SPR has been developed but is currently undergoing testing. IBM reserves the right to remove this fix from the targeted release if it does not pass quality assurance tests. Please consider this information to be provisional. Do not base irreversible business decisions on this information until this notice has been removed.


Last Modified on 04/03/2001
