Securing CL Commands, Revisited

Article ID: 57412

Dan,

I recently saw a newsletter article in which you talked about customers forgetting to secure the versions of CL commands in the QSYS38 library (i.e., System/38 environment commands).

I just wanted to bring two other CL command security exposures to your attention and tell you how IBM has addressed these exposures.

First, when an IBM product is installed, the product's commands are copied into the QSYS library. This makes the product's commands easy to find using the library list, because the user does not have to add the product library to the library list. For example, the STRSQL command ships in library QSQL and gets copied to library QSYS during the install of the SQL licensed program.

The security exposure in this process is that the customer secures the command in QSYS and forgets about the command in the product library.

To mitigate this risk, a change was made in V5R4 so that when an IBM licensed program is installed, the "copy" still occurs, but the command created in the QSYS library is a proxy command, which simply points to the command to be run. In this case, the proxy command will point to the regular command shipped in the licensed program's product library.

There is still an exposure if the customer secures the proxy command in QSYS and forgets about the regular command in the product library, but the improvement is that the customer only needs to secure the regular command in the product library, because the proxy command will check that the user has *USE authority to the target command pointed to by the proxy command.

The second exposure occurs when there are national language versions installed on the system. National language versions include copies of translatable objects for each language. For example, if the primary language on the system is English, but there are national language versions installed for Spanish, French, Italian, and German, then there are a total of five copies of all translatable objects (e.g., display files and message files) which would be shipped in secondary language libraries named QSYS29nn, where 'nn' is a two-digit number identifying the national language version.

Before 6.1, all CL commands for IBM products were built as translatable objects and were shipped in the QSYS29nn secondary language libraries. So if the system has Spanish, French, Italian, and German secondary languages installed, there would be five copies of IBM CL commands. If a customer wanted to lock down the CRTLIB command, they would have to secure the command in library QSYS as well as the other four copies of CRTLIB in the four QSYS29nn secondary language libraries.

To remedy this, a change was made in 6.1 to add new support for commands to enable dynamic prompting of command prompt text messages. With this support, commands can be shipped as non-translatable objects, allowing commands to be shipped only in the product library and be deleted from secondary language libraries.

For example, a customer who wants to secure the CRTLIB command only needs to lock down the command in the QSYS library.

Put together, these two enhancements (proxy commands and dynamic prompt text message retrieval) enabled IBM to install a single regular version of a command into the product library of the licensed program. For example, the only copy of STRSQL which would need to be secured would be the one shipped in the QSQL library. There are no longer any copies of STRSQL in any secondary language libraries and the proxy command version of STRSQL in library QSYS points to STRSQL in library QSQL, which requires an authority check to run.

One last note on this topic is that there are non-functional copies of STRSQL shipped in libraries QSYSV5R3M0 and QSYSV5R4M0. These commands do not need to be secured because they are used only for command syntax checking when creating CL programs for prior releases. Attempting to run commands in these previous release libraries will generate syntax error CPD0118 (Command &1 not valid for current release.)

Whatever release a customer is using, they can use WRKCMD *ALL/cmd-name to find all instances of a command named "cmd-name." If the command instance is a proxy command, they don't have to secure it (use the DSPCMD command to check if the command instance is a proxy command). If the command instance is in a library named QSYSVxRyMz, you don't need to secure it, because these commands are shipped as non-functional. But if the command is in a QSYS29nn secondary language library, the command will need to be secured (note that this security exposure goes away for all IBM products that shipped a new release for 6.1).

Guy Vig, IBM i System Design Consultant
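The triage rules from the last paragraph of the letter, as an added example that is not part of the original letter and is not IBM code. The inventory is constructed (in practice it would be transcribed from WRKCMD *ALL/cmd-name and DSPCMD output), and the names `CmdInstance`, `triage` and the library number in `QSYS2999` are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

class CmdInstance(NamedTuple):
    library: str
    name: str
    proxy_target: Optional[str] = None  # "LIB/CMD" when DSPCMD shows a proxy command

SECONDARY_LANG = re.compile(r"QSYS29\d{2}")    # QSYS29nn secondary language library
PRIOR_RELEASE = re.compile(r"QSYSV\dR\dM\d")   # QSYSVxRyMz previous-release library

def triage(instances):
    """Return ({command to secure: reason}, {command skipped: reason})."""
    to_secure, skipped = {}, {}
    for inst in instances:
        qual = f"{inst.library}/{inst.name}"
        if inst.proxy_target:
            # The proxy checks *USE authority on its target, so secure the target.
            skipped[qual] = f"proxy for {inst.proxy_target}"
            to_secure.setdefault(inst.proxy_target, f"target of proxy {qual}")
        elif PRIOR_RELEASE.fullmatch(inst.library):
            skipped[qual] = "non-functional prior-release copy"
        elif SECONDARY_LANG.fullmatch(inst.library):
            to_secure.setdefault(qual, "secondary language copy")
        else:
            to_secure.setdefault(qual, "regular command")
    # Anything classified as skipped (e.g. a target that is itself a proxy)
    # is not reported for securing.
    for qual in skipped:
        to_secure.pop(qual, None)
    return to_secure, skipped

# Constructed inventory for STRSQL on a hypothetical V5R4 system with one
# secondary language installed; QSYS2999 is a made-up library number.
SAMPLE = [
    CmdInstance("QSYS", "STRSQL", proxy_target="QSQL/STRSQL"),
    CmdInstance("QSQL", "STRSQL"),
    CmdInstance("QSYS2999", "STRSQL"),
    CmdInstance("QSYSV5R3M0", "STRSQL"),
]

if __name__ == "__main__":
    secure, skip = triage(SAMPLE)
    for cmd, why in secure.items():
        print(f"SECURE {cmd:<20} {why}")
    for cmd, why in skip.items():
        print(f"skip   {cmd:<20} {why}")
```

The proxy target is reported even when it does not appear in the inventory, since a search by command name only finds instances that share that name.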
