IBM Support

SE77758 - OSP-CERT FILE SYSTEM ACCESS IN DCM WITH LOW AUTHORITY USER

APAR (Authorized Program Analysis Report)

Abstract

OSP-CERT FILE SYSTEM ACCESS IN DCM WITH LOW AUTHORITY USER

Error Description

A low-authority user can request that the DCM UI display a
screen intended for a system administrator by setting the
"isSecAdm" DCM flag to 'true' on the client. With the full menu
displayed, the low-authority user is able to click on buttons
that send DCM action requests, including the ability to browse
the file system for objects.

Problem Conclusion

IBM Digital Certificate Manager for i is designed to be used by
low-authority users to download CA certificates into their
browsers when the user has been given *RX access to the CA
certificate files. As such, there are two menus, displayed
according to the user's authority. The full menu is intended for
users with *ALLOBJ and *SECADM authority; a shorter menu is for
users without those special authorities. Regardless of which
menu is presented, the requested actions are controlled by
authority checks on IBM i, so only the authorized, logged-in
user can perform the intended requests via the DCM UI.

The fix ensures that users accessing DCM are only able to
request the actions they are expected to perform via the DCM UI.
For users that do not have *ALLOBJ and *SECADM special
authority, any browsing of the file system via DCM is prevented.
Attempting to get a list of existing certificate stores returns
an empty list. Attempting to perform actions such as creating a
certificate store results in an authority error.

These extra controls have been added to the DCM UI to limit the
actions available to users before the authority checks are
performed by the IBM i operating system.
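The pattern described above, a UI gate keyed on a client-supplied flag versus one keyed on the session user's server-side authorities, is sketched below as an added example; it is not IBM code and does not reflect DCM internals. Every name other than "isSecAdm", *ALLOBJ and *SECADM is hypothetical, the profiles and store path are constructed, and refusing a browse request with an error is an assumption about how "prevented" is implemented.

```python
# Added illustration; not IBM code. Every name except "isSecAdm",
# *ALLOBJ and *SECADM is hypothetical, and all data is constructed.
REQUIRED = {"*ALLOBJ", "*SECADM"}
PROFILES = {"SECOFR1": {"*ALLOBJ", "*SECADM"}, "LOWUSER": set()}  # constructed
STORES = ["/constructed/store1.kdb"]  # constructed


class AuthorityError(Exception):
    """Raised when the UI layer refuses an action for the session user."""


def server_is_sec_adm(user):
    # Role comes from the authenticated profile, never from the request.
    return REQUIRED <= PROFILES.get(user, set())


def ui_allows_before(user, request):
    # Pre-fix pattern: the full (admin) menu and its actions are unlocked
    # by a flag the browser sends, so any session can claim it.
    return request.get("isSecAdm") == "true"


def ui_allows_fixed(user, request):
    # Post-fix pattern: the client-supplied flag is ignored.
    return server_is_sec_adm(user)


def handle(user, request, ui_allows):
    admin_ui = ui_allows(user, request)
    action = request["action"]
    if action == "list_stores":
        return list(STORES) if admin_ui else []  # empty list, per the fix
    if action in ("browse", "create_store"):
        if not admin_ui:
            raise AuthorityError(f"{user}: {action} refused")
        return f"{action} forwarded to OS authority check"
    raise ValueError(f"unknown action {action!r}")


def audit_flag_mismatch(user, request):
    # Detection hook: a client claiming admin without the authorities
    # is worth logging even though the request is refused.
    return request.get("isSecAdm") == "true" and not server_is_sec_adm(user)
```
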

Temporary Fix

Comments

Circumvention


PTFs Available

R730 SI79618  2335

R740 SI79619  2328

R750 SI79620  2321

Affected Modules


         
         

Affected Publications

Summary Information

Status............................  CLOSED PER
HIPER.............................  No
Component.........................  5770SS1DC
Failing Module....................  RCHMGR
Reported Release..................  R730
Duplicate Of......................  




IBM i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information

Document Information

Modified date:
02 December 2022