SYSTEM.ADMIN.COMMAND.QUEUE
bruce2359
Posted: Mon Nov 09, 2009 2:40 pm

Poobah

Joined: 05 Jan 2008
Posts: 9482
Location: US: west coast, almost. Otherwise, enroute.

Quote:
added the userid to mqm group and it works fine

And you did this disregarding the advice in prior posts?

You have successfully solved a technical problem, AND created a security exposure.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
John89011
Posted: Mon Nov 09, 2009 2:45 pm

Voyager

Joined: 15 Apr 2009
Posts: 94

Well.. it's only a test box so to me it really does not matter. I tried playing with MCA user ID but that did not get me anywhere. IF this was Production I would most likely take a different approach.
bruce2359
Posted: Mon Nov 09, 2009 2:54 pm

Poobah

Joined: 05 Jan 2008
Posts: 9482
Location: US: west coast, almost. Otherwise, enroute.

Quote:
it's only a test box

Once you demonstrate that this can be done (with all the well-documented risks of adding non-admin users to the mqm group), you will likely be directed to do the same in production.

Mqm group membership allows this userid ALL administrative authorities - including control programs and MQSC. Yes, they only asked for access to the command queue (risky enough), but you gave them the world.

Best of luck getting it back.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
John89011
Posted: Mon Nov 09, 2009 3:10 pm

Voyager

Joined: 15 Apr 2009
Posts: 94

Now you're making me feel bad but here's the thing.. they have the same access in Production (it's been there for years, before my time) I cannot tell them NO to dev if they have access to prod. However, I am willing to learn so I'd continue to look for alternatives.
Vitor
Posted: Mon Nov 09, 2009 7:38 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

John89011 wrote:
they have the same access in Production (it's been there for years, before my time)


Has anyone mentioned this to whoever does your security & audit? Or is this a "it's been like this for years, never caused a problem yet" situation?

Many, many, many years ago when I started working I was astonished to find out my supervisor (a woman of a certain age) was paid in cash. Literally. The departmental manager came round every month with our payslips and direct credit notes, and a padlocked sack of money for her. Her reasoning was that she didn't trust the accounts people or banks, liked to count out the money on her desk then take it to her bank and count it out to the teller. Been doing that all her working life (2 decades at this point) and never had any problems.

I bet you've already guessed where this is going eh?

My point is because something was set up before you started, and has been working without problems for ages, doesn't make it a good thing.
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Tue Nov 10, 2009 7:17 am

Poobah

Joined: 05 Jan 2008
Posts: 9482
Location: US: west coast, almost. Otherwise, enroute.

Since mqm group membership has granted all rights to a username that only wants to put msgs to the command queue to display stuff, you might want to consider making the username one that can't log on. This will somewhat limit the damage that id can do.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
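
An audit matching the two points made in the posts above (mqm membership carries full administrative authority; an ID that cannot log on limits the damage), as an added example that is not part of the original thread. It assumes a Unix-like host with standard /etc/group and /etc/passwd formats; the allowlist, account names and sample file contents are constructed for illustration.

```python
# Added example: flag accounts in the mqm group that are not approved MQ admins,
# and note whether each can log on. All sample data below is constructed.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

SAMPLE_GROUP = """\
root:x:0:
mqm:x:1001:mqadmin,appsvc
apps:x:1002:appsvc,reporter
"""
SAMPLE_PASSWD = """\
mqm:x:1001:1001:MQ owner:/var/mqm:/bin/bash
mqadmin:x:1100:1100:MQ admin:/home/mqadmin:/bin/bash
appsvc:x:1200:1002:App service:/home/appsvc:/bin/bash
monitor:x:1300:1001:Monitoring:/home/monitor:/sbin/nologin
reporter:x:1400:1002:Reports:/home/reporter:/bin/bash
"""

def mqm_members(group_text, passwd_text, group_name="mqm"):
    """Return {user: shell} for every account in the group, whether it is
    named in the group's member list or has the group as its primary GID."""
    gid, listed = None, set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == group_name:
            gid = f[2]
            listed = {u for u in f[3].split(",") if u}
    # Listed users with no local passwd entry keep shell=None.
    members = {u: None for u in listed}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and (f[0] in listed or f[3] == gid):
            members[f[0]] = f[6]
    return members

def audit(group_text, passwd_text, allowed):
    """Return (user, status) for each mqm member outside the allowlist."""
    findings = []
    for user, shell in sorted(mqm_members(group_text, passwd_text).items()):
        if user in allowed:
            continue
        if shell is None:
            status = "no local passwd entry"
        elif shell in NOLOGIN_SHELLS:
            status = "no login shell"
        else:
            status = "interactive login"
        findings.append((user, status))
    return findings

if __name__ == "__main__":
    for user, status in audit(SAMPLE_GROUP, SAMPLE_PASSWD, {"mqm", "mqadmin"}):
        print(f"unexpected mqm member: {user} ({status})")
```

The primary-GID check matters because an account whose primary group is mqm does not appear in the group's member list, so reading /etc/group alone would miss it.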
WMBDEV1
Posted: Tue Nov 10, 2009 7:21 am

Sentinel

Joined: 05 Mar 2009
Posts: 888
Location: UK

Vitor wrote:

I bet you've already guessed where this is going eh?


You took the sack of money off her while nobody was looking?

That's my guess anyway
exerk
Posted: Tue Nov 10, 2009 7:33 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

WMBDEV1 wrote:
Vitor wrote:

I bet you've already guessed where this is going eh?


You took the sack of money off her while nobody was looking?

That's my guess anyway


Doubloons, or pieces of eight I wonder - bearing in mind how long Vitor has been around...? (or guineas, groats etc.)
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
Posted: Tue Nov 10, 2009 8:31 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

WMBDEV1 wrote:
Vitor wrote:

I bet you've already guessed where this is going eh?


You took the sack of money off her while nobody was looking?

That's my guess anyway


Good guess but I have an alibi for the time in question. The guy who did snatch the bag as she left the office hit the jackpot. The slime also hit her in the face.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor
Posted: Tue Nov 10, 2009 8:35 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

exerk wrote:
Doubloons, or pieces of eight I wonder - bearing in mind how long Vitor has been around...? (or guineas, groats etc.)


Just because you had trouble spending those Roman coins I paid your last Xmas bonus with. They worked fine in the market when I made them; centurion could never prove a thing.
_________________
Honesty is the best policy.
Insanity is the best defence.
Copyright © MQSeries.net. All rights reserved.