This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for, post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
IBM Power Systems Development
Encryption might be a different topic (besides IFS and object access) to be realized either by the operating system or by the user. A list of people who tested positive for COVID-19 should never be saved unencrypted :)
The main concern is finding out user names or installed software to get an attack vector.
So a big security concern is what would happen if a file on the IFS contained highly confidential information, such as the employees who tested positive for COVID-19 or HIV. How can that data be properly protected, and maybe even subject to encryption? The IFS represents a security vulnerability that many organizations have not thought through well. What can IBM do to protect these firms from themselves?
The CAAC has reviewed this requirement and recommends that IBM view this as a high priority requirement that is important to be addressed. Within a parent library or directory, the objects below it that are set to *EXCLUDE should not be seen or identified by those who have authority to the parent library/directory.
Background: The COMMON Americas Advisory Council (CAAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CAAC has a key role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community, and has therefore reviewed your RFE.
For more information about CAAC, see www.common.org/caac
For more details about CAAC's role with RFEs, see http://www.ibmsystemsmag.com/Blogs/i-Can/May-2017/COMMON-Americas-Advisory-Council-%28CAAC%29-and-RFEs/
Nancy Uthke-Schmucki - CAAC Program Manager
IBM will use this request as input to planning but no commitment is made or implied. This request will be updated in the future if IBM implements it. IBM will use votes and comments from others in the community to help prioritize this request.
IBM has received the requirement and is evaluating it. IBM will provide a response after evaluation is complete.
Due to processing by IBM, this request was reassigned to have the following updated attributes:
Brand - Servers and Systems Software
Product family - Power Systems
Product - IBM i
Component - Security
Operating system - IBM i
Source - Client
For record keeping, the previous attributes were:
Brand - Servers and Systems Software
Product family - Power Systems
Product - IBM i
Component - Core OS
Operating system - IBM i
Source - Client
The CEAC has reviewed this requirement and recommends that IBM view this as a HIGH priority requirement that is important to address.
This RFE would make IBM i more securable, as it addresses a feature of IBM i that allows enumeration of objects that the user does not have access to. It closes off an avenue of collecting data that can be used in targeted attacks and/or in the creation of spear-phishing-based social engineering.
Background: The COMMON Europe Advisory Council (CEAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CEAC has a crucial role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community and has therefore reviewed your RFE.
To find out how CEAC helps to shape the future of IBM i, see CEAC @ ibm.biz/BdYSYj and the article "The Five Hottest IBM i RFEs Of The Quarter" at ibm.biz/BdYSZT
Therese Eaton – CEAC Program Manager, IBM
Hi Rudi,
Well, you can use STATUS(*DISABLED) to solve a lot of problems, but that's not really my intention ;-)
It's not a problem for all shops (if they have one programmer, they can lock down the box easily).
The extreme situation can be viewed on PUB400.COM or other (more or less) public systems with a lot of users who are allowed to do somewhat more than sign on, order entry and sign off.
Hello Holger,
I wonder if access to the commands WRKLNK and WRKOBJ is not part of the problem.....
Sorry, no answers, that is why I wonder ;-)
Nav4i has the same issue if you do not lock it down.
Greetings Rudi
Another well-known hack to get a list of users. This hack works because you generally need the ability to send messages to users and thus need access to their message queue. Unless IBM rewrites all the message handling APIs, which may open another can of worms, as one may be intentionally blocked from sending messages to one user (I would have to guess at a scenario, but I can imagine some customer doing that somewhere).
WRKOBJ OBJ(QUSRSYS/*ALL) OBJTYPE(*MSGQ)
I'm not seeing the same results on WRKOBJ.
CRTLIB DELETEME
GRTOBJAUT OBJ(DELETEME) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*USE)
CRTPF FILE(DELETEME/PEEKABOO) RCDLEN(10)
CRTPF FILE(DELETEME/HIDEY) RCDLEN(10)
GRTOBJAUT OBJ(DELETEME/*ALL) OBJTYPE(*ALL) USER(*PUBLIC) AUT(*EXCLUDE)
CRTUSRPRF USRPRF(DUMMY) PASSWORD() SPCAUT(*NONE)
Sign on as DUMMY
WRKOBJ DELETEME/*ALL
(Cannot find object to match specified name.)
However this shows it.
WRKLNK '/QSYS.LIB/DELETEME.LIB/*.*'
Object link        Type   Attribute   Text
HIDEY.FILE         FILE   *NOTAVL     *NOTAVL
PEEKABOO.FILE      FILE   *NOTAVL     *NOTAVL
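The repro above shows the exact condition CAAC describes: a library that *PUBLIC can open (*USE) containing objects that *PUBLIC is *EXCLUDE from. WRKOBJ hides them, but their names still appear under WRKLNK '/QSYS.LIB/<lib>.LIB/*.*'. The following Db2 for i query is an added example for auditing your own system for that condition; it is not part of the original thread or of IBM's code. It assumes the QSYS2.OBJECT_PRIVILEGES catalog view (IBM i 7.3 or later with the Db2 PTF group) and that the query runs with authority to read the catalog; the DELETEME library name appears only because the repro used it.

```sql
-- Added example (not from the original thread): find objects that *PUBLIC is
-- *EXCLUDE from but whose names are still enumerable through the IFS view of
-- the library, because *PUBLIC has at least *USE on the library itself.
-- Assumption: QSYS2.OBJECT_PRIVILEGES exists (IBM i 7.3+ with the Db2 PTF
-- group) and the caller can read it. Run from STRSQL or ACS Run SQL Scripts.
WITH public_lib AS (
    -- Libraries live in QSYS as *LIB objects; keep the ones *PUBLIC can open.
    SELECT SYSTEM_OBJECT_NAME AS LIB
    FROM   QSYS2.OBJECT_PRIVILEGES
    WHERE  SYSTEM_OBJECT_SCHEMA = 'QSYS'
      AND  OBJECT_TYPE          = '*LIB'
      AND  AUTHORIZATION_NAME   = '*PUBLIC'
      AND  OBJECT_AUTHORITY    <> '*EXCLUDE'
),
excluded_obj AS (
    -- Objects inside any library where *PUBLIC is explicitly *EXCLUDE.
    SELECT SYSTEM_OBJECT_SCHEMA AS LIB,
           SYSTEM_OBJECT_NAME   AS OBJ,
           OBJECT_TYPE
    FROM   QSYS2.OBJECT_PRIVILEGES
    WHERE  AUTHORIZATION_NAME = '*PUBLIC'
      AND  OBJECT_AUTHORITY   = '*EXCLUDE'
      AND  OBJECT_TYPE       <> '*LIB'
)
-- Join the two: an excluded object in a publicly usable library is exactly
-- what WRKLNK lists as "*NOTAVL" in the repro. ENUMERABLE_PATH is the IFS
-- name a low-privilege user would see, e.g. /QSYS.LIB/DELETEME.LIB/HIDEY.FILE
-- (the type suffix is the object type without its leading '*').
SELECT e.LIB,
       e.OBJ,
       e.OBJECT_TYPE,
       '/QSYS.LIB/' CONCAT TRIM(e.LIB) CONCAT '.LIB/'
                   CONCAT TRIM(e.OBJ) CONCAT '.'
                   CONCAT SUBSTR(e.OBJECT_TYPE, 2) AS ENUMERABLE_PATH
FROM   excluded_obj e
JOIN   public_lib   p ON p.LIB = e.LIB
WHERE  e.LIB = 'DELETEME'          -- drop this predicate to audit the whole system
ORDER BY e.LIB, e.OBJ;
```

On the repro system this returns the PEEKABOO and HIDEY rows. Without the library predicate the view is read for every object on the machine, so expect it to run for a while on a large system; restricting to the libraries your application data lives in is the practical starting point. Note that the query only finds the enumeration exposure; it says nothing about whether a *USE user can read the object's contents, which is governed by the *EXCLUDE authority itself.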