Skip to content

Instantly share code, notes, and snippets.

@forstie

forstie/Protect the IFS root for *PUBLIC

Created February 8, 2021 19:48
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save forstie/bce185329f3587346cc69f33fb7c5ffe to your computer and use it in GitHub Desktop.
Save forstie/bce185329f3587346cc69f33fb7c5ffe to your computer and use it in GitHub Desktop.
Download ZIP
When an IFS directory includes W (write), you are exposed to malware attacks. Use this to review and overcome this topic for the all important ROOT directory.
Raw
Protect the IFS root for *PUBLIC
--
-- When an IFS directory includes W (write), you are exposed to malware attacks
-- Use this to review and overcome this topic for the all important ROOT directory
--
-- For help on this or related security topics, contact Robert and team...
-- http://ibm.biz/IBMiSecurity
-- Robert Andrews - robert.andrews@us.ibm.com
--
stop;
--
-- Is the IFS root open to attack?
--
select data_authority,
regexp_replace(data_authority, 'W', '') as remove_write
from table (
qsys2.ifs_object_privileges('/')
)
where authorization_name = '*PUBLIC';
stop;
--
-- Protect the IFS root from attack
-- (this will remove the W from (*PUBLIC)
--
begin
declare remove_write varchar(5) for sbcs data;
declare Public_Write_Count integer;
select count(*)
into Public_Write_Count
from table (
qsys2.ifs_object_privileges('/')
)
where authorization_name = '*PUBLIC' and
data_authority like '%W%';
if (Public_Write_Count = 1) then
select regexp_replace(data_authority, 'W', '')
into remove_write
from table (
qsys2.ifs_object_privileges('/')
)
where authorization_name = '*PUBLIC';
call qsys2.qcmdexc('QSYS/CHGAUT OBJ(''/'') USER(*PUBLIC) DTAAUT(''' concat
remove_write concat ''') ');
end if;
end;
@NielsLiisberg
Copy link

Just love you are using lowercase (lover case) for you gists - so much more readable. Spread the word and hoist it to standard :)

ps love this gist :)

@forstie
Copy link
Author

forstie commented Feb 8, 2021

new years 2021, and i'm trying not to yell as much in my sql. made it to february!

@dlarsencbk
Copy link

You need to have 5770SS1 option 39 International Components for Unicode installed to run this code. Otherwise the code fails.
Install option 39 thru GO LICPGM, option 11. This will create a library QICU. If option 39 is not installed, and you are running this code with ACS-Run SQL Scripts - you will get an error that says something like QQQSVREG *SRVPGM in QSYS does not exist (even when it is there). If you run the script in the green screen, it will fail. exit sql back to a command line and display the job log. It will say the QICU does not exist, giving you the clue to install Option 39 to create lib QICU (International Components for Unicode). See https://www.ibm.com/docs/en/i/7.2?topic=category-international-components-unicode-apis

@forstie
Copy link
Author

forstie commented May 19, 2021

Yes, regexp_replace() is the piece that requires option 39.

This query can be used to understand if this pre-req is satisfied.

select *
from QSYS2.SOFTWARE_PRODUCT_INFO
where product_option = '39';

@EdgardoEhiyan
Copy link

Hi Scot, this SQL statement also work to protect the root (public) from Ransomware attacks or only malware?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment