Here is an IBM page that discusses the read-only attribute.
https://www.ibm.com/docs/en/i/7.5?topic=security-root-qopensys-user-defined-file-systems
It also lists how the UNIX permissions (*R,*W,*X) map to IBM authorities.
So whether you set the permission using the UNIX chmod using bits or the IBM
CHGAUT command using *R,*W,*X, it makes no difference to the authority
checking process.
There is one situation where the UNIX "ls" command will display information
not available using the native DSPAUT command and that is Primary Group
Authority. UNIX lets you set the Primary Group Permission even when there
is no Primary Group assigned to the object.
Hidden Group Permission example.
Assign the owner and group *RW permissions.
chmod 660 /home/testuser/.ssh/authorized_keys
List the permissions using the UNIX ls command. (It shows the group
permissions.)
ls -la /home/testuser/.ssh/authorized_keys
-rw-rw---- 1 testuser 0 835 Apr 2 13:11 /home/testuser/.ssh/authorized_keys
Then check the permissions with the DSPAUT command. (group permissions are
not shown)
dspaut '/home/testuser/.ssh/authorized_keys'
Object . . . . . . . . . . . . : /home/testuser/.ssh/authorized_keys
Type . . . . . . . . . . . . . : STMF
Owner . . . . . . . . . . . . : TESTUSER
Primary group . . . . . . . . : *NONE
                 Data       --Object Authorities--
Opt  User        Authority  Exist  Mgt  Alter  Ref
     *PUBLIC     *EXCLUDE
     TESTUSER    *RW          X     X     X     X
So, the UNIX ls command shows the group profile has permissions to the
authorized_keys file even though the native DSPAUT command says there is no
Group assigned to the STMF.
You can remove the hidden group permissions with the following command.
CHGPGP OBJ('/home/testuser/.ssh/authorized_keys') NEWPGP(*NONE) DTAAUT(*NONE) OBJAUT(*NONE)
Having group authorities assigned to an IFS object where no group profile is
assigned can cause problems.
One example is with SSH and the authorized_keys file.
Assume there is "no Group Profile assigned" to the authorized_keys file but
you issue a chmod 660 to the authorized_keys. Then you try to connect using
ssh. It will fail.
You will see the following message in syslog.
Authentication refused: bad ownership or modes for file /home/testuser/.ssh/authorized_keys
Issue a chmod 600 authorized_keys and the ssh connection works.
I have seen this group profile/permission issue cause problems on jobs other
than ssh although it is rare.
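
An added example, not part of the original post: a POSIX shell audit that flags authorized_keys files and .ssh directories carrying the group-write or other-write bit, which is what sshd's StrictModes check (assumed enabled, the default) refuses with the syslog message quoted above. The function names and the FILE/DIR report format are made up for this example; the chmod 600 fix is the one given in the post.

```shell
#!/bin/sh
# Added example: audit for the mode bits that make sshd (StrictModes yes)
# log "bad ownership or modes for file .../authorized_keys".
# Assumption: sshd refuses a path whose mode has group-write (020) or
# other-write (002) set. ls shows these bits even when DSPAUT reports
# "Primary group: *NONE", so the audit reads the mode bits directly.

# audit_ssh_modes ROOT
# Prints "FILE <path>" for each authorized_keys file and "DIR <path>" for
# each .ssh directory under ROOT that is group- or other-writable.
audit_ssh_modes() {
    find "$1" -type f -name authorized_keys \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sed 's/^/FILE /'
    find "$1" -type d -name .ssh \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sed 's/^/DIR /'
}

# tighten_keys ROOT
# Applies the fix from the post (chmod 600) to every flagged authorized_keys
# file. Directories are only reported, never changed.
tighten_keys() {
    find "$1" -type f -name authorized_keys \
        \( -perm -020 -o -perm -002 \) -exec chmod 600 {} \;
}

# Report only when a directory is passed on the command line, e.g.
#   sh audit_ssh_modes.sh /home
if [ "$#" -gt 0 ]; then
    audit_ssh_modes "$1"
fi
```

An empty report means no file or directory under the given root carries the group-write or other-write bit; the audit does not check file ownership.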