Hello Jim,
On 14.11.2019 at 17:59, midrangel@xxxxxxxxxxxxxxxxx wrote:
> I don't have time at the moment to elaborate but IBM i has more ability to
> control access to any object, IFS or QSYS filesystem, than Unix systems do.
> (A Mainframe running RACF and its variants, it can secure files extremely
> well)
So you put some claim out and if I ask you to prove it, you refuse. Don't get me wrong, I understand your reason perfectly but it's kind of an itch to scratch: Someone somewhen said, i and RACF as mainframe enhancement are more secure than anything else. But the world has changed a lot and so I challenge such "it was ever since"-like statements. :-)
Besides that, I didn't see anything helpful in IFS besides standard POSIX rights regarding files there. I also admit that I never dug deeper into that topic and also I should be fair and try this with recent versions of i.
Linux and other Unices have known about ACLs above the standard POSIX rights for years, and with the advent of SELinux, AppArmor and grsecurity there are even more fine-grained access restrictions to be implemented at will. The first two implement mandatory access control rules for file accesses while grsecurity implements (also) fine-grained role-based access control.
SELinux is mostly used by Red Hat and as far as I know enabled by default in permissive mode. AppArmor is a Canonical (Ubuntu) thing I don't know much about.
> If you look you have object management plus object access attributes on IBM i.
Yes, that's true. To be seen in wrklnk, Option 9. Thanks for this pointer, will play with that a bit to see what can be done and what should better be left alone. :-)
> Unix has file access and a switch to determine if it's a data file or executable.
Once that was like that, yes. And, astonishingly, over my many years of service for different companies and customers, I never needed more than a clever directory hierarchy and those simple rights to implement file servers for small to large user bases.
Netware and Windows Servers also utilize inheritable ACLs but from what I've seen in the wild, it's mostly overkill; many so-called admins don't understand them and use other means to prohibit access.
> Then there's the access auditing thing too.
Also that's implemented at least in SELinux. I didn't check the other solutions yet.
RACF may be superior because I have read somewhere that this allows granularity down to column-level in database files. I never checked myself if this is true, though.
:wq! PoC
PGP-Key: DDD3 4ABF 6413 38DE -
https://www.pocnet.net/poc-key.asc