


Hi Patrick

As others have mentioned - and much to my chagrin also - adopting
authorities is not supported. I also found that the group profile ownership
parameter does not appear supported which is a real b*tch. In my view IBM
could significantly enhance the usefulness and security of the IFS by
supporting these two features, maybe by adding some switches to the
directory....

Another thing that brought me undone was the way authorities to new objects
are assigned to the creator of the object. I found this nugget (presuming I
have interpreted it correctly) after searching the IBM knowledge database
for a couple of days; I only turned up one document relevant to IFS and
authority. I don't have the reference so here's my summary of the contents:

When creating a new file in the IFS, the creator of the file receives the
same authorities to the file as the owner of the directory has to the
directory (yes, read that again!). This behaviour is why not having the
group ownership thing happening is such a pain. For processes that create
lots of processes (remember you don't adopt, and group ownership doesn't
work) a server type process with the right profile is almost mandatory to
have any kind of security.

I found out the hard way that the creator of a file does not automatically
get all rights. Since I routinely delete rights of the owner of an object
in QSYS from the authority display (in my view they are redundant since
owner gets all rights) I happened to do the same thing to an object in the
IFS, after all the owner will be able to do anything he/she likes, right?
Wrong... You need to test this and see what happens, but one side effect is
that the owner can't later delete the file.

I realise I'm grouping the *RWX behaviours with the object behaviours but I
don't have access to a machine right at this moment to provide more details.

Basically, we came to the conclusion that the way to go was maintain
authorisation lists and that part of the file creation had to be the
assignment of an authorisation list and any authority duties required.

This is not (in my view at least) all that different from what we do in QSYS
although it seems a little foreign. In our case we create files/libraries
with particular owners and we compile programs with

Hope this helps a little.

regards
Evan Harris

>I am struggling to understand IFS file security. I've been using the CHGAUT
>command to add and change user authorities. But it is not working quite like
>I would think. For example, if a program is owned by QSECOFR and adopts user
>authority, it may not have the authority needed to add or change an
>authority on an IFS file. Weird. Does anyone know a good publication that
>describes IFS file security? I understand *RWX UNIX authority concepts, just
>need help with how to manage this stuff from an AS/400 application
>perspective. Any thoughts would be appreciated.
>
>TIA,
>Patrick





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
