Re: root authority IFS (pcs again) -- MIDRANGE-L

You don't show any Object Authorities - *PUBLIC access will depend on
what's specified in Object Authorities.

'/' is shipped as *RWX.

None of my 11 partitions have more than *PUBLIC *RWX and all object
authorities, QSYS *RWX and all object authorities, and *QDIRSRV *X and no
object authorities.

A "normal" user needs *RX in order to use '/' but this won't allow them to
create sub-directories in '/'. Depending on the Data Authority in an
existing sub-directory, they may or may not be able to create additional
sub-directories in an existing sub-directory.

If a "normal" user only has *R in '/', they can access their 'home'
directory as defined in the user profile. Their capabilities in their
'home' directory depend on the Data and Object Authorities set there.

Sorry I can't be more helpful - I think I've reached the limits of my IFS
authority knowledge.

There is a PDF of a Carol Woodbury IFS presentation to OCEAN here =>
https://www.oceanusergroup.org/assets/ifssecurityconsiderations.pdf

Thanks,

Steve McKay
(205) 585-8424
samckay1@xxxxxxxxx

On Tue, Oct 8, 2019 at 5:39 PM <iseriesstuff@xxxxxxxxx> wrote:

Wrklnk '/' option 9. Guess the same.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Mark Waterbury
Sent: Tuesday, October 8, 2019 5:05 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: root authority IFS (pcs again)

Are you talking about the output of this command?

DSPAUT '/'

On Tuesday, October 8, 2019, 5:03:05 PM EDT, <iseriesstuff@xxxxxxxxx>
wrote:

We currently have root authority set as:

*PUBLIC *RX

QSYS *RWX

QDIRSRV *X

QPGMR *RWX

QTCP *RWX

QUSER *RX

XPOFTP *X

Trying to lock down system (pci stuff). Any recommendations on these
settings?

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com