RE: IFS Directory Authority

These are work files that contain web service responses. They are used by batch applications that run from scheduled jobs, or a single-threaded jobq.
I don't have to worry about locking and such... but we DO change users as responsibilities change. I don't want to worry about authority on XML files that have zero use once the job is finished. I like to leave them intact in case I need to look at something.

All I'm trying to do is prevent a user from accidentally moving or deleting a directory on the IFS (which is what happened here)
Our exit point security software is in logging mode for IFS - so I was able to identify exactly who and when this directory (and subdirectories) were deleted.
The user was browsing the directory and recalled dropping her headset on the keyboard. It must have hit the delete key AND THEN the enter key.
She recalls the moment it happened, but didn't think any action took place.

I have more than one directory that is used in this same fashion... I'd like to protect it from accidental deletion without hindering usage.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob Berendt
Sent: Monday, March 20, 2023 4:16 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: IFS Directory Authority

If you're going to overwrite you need to rethink that attribute.
You either stop overwriting by generating unique file names, or figure out
a way to safely overwrite. If both users create a file called output.txt
then you're going to have to guarantee that job only runs once per day and
clear that up. Or figure out an appropriate locking and waiting scheme.
Common techniques for uniqueness include incorporating the fully qualified
job name, UUID, GUID, timestamp (with extended microseconds), etc.

On Mon, Mar 20, 2023 at 2:56 PM Greg Wilburn <
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

This is interesting... So *RSTDRNMUNL only applies to directories.

My issue is that an IFS filename may be "reused" or "overwritten" by more
than one user. So today, the owner might be JOHNNY but tomorrow the owner
might be JANE.
Within the same job, I will often run "cleanup" program for a subdirectory
that deletes all files older than 60 days.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Monday, March 20, 2023 12:46 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: IFS Directory Authority

You mean something like this?
CHGATR OBJ('/mydir') ATR(*RSTDRNMUNL) VALUE(*YES)
IBM used to change '/tmp' at each IPL to this until we stormed the gates.
The reason that stank was the user app would write a file to it for use by
IBM's email APIs. Then it would pass control over to the other programs
like QMSF and the smtp jobs and they could not delete the file since they
were not the owner and didn't have *ALLOBJ.
Just make sure you won't run into similar issues.

On Fri, Mar 17, 2023 at 3:23 PM Greg Wilburn <
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

I would like to set the authority on a directory so that no one can move,
delete, or rename the directory itself (except owner and QSECOFR).
However, all users need to be able to run programs that read, write
(create), and delete objects INSIDE the directory.

My programs use this directory for storing temporary files (XML, JSON,
TXT, etc.) while consuming web services, downloading files, etc.
One of those directories "went missing" earlier this week - someone
accidentally deleted it or otherwise moved it.

I looked through the archives, but didn't really find much...

TIA,
Greg
[Logo]<https://www.totalbizfulfillment.com/> Greg Wilburn
Director of IT
301.895.3792 ext. 1231
301.895.3895 direct
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx<mailto:gwilburn@xxxxxxxxxxxxxxxxxxxxxxx

1 Corporate Dr
Grantsville, MD 21536
www.totalbizfulfillment.com<http://www.totalbizfulfillment.com>
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.