Re: Doubts on permissions of files created in the IFS

Le 13/04/2023 à 12:28, Fabio Mascelloni a écrit :

Il 12/04/2023 16:38, Jim Oberholtzer ha scritto:
> That behavior is exactly what I would expect.  Since USER1 has a specific
> authority (in this case OBJAUT(*NONE) that overrides the *PUBLIC authority.
> Your solution is what's needed.
>
> Adopted authority does not work as expected with the IFS, so the best
> solution is the one you are using, or, change the parent directory since
> the child directory is inheriting some of the security aspects. Presuming
> that to no be reasonable, then you are back to the grant/remove process.
>
> --
> Jim Oberholtzer
> Chief Technical Architect
> Agile Technology Architects

Thanks Jim, that's clear to me.

What is not clear to me is why the system creates an entry for 'USER1' without even giving it all the permissions.

You may want to check this document. It might provide you an explanation. https://www.ibm.com/support/pages/integrated-file-system-authority-considerations

-------quote-------

Initial object authorities are assigned to a new file or directory based on the authority values of the parent directory. The rules involved with this are as follows:

a. The owner for the new object has the same object authorities the owner of the parent directory to the parent directory.
b. The primary group for the new object the same object authorities the primary group of the parent directory to the parent directory.
c. *PUBLIC has the same object authorities to the new object that it has to the parent directory.

These rules apply even when the owner of the parent directory and the newly created object are not the same, and even when the owner of the new object has separate private authority to the parent directory.

-------quote-------

He is the owner after all.

Paradoxically another user can do what the owner cannot (i.e.delete the file).

Fabio.