× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2024

Re: Simulating adopted authority with IFS

Hi Rob,

I explain the IFS configuration:

1. All directories USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJATU(*NONE)
2. For all directories, Application group profile (GRPAPP) as Primary Group
(PGP) and authorities *ALL.
3. All files, application group profile as Primary Group (PGP = GRPAPP) and
authorities *ALL
4. Anyone can own the object
5. Login with a user without authorizations
6. Effective group profile of then job is changed with qsysetegid() to
GRPAPP profile.

With this context, if I use the CHDIR command to move through the directory
tree, it works.But if I try to open a file with EDTF or DSPF command, don't
work.

However, QSH('cd /dir1/dir2; cat file') works.

In other tested configurations, I do not use the primary group of the
directories and replace them by the owner. Same results.

I check qsysetegid() errors. At the moment it does not fail with the groups
tested.

The application group profile (GRPAPP) is not a member of other group. The
user is not a member of GRPAPP.

I think SFTP testing can be a bit more complex. I will first try to get the
CL or QSH/PASE commands to work.

Thank you Rob for your help.

Javier Mora


El mar, 4 jun 2024 a las 6:40, Rob W via MIDRANGE-L (<
midrange-l@xxxxxxxxxxxxxxxxxx>) escribió:

Javier,

You said “After change of effective group, it seems that a user without
permissions can use IFS objects. But this does not always happen.”

Can you expand on what scenarios the user does not gain authority?

Is the qsysetegid() API failing for select users?

Remember a Group Profile cannot be a member of a Group. For a profile
that fails, is that users profile a Group Profile? Check if there is a GID
on a failing user profile.

Also note the following statement that is part of Flowchart 6 of the
Authority checking process in the security reference manual.

“Note: If the user is signed on as the profile that is the primary group
for an object, the user cannot receive authority to the object through the
primary group.” (this seems unlikely)

Is auditing active on your system? Look at the Audit Logs to see if any
authority failures are being logged.

As for SFTP, remember it is going to look for the user’s private key and
known_hosts file in the .ssh directory under the user’s home directory. You
can use the following sftp command to tell the system where to locate the
files.
sftp -vvv -i /home/user/.ssh/id_rsa -o
UserKnownHostsFile=/home/user/.ssh/known_hosts remoteuser@server

Rob W
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.