Mike Wills wrote:
>What will happen to all our shares and such if I change root to be *public
>to *exclude? I don't want to change it then break everything on the system.
>A couple of our applications already use the IFS. Does it just change the
>root authority and doesn't change access for anything else?

I agree with John. In the V4R4 Security - Enabling for C2 book one of the setup directions was to change root and several other directories to have public DTAAUT(*RX) and OBJAUT(*NONE) authority instead of *RWX and/or some object authorities. That section of the book also said:

"In addition, you will need to set up operational procedures for creating new directories. The typical user will not have sufficient authority to create a new directory because creating an object requires *W authority to the parent directory. Also, if your applications use UNIX-like APIs, the authority checking might not behave according to UNIX-like rules after you make the changes described. You will need to review the authority requirements for your UNIX-like applications."

"When a user needs a private directory, an administrator should use the CRTDIR command to create the directory in the /home subdirectory. On the CRTDIR command, specify DTAAUT(*EXCLUDE) and OBJECT(*NONE). Also, use the CHGOWN command to transfer ownership from the administrator to the user who needs the directory. When you transfer ownership, the system automatically gives the new owner all authorities to the directory."

On a C2 system, the only directory allowed to have public *RWX authority was the '/tmp' directory. The purpose of this directory is for work files. Applications that need to keep their work files private should follow this suggestion, also from the C2 book:

"When an application needs to create a new object (stream file) in the /tmp directory, the stream file should be opened with an option that allows non-shared use of the file. This creates the stream file. Immediately after opening the stream file, delete or unlink the stream file. This removes it from the /tmp directory. When the application is finished with the stream file, close it. This removes it from the system and makes the disk space available for other use."

Ed Fishel,
edfishel@xxxxxxxxxx
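
The open, unlink, use, close sequence from the C2 book quotation above, written against the UNIX-type APIs as an added example that is not part of the original post or of IBM's documentation. The function name, the file name pattern and the fallback definition of O_SHARE_NONE (the IBM i non-shared open flag, defined as 0 here where the platform lacks it) are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_SHARE_NONE   /* IBM i non-shared open flag; absent on other POSIX systems */
#define O_SHARE_NONE 0
#endif

/* Creates a work file in dir, unlinks it at once, then writes msg and reads it
 * back through the still-open descriptor. Returns 0 on success, -1 on error.
 * *name_gone is set to 1 if the path no longer exists after unlink(). */
int private_workfile_roundtrip(const char *dir, const char *msg,
                               char *out, size_t outlen, int *name_gone)
{
    char path[256];
    struct stat st;
    size_t len = strlen(msg);
    int rc = -1, n;

    if (outlen <= len) return -1;
    /* Constructed name for illustration; the pid keeps concurrent jobs apart. */
    n = snprintf(path, sizeof path, "%s/work.%ld.tmp", dir, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof path) return -1;

    /* O_EXCL: fail rather than reuse a file or link another user planted.
     * Mode 0600: owner-only access for the instant the name exists. */
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_SHARE_NONE,
                  S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;

    /* Remove the directory entry now; the data stays reachable through fd. */
    if (unlink(path) != 0) { close(fd); return -1; }
    *name_gone = (stat(path, &st) == -1 && errno == ENOENT);

    if (write(fd, msg, len) == (ssize_t)len &&
        lseek(fd, 0, SEEK_SET) == 0 &&
        read(fd, out, len) == (ssize_t)len) {
        out[len] = '\0';
        rc = 0;
    }
    close(fd);   /* last reference dropped: the system frees the storage */
    return rc;
}
```

Because the name is gone before any data is written, other users of the public *RWX directory have nothing to open, and a job that ends abnormally leaves no work file behind.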