<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security" />
<meta name="abstract" content="From a security point of view, i5/OS PASE programs are subject to the same security restrictions as any other program on i5/OS." />
<meta name="description" content="From a security point of view, i5/OS PASE programs are subject to the same security restrictions as any other program on i5/OS." />
<meta name="DC.Relation" scheme="URI" content="rzalfinteract.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahg/rzahgicsecurity.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzalfsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security</title>
</head>
<body id="rzalfsecurity"><a name="rzalfsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security</h1>
<div><p>From a security point of view, <span class="keyword">i5/OS™</span> PASE
programs are subject to the same security restrictions as any other program
on <span class="keyword">i5/OS</span>.</p>
<p>To run an <span class="keyword">i5/OS</span> PASE
program on <span class="keyword">i5/OS</span>, you must
have authority to the AIX<sup>®</sup> binary in the integrated file system. You must also
have the proper level of authority to each of the resources that your program
accesses, or the program will receive an error when it attempts to access
those resources.</p>
<p>The following information is particularly important when you run <span class="keyword">i5/OS</span> PASE programs.</p>
<div class="section"><h4 class="sectiontitle">User profiles and authority management</h4><p>System authorization management is based on user profiles,
which are themselves objects. Every object created on the system is owned by a specific
user. The system verifies each operation on or access to an object to ensure
that the user has the required authority. The owner or appropriately authorized user profiles
can delegate various types of authorities to operate on an object to other
user profiles. Authority checking is provided uniformly to all types of objects. </p>
<p>The
object authorization mechanism provides various levels of control. A user's
authority can be limited to exactly what is needed. Files stored in the QOpenSys
file system are authorized in the same manner as UNIX<sup>®</sup> files. The following table shows the
relationship between UNIX permissions and the security values used on <span class="keyword">i5/OS</span> database files. On <span class="keyword">i5/OS</span>, *OBJOPR is <em>Use object</em> authority;
*EXCLUDE is <em>No authority</em>. *READ, *ADD, *UPD, *DLT, and *EXECUTE are
data authorities. You need *EXECUTE authority (and sometimes *READ authority)
to a file to run it as an <span class="keyword">i5/OS</span> PASE
program.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr><th valign="top" width="31.914893617021278%" id="d0e84">UNIX permission</th>
<th valign="top" width="14.893617021276595%" id="d0e88">*OBJOPR</th>
<th valign="top" width="10.638297872340425%" id="d0e90">*READ</th>
<th valign="top" width="8.51063829787234%" id="d0e92">*ADD</th>
<th valign="top" width="8.51063829787234%" id="d0e94">*UPD</th>
<th valign="top" width="8.51063829787234%" id="d0e96">*DLT</th>
<th valign="top" width="17.02127659574468%" id="d0e98">*EXECUTE</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="31.914893617021278%" headers="d0e84 ">r (read)</td>
<td valign="top" width="14.893617021276595%" headers="d0e88 ">X</td>
<td valign="top" width="10.638297872340425%" headers="d0e90 ">X</td>
<td valign="top" width="8.51063829787234%" headers="d0e92 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e94 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e96 ">-</td>
<td valign="top" width="17.02127659574468%" headers="d0e98 ">-</td>
</tr>
<tr><td valign="top" width="31.914893617021278%" headers="d0e84 ">w (write)</td>
<td valign="top" width="14.893617021276595%" headers="d0e88 ">X</td>
<td valign="top" width="10.638297872340425%" headers="d0e90 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e92 ">X</td>
<td valign="top" width="8.51063829787234%" headers="d0e94 ">X</td>
<td valign="top" width="8.51063829787234%" headers="d0e96 ">X</td>
<td valign="top" width="17.02127659574468%" headers="d0e98 ">-</td>
</tr>
<tr><td valign="top" width="31.914893617021278%" headers="d0e84 ">x (execute)</td>
<td valign="top" width="14.893617021276595%" headers="d0e88 ">X</td>
<td valign="top" width="10.638297872340425%" headers="d0e90 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e92 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e94 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e96 ">-</td>
<td valign="top" width="17.02127659574468%" headers="d0e98 ">X</td>
</tr>
<tr><td valign="top" width="31.914893617021278%" headers="d0e84 ">No authority</td>
<td valign="top" width="14.893617021276595%" headers="d0e88 ">-</td>
<td valign="top" width="10.638297872340425%" headers="d0e90 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e92 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e94 ">-</td>
<td valign="top" width="8.51063829787234%" headers="d0e96 ">-</td>
<td valign="top" width="17.02127659574468%" headers="d0e98 ">-</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section"><h4 class="sectiontitle">User profiles in <span class="keyword">i5/OS</span> PASE</h4><p>On <span class="keyword">i5/OS</span>,
authentication information is stored in individual <em>profiles</em> rather
than in such files as <tt>/etc/passwd</tt>. Users and groups have profiles.
All of these profiles share one namespace, and each profile must have a unique
monocase name. If you pass a lowercase name to the <span class="apiname">getpwnam()</span> or <span class="apiname">getgrnam()</span> API,
the system converts the name strings to the expected case.</p>
<p>If you call <span class="apiname">getpwuid()</span> or <span class="apiname">getgrgid()</span> to
get the profile name returned, it will be in lowercase, unless you set the <span class="keyword">i5/OS</span> PASE environment variable
PASE_USRGRP_LOWERCASE=N, which returns the result in uppercase.</p>
<p>Every
user has a user identification (<tt>UID</tt>). Every group has a group identification
(<tt>GID</tt>). These are defined according to the Portable Operating System
Interface X (POSIX) 1003.1 standard. The two numeric spaces are separate,
so you can have a user with a UID of 104 and a group with a GID of 104 that
are distinct from each other.</p>
<p><span class="keyword">i5/OS</span> has
a user profile for the security officer, QSECOFR, that has a UID of 0. No
other profile can have the UID of 0. QSECOFR is the most privileged profile
on the system and, in that sense, acts as the root user. However, <span class="keyword">i5/OS</span> also provides a set of specific
privileges that system administrators can assign to individual users.
One of these privileges, *ALLOBJ, overrides discretionary access control
(for file access, for example), which is a typical use of root privileges on
operating systems such as AIX and Linux<sup>®</sup>.</p>
<p>In a ported
application that uses root access, it is probably a better security practice
to create a specific user profile for the <em>application user</em> that can
be given *ALLOBJ authority, thereby avoiding the use of QSECOFR, which has
much more privilege than is needed by the single application. Unlike operating
systems such as AIX or Linux, <span class="keyword">i5/OS</span> does
not require group membership for users. The GID of 0 for a user profile on <span class="keyword">i5/OS</span> means <em>no group assigned</em> rather
than referring to a group with more privileges.</p>
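<p>An identity check for a ported application that follows the points above, as an added example rather than IBM code: profile names are compared without regard to case (the case that <span class="apiname">getpwuid()</span> returns depends on PASE_USRGRP_LOWERCASE), UID 0 is rejected in favor of a dedicated profile, and GID 0 is reported as <em>no group assigned</em>. The profile name APPUSER and all function names are hypothetical.</p>

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <strings.h>
#include <sys/types.h>
#include <unistd.h>

/* Profile names are monocase: spellings that differ only in case are the same profile. */
int same_profile(const char *a, const char *b) {
    return a && b && strcasecmp(a, b) == 0;
}

/* 1 if the identity is the dedicated service profile, 0 otherwise.
 * UID 0 is QSECOFR only, so it is never accepted for the application. */
int identity_ok(uid_t uid, const char *name, const char *service_profile) {
    if (uid == 0) return 0;
    return same_profile(name, service_profile);
}

/* Check the current process; -1 means the profile lookup failed. */
int current_identity_ok(const char *service_profile) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) return -1;
    return identity_ok(pw->pw_uid, pw->pw_name, service_profile);
}

/* Describe a GID using i5/OS semantics: 0 means no group assigned,
 * not a privileged group, so it is not looked up at all. */
const char *group_label(gid_t gid, char *buf, size_t n) {
    if (gid == 0) { snprintf(buf, n, "(no group assigned)"); return buf; }
    struct group *gr = getgrgid(gid);
    if (gr) snprintf(buf, n, "%s", gr->gr_name);
    else snprintf(buf, n, "gid %lu", (unsigned long)gid);
    return buf;
}

int main(void) {
    char buf[64];
    /* APPUSER is a hypothetical application profile name. */
    printf("identity ok: %d, group: %s\n", current_identity_ok("APPUSER"),
           group_label(getgid(), buf, sizeof buf));
    return 0;
}
```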
<p><span class="keyword">i5/OS</span> security
relies on integrated security built into the system. All accesses to objects
must pass a security check. The security check is done with respect to the
user profile for which the process runs at the time of the access.</p>
<p><span class="keyword">i5/OS</span> PASE relies on giving each
process a separate address space to maintain integrity and security. If a
resource is not available in your <span class="keyword">i5/OS</span> PASE
address space, you cannot access it. File system security prevents someone
from loading a resource into their address space without proper authorization.
After it is in the address space, the resource is available to the process
regardless of the identity under which the process is running.</p>
<p>An <span class="keyword">i5/OS</span> PASE program uses system calls
to request system functions. System calls for an <span class="keyword">i5/OS</span> PASE
program are handled by <span class="keyword">i5/OS</span>.
This interface gives <span class="keyword">i5/OS</span> PASE
programs only indirect (and safe) access to system internals.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalfinteract.htm" title="As you customize your i5/OS PASE programs to use i5/OS functions, you need to consider the ways in which your program will interact with them.">How i5/OS PASE programs interact with i5/OS</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahg/rzahgicsecurity.htm">Security</a></div>
</div>
</div>
</body>
</html>