ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvifsrootdir.htm

70 lines
4.7 KiB
HTML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Public authority to the root directory" />
<meta name="abstract" content="When your system ships, the public authority to the root directory is *ALL (all object authorities and all data authorities)." />
<meta name="description" content="When your system ships, the public authority to the root directory is *ALL (all object authorities and all data authorities)." />
<meta name="DC.Relation" scheme="URI" content="rzamvifsrootfiles.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="ifsrootdir" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Public authority to the root directory</title>
</head>
<body id="ifsrootdir"><a name="ifsrootdir"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Public authority to the <span class="q">"root"</span> directory</h1>
<div><p>When your system ships, the public authority to the <span class="q">"root"</span> directory
is *ALL (all object authorities and all data authorities).</p>
<p>This setting provides flexibility and compatibility with both what UNIX-like
applications expect and what typical iSeries™ server users expect. An iSeries server
user with command-line capability can create a new library in
the QSYS.LIB file system simply by using the CRTLIB command. Normally, authority
on a typical iSeries server
allows this. Similarly, with the shipped setting for the root file system,
a typical user can create a new directory in the root file system (just like
you can create a new directory on your PC).</p>
<p>As a security administrator, you must educate your users about adequately
protecting the objects that they create. When a user creates a library, probably
the public authority to the library should not be *CHANGE, the default value.
The user should set public authority either to *USE or to *EXCLUDE, depending
on the contents of the library.</p>
<div class="p">If your users need to create new directories in the <span class="q">"root"</span> (/), QOpenSys,
or user-defined file systems, you have several security options:<ul><li>You can educate your users to override the default authority when they
create new directories. The default is to inherit authority from the immediate
parent directory. In the case of a newly created directory in the root directory,
by default the public authority will be *ALL.</li>
<li>You can create a master subdirectory under the <span class="q">"root"</span> directory.
Set the public authority on that master directory to an appropriate setting
for your organization. Then instruct users to create any new personal directories
in this master subdirectory. Their new directories will inherit its authority.</li>
<li>You can consider changing the public authority for the <span class="q">"root"</span> directory
to prevent users from creating objects in that directory. You would do prevent
users creating objects by removing *W, *OBJEXIST, *OBJALTER, *OBJREF, and
*OBJMGT authorities. However, you need to evaluate whether this change will
cause problems for any of your applications. You might, for example, have
UNIX-like applications that expect to be able to delete objects from the <span class="q">"root"</span> directory.</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvifsrootfiles.htm" title="These are security considerations for the root, QOpenSys, and user-defined file systems.">Root, QOpenSys, and user-defined file systems</a></div>
</div>
</div>
</body>
</html>