70 lines
4.7 KiB
HTML
70 lines
4.7 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Public authority to the root directory" />
|
|
<meta name="abstract" content="When your system ships, the public authority to the root directory is *ALL (all object authorities and all data authorities)." />
|
|
<meta name="description" content="When your system ships, the public authority to the root directory is *ALL (all object authorities and all data authorities)." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvifsrootfiles.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="ifsrootdir" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Public authority to the root directory</title>
|
|
</head>
|
|
<body id="ifsrootdir"><a name="ifsrootdir"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Public authority to the <span class="q">"root"</span> directory</h1>
|
|
<div><p>When your system ships, the public authority to the <span class="q">"root"</span> directory
|
|
is *ALL (all object authorities and all data authorities).</p>
|
|
<p>This setting provides flexibility and compatibility with both what UNIX-like
|
|
applications expect and what typical iSeries™ server users expect. An iSeries server
|
|
user with command-line capability can create a new library in
|
|
the QSYS.LIB file system simply by using the CRTLIB command. Normally, authority
|
|
on a typical iSeries server
|
|
allows this. Similarly, with the shipped setting for the root file system,
|
|
a typical user can create a new directory in the root file system (just like
|
|
you can create a new directory on your PC).</p>
|
|
<p>As a security administrator, you must educate your users about adequately
|
|
protecting the objects that they create. When a user creates a library, probably
|
|
the public authority to the library should not be *CHANGE, the default value.
|
|
The user should set public authority either to *USE or to *EXCLUDE, depending
|
|
on the contents of the library.</p>
|
|
<div class="p">If your users need to create new directories in the <span class="q">"root"</span> (/), QOpenSys,
|
|
or user-defined file systems, you have several security options:<ul><li>You can educate your users to override the default authority when they
|
|
create new directories. The default is to inherit authority from the immediate
|
|
parent directory. In the case of a newly created directory in the root directory,
|
|
by default the public authority will be *ALL.</li>
|
|
<li>You can create a master subdirectory under the <span class="q">"root"</span> directory.
|
|
Set the public authority on that master directory to an appropriate setting
|
|
for your organization. Then instruct users to create any new personal directories
|
|
in this master subdirectory. Their new directories will inherit its authority.</li>
|
|
<li>You can consider changing the public authority for the <span class="q">"root"</span> directory
|
|
to prevent users from creating objects in that directory. You would do prevent
|
|
users creating objects by removing *W, *OBJEXIST, *OBJALTER, *OBJREF, and
|
|
*OBJMGT authorities. However, you need to evaluate whether this change will
|
|
cause problems for any of your applications. You might, for example, have
|
|
UNIX-like applications that expect to be able to delete objects from the <span class="q">"root"</span> directory.</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvifsrootfiles.htm" title="These are security considerations for the root, QOpenSys, and user-defined file systems.">Root, QOpenSys, and user-defined file systems</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |