Root, QOpenSys, and user-defined file systems
These are security considerations for the root, QOpenSys, and user-defined file systems.
How authority works
Objects in these file systems carry the following PC-style attributes:
- System
- Hidden
- Archive
- Read-only
When a user attempts to access an object in the root file system, IBM i enforces all of the object authority values and attributes for the object, whether or not those authorities are visible from the user’s interface. For example, assume that the read-only attribute for an object is turned on. A PC user cannot delete the object through an IBM Navigator for i interface. An IBM i user with a fixed-function workstation cannot delete the object either, even if that user has *ALLOBJ special authority. Before the object can be deleted, the read-only attribute must be turned off by using a PC function, the Change Attributes (CHGATR) command, or the Qp0lSetAttr() -- Set Attributes API. Similarly, a PC user might not have sufficient IBM i authority to change the PC-relevant security attributes of an object.
The same objects also carry the following UNIX-type authorities:
- Object owner
- Group owner (IBM i primary group authority)
- Read (files)
- Write (change contents)
- Execute (run programs or search directories)
- S_ISVTX mode bit (restricted rename and unlink attribute)
The UNIX-type read, write, and execute permissions correspond to the following IBM i data authorities:
- Read (*R) = *OBJOPR and *READ
- Write (*W) = *OBJOPR, *ADD, *UPD, *DLT
- Execute (*X) = *OBJOPR and *EXECUTE
When a new object is created in a directory, its authorities are taken from the parent directory:
- The new object’s owner has the same object authority as the parent directory’s owner.
- The new object’s primary group has the same object authority as the parent directory’s primary group.
- The new object’s public has the same object authority as the parent directory’s public.
When you run applications that use UNIX-like APIs, the system enforces all object authorities, whether or not they are visible to UNIX-type applications. For example, the system enforces the authority of authorization lists even though the concept of authorization lists does not exist in UNIX-type operating systems.
When you have a mixed-application environment, you need to ensure that you do not make authority changes in one environment that will break your applications in another environment.
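The following is an added example, not code from IBM or from this documentation. It models three of the rules stated above so that a practitioner can reason about a mixed PC/UNIX/IBM i environment before changing anything: the mapping between the UNIX-type r, w and x permissions and IBM i data authorities (the table above), the inheritance of owner, primary group and public authority from the parent directory, and the read-only attribute blocking deletion even for a user with *ALLOBJ. The function names, the `*RWX`-style shorthand used for display, and the simplified delete rule (which only requires *ALLOBJ or the *DLT that the w bit carries, not the complete IBM i rule) are this example's own assumptions.

```python
"""Added example (not IBM code): a model of how UNIX-type permissions in the
root file system relate to IBM i data authorities, how a new object inherits
its parent directory's authorities, and how the read-only attribute gates
deletion. The mapping table comes from the documentation; the function
names and the simplified delete rule are this example's own assumptions."""

# Each POSIX permission bit and the IBM i data authorities it stands for.
POSIX_TO_IBMI = {
    "r": frozenset({"*OBJOPR", "*READ"}),
    "w": frozenset({"*OBJOPR", "*ADD", "*UPD", "*DLT"}),
    "x": frozenset({"*OBJOPR", "*EXECUTE"}),
}

# The three authority holders, in the order their bits appear in a mode such as 0o750.
HOLDERS = ("owner", "primary_group", "public")
SHIFTS = (6, 3, 0)
BITS = ((0o4, "r"), (0o2, "w"), (0o1, "x"))


def posix_to_ibmi(mode):
    """Return {holder: frozenset of IBM i data authorities} for a POSIX mode."""
    result = {}
    for holder, shift in zip(HOLDERS, SHIFTS):
        triple = (mode >> shift) & 0o7
        auths = set()
        for bit, letter in BITS:
            if triple & bit:
                auths |= POSIX_TO_IBMI[letter]
        result[holder] = frozenset(auths)
    return result


def ibmi_to_posix(auths):
    """Inverse mapping. A permission bit is shown only when every authority it
    maps to is held: *OBJOPR on its own, for instance, yields no r, w or x."""
    mode = 0
    for holder, shift in zip(HOLDERS, SHIFTS):
        held = frozenset(auths.get(holder, ()))
        for bit, letter in BITS:
            if POSIX_TO_IBMI[letter] <= held:
                mode |= bit << shift
    return mode


def symbolic_authority(auths):
    """Render one holder's authorities as *RWX-style shorthand.
    Assumption of this example: the letters of the bits held, or *NONE."""
    held = frozenset(auths)
    letters = "".join(l.upper() for _, l in BITS if POSIX_TO_IBMI[l] <= held)
    return "*" + letters if letters else "*NONE"


def inherit_from_parent(parent_auths):
    """A new object gets the same owner, primary group and public authorities
    as its parent directory (the inheritance rule stated above)."""
    return {holder: frozenset(parent_auths[holder]) for holder in HOLDERS}


def delete_allowed(holder_auths, read_only, has_allobj=False):
    """Simplified delete check. The read-only attribute wins over everything,
    including *ALLOBJ; it must be cleared first (CHGATR or Qp0lSetAttr()).
    Otherwise this model accepts *ALLOBJ or the *DLT carried by the w bit;
    that second part is a simplification, not the complete IBM i rule."""
    if read_only:
        return False
    return has_allobj or "*DLT" in holder_auths


def report(mode):
    """Per-holder view of a mode: {holder: (shorthand, sorted authorities)}."""
    return {h: (symbolic_authority(a), sorted(a)) for h, a in posix_to_ibmi(mode).items()}


if __name__ == "__main__":
    # Constructed sample: a directory created with mode 0o750.
    for holder, (shorthand, detail) in report(0o750).items():
        print(f"{holder:14} {shorthand:6} {' '.join(detail)}")
    child = inherit_from_parent(posix_to_ibmi(0o750))
    print("child inherits:", symbolic_authority(child["public"]), "for public")
    print("delete with *ALLOBJ but read-only set:",
          delete_allowed(child["owner"], read_only=True, has_allobj=True))
```

Running the module prints the owner, primary group and public authorities for a 0o750 directory and shows that a child created under it inherits the same authorities. The round trip through `ibmi_to_posix` is exact for every mode because each bit maps to a distinct authority beyond the shared *OBJOPR, which is why a holder with only *OBJOPR shows no permission at all through a UNIX-type interface.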