Public authority to the root directory

When your system ships, the public authority to the "root" directory is *ALL (all object authorities and all data authorities).

This setting provides flexibility and compatibility with both what UNIX-like applications expect and what typical iSeries™ server users expect. An iSeries server user with command-line capability can create a new library in the QSYS.LIB file system simply by using the CRTLIB command. Normally, authority on a typical iSeries server allows this. Similarly, with the shipped setting for the root file system, a typical user can create a new directory in the root file system (just like you can create a new directory on your PC).

As a security administrator, educate your users about adequately protecting the objects that they create. When a user creates a library, probably the public authority to the library should not be *CHANGE, the default value. The user should set public authority either to *USE or to *EXCLUDE, depending on the contents of the library.

If your users need to create new directories in the "root" (/), QOpenSys, or user-defined file systems, you have several security options:

• You can educate your users to override the default authority when they create new directories. The default is to inherit authority from the immediate parent directory. In the case of a newly created directory in the root directory, by default the public authority will be *ALL.

• You can create a master subdirectory under the "root" directory. Set the public authority on that master directory to an appropriate setting for your organization. Then instruct users to create any new personal directories in this master subdirectory. Their new directories will inherit its authority.

• You can consider changing the public authority for the "root" directory to prevent users from creating objects in that directory. You would do prevent users creating objects by removing *W, *OBJEXIST, *OBJALTER, *OBJREF, and *OBJMGT authorities. However, you need to evaluate whether this change will cause problems for any of your applications. You might, for example, have UNIX-like applications that expect to be able to delete objects from the "root" directory.

Parent topic: