These are security considerations for the root, QOpenSys, and user-defined file systems.
The root, QOpenSys, and user-defined file systems provide a blending of iSeries™ server, PC, and UNIX** capabilities both for object management and for security. When you use the integrated file system commands from an iSeries server session (WRKAUT and CHGAUT), you can set all the normal iSeries server object authorities. This includes the *R, *W, and *X authorities that are compatible with Spec 1170 (UNIX-type operating systems).
The root, QOpenSys, and user-defined file systems are functionally equivalent. The QOpenSys file system is case-sensitive. The root file system is not. User-defined file systems can be defined as case-sensitive. Because these file systems have the same security characteristics, you can assume in the topics that follow that their names are used interchangeably. When you access the root file system as an administrator from a PC session, you can set object attributes that the PC uses to restrict certain types of access:
When a user attempts to access an object in the root file system, OS/400® enforces all of the object authority values and attributes for the object, whether or not those authorities are ″visible″ from the user’s interface. For example, assume that the read-only attribute for an object is set on. A PC user cannot delete the object through a iSeries Access interface. An iSeries server user with a fixed function workstation cannot delete the object either, even if the iSeries server user has *ALLOBJ special authority. Before the object can be deleted, an authorized user must use a PC function to reset the read-only value to off. Similarly, a PC user might not have sufficient OS/400 authority to change the PC-relevant security attributes of an object.
UNIX-type applications that run on iSeries servers use UNIX-like application programming interfaces (APIs) to access data in the root file system. With UNIX-like APIs, applications can recognize and maintain the following security information:
However, these object authorities do exist for all of the objects in the root file system. When you create an object using a UNIX-like API, that object inherits these authorities from the parent directory, resulting in the following:
When you run applications that use UNIX-like APIs, the system enforces all object authorities, whether or not they are ″visible″ to UNIX-type applications. For example, the system will enforce the authority of authorization lists even though the concept of authorization lists does not exist in UNIX-type operating systems.
When you have a mixed-application environment, you need to ensure that you do not make authority changes in one environment that will break your applications in another environment.