Changing PUBLIC authority on ROOT directory in IFS

curryj

We are going through a "hardening" of security on our iSeries as a result of an audit. One of the things I'd like to do is restrict users' ability to create new directories in the IFS.

The default permissions on '/' (ROOT) are wide open for *PUBLIC. I phoned IBM support, and they said not to change it as it may have undesirable side effects on our applications.

Then I looked in a Redbook called "eserver iSeries Security Guide", and it says "Consider changing the public authority for the root directory to prevent users from creating objects in that directory. Remove *W, *OBJEXIST, *OBJALTER, *OBJREF, and *OBJMGT authorities. However, you need to evaluate whether this change will cause problems for any of your applications. For example, you might have UNIX-like applications that expect to be able to delete objects from the root directory."

This sounds OK to me. World is hardly UNIX-like, and we don't have any other mission-critical applications, but it's unnerving not to have IBM's support for making the change.

Have any of you other World users ever done anything like this?


Incidentally, we just finished implementing object level security on all our JDE libraries as per SAR # 2662948, and it went very well, touch wood. We got excellent support from JDE on the project.
 
I would agree with IBM that this can be dangerous. If you have your test environment on a separate iSeries box, then I would do it there first. I have done this for a similar reason a while ago and things stopped working. I would look at what you have running other than JDE first. For instance, we also used the machine as a web server to take orders for JDE and that stopped working. The company's e-mail ran on the AS/400 which stopped working. Some other networking issues also occurred. I think they were resolvable by giving certain user profiles authority, but I did not pursue it very far. Instead, I changed root authority back and took a different approach to lock down the authority on other directories.
Also, if you have net server running, don't share the root folder so it's accessible from Windows Explorer. If it is not shared, how are users creating directories there? By the command line? Do you allow command access to people other than developers and OS400 admins? It would be better to lock down other avenues than changing the root directory.
 
Thanks for your helpful response. The root folder isn't shared, but all of our iSeries users who connect via PC have Operations Navigator installed as part of the iSeries Access application. I hate to take it away from them, because there's useful functionality available there, like dragging spool files to Windows Explorer to convert them to text files, and converting spool files to PDF, to name a couple of things.
Any of these users with a little knowledge and curiosity could create directories under root, delete unprotected ones, put their own files in there - heck, they could create a share for root, I think. Seems too wide open to me.
We don't have a separate test box. We don't use the iSeries for e-mail or external web serving. Based on your comments, if I proceed at all it will be cautiously, on a weekend, changing the permissions and then seeing if I can find anything that doesn't work. We use the IBM Survey Creator application internally, for example, and I can check to see if that still works.
Thanks again for your help.
 