curryj
Well Known Member
We are going through a "hardening" of security on our iSeries as a result of an audit. One of the things I'd like to do is restrict users' ability to create new directories in the IFS.
The default permissions on '/' (ROOT) are wide open for *PUBLIC. I phoned IBM support, and they said not to change it as it may have undesirable side effects on our applications.
Then I looked in a Redbook called "eserver iSeries Security Guide", and it says "Consider changing the public authority for the root directory to prevent users from creating objects in that directory. Remove *W, *OBJEXIST, *OBJALTER, *OBJREF, and *OBJMGT authorities. However, you need to evaluate whether this change will cause problems for any of your applications. For example, you might have UNIX-like applications that expect to be able to delete objects from the root directory."
This sounds OK to me. World is hardly UNIX-like, and we don't have any other mission-critical applications, but it's unnerving not to have IBM's support for making the change.
Have any of you other World users ever done anything like this?
Incidentally, we just finished implementing object level security on all our JDE libraries as per SAR # 2662948, and it went very well, touch wood. We got excellent support from JDE on the project.