Here is your iSeries security tip for January, 2007 from SkyView
Partners, Inc., World Class i5/OS and OS/400 Security Experts.
The issue
More and more of you are having to deal with securing objects in the
Integrated File System (IFS). Specifically, headaches arise when stream
files move into and out of directories. Using stream files within a
process is often challenging because of the authorities with which they
are created. Unfortunately, stream files do not inherit authorities from
the directory they are created in. Rather, a stream file is created with
the owner having data authority *RWX (the equivalent of *CHANGE) and
object authority *NONE; both the primary group and *PUBLIC are set to
*EXCLUDE. You have no choice in the matter: this is how i5/OS was
architected to authorize stream files. You also have no choice about who
owns the stream file. Even if you have configured the user profile
attribute that causes newly created objects to be owned by the user's
group (rather than the user), that attribute is ignored for objects
created in the IFS, so the owner is always the user who created the
stream file. This poses tremendous challenges when one user creates the
stream file and another user has to delete and re-create it or move it
to another directory, because the second user doesn't have sufficient
authority.
Options
The first option you might think of is to write a program that adopts
the authority of an *ALLOBJ user and have the program work with the
stream file, or at least change its ownership or grant sufficient
authority. Unfortunately, adopted authority is ignored when accessing an
object in the root, QOpenSys or user-defined file systems. So the user
making the change needs to have sufficient authority to the object in
their own right when working with the stream file, changing the
ownership or granting authority. (A program can still run under a more
powerful profile by swapping profiles with the QSYGETPH and QWTSETP
APIs, but that is profile swapping, not adoption, and the swapped-to
profile must itself hold the authority.) So what are your options?
If you have written the program that creates the stream file, the
easiest way around this problem is to follow the creation of the stream
file with an immediate Change Authority (CHGAUT) command. CHGAUT can
change the *PUBLIC authority of the object, grant authority to a group,
or secure the stream file with an authorization list so that other
users can work with it.
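The CL program below is an added example and is not code from the SkyView tip. It creates a stream file and then fixes its authorities and ownership before anything else can touch it. The path, the STMFOWNER profile, the XFERGRP group profile and the XFERAUTL authorization list are assumed names used only for illustration.

```cl
/* Added example (not from the SkyView tip): create a stream file and */
/* immediately fix its authorities and ownership. The path, the       */
/* STMFOWNER profile, the XFERGRP group profile and the XFERAUTL      */
/* authorization list are assumed names used for illustration.        */
PGM
   DCL VAR(&STMF) TYPE(*CHAR) LEN(128) +
       VALUE('/home/transfers/BankTransfer.txt')
   MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

   /* The new stream file is owned by the profile running this job,  */
   /* with owner data authority *RWX and object authority *NONE;     */
   /* primary group and *PUBLIC are *EXCLUDE until changed below.    */
   CPYTOSTMF FROMMBR('/QSYS.LIB/APPLIB.LIB/TRANSFER.FILE/TRANSFER.MBR') +
             TOSTMF(&STMF) STMFOPT(*REPLACE)

   /* Let the group that processes the file read, write and delete   */
   /* it (*OBJEXIST is what a later delete or move needs).           */
   CHGAUT OBJ(&STMF) USER(XFERGRP) DTAAUT(*RWX) OBJAUT(*OBJEXIST)

   /* Deny everyone else explicitly.                                  */
   CHGAUT OBJ(&STMF) USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)

   /* Alternative to the two CHGAUTs above: secure the file with an   */
   /* authorization list and let *PUBLIC defer to it.                 */
   /* CHGAUT OBJ(&STMF) AUTL(XFERAUTL)                                */
   /* CHGAUT OBJ(&STMF) USER(*PUBLIC) DTAAUT(*AUTL) OBJAUT(*AUTL)     */

   /* Change the owner LAST: once ownership is given away and the    */
   /* old owner's authority revoked, this job can no longer change   */
   /* the file's authorities unless it has *ALLOBJ.                   */
   CHGOWN OBJ(&STMF) NEWOWN(STMFOWNER) RVKOLDAUT(*YES)
   RETURN

ERROR:      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
              MSGDTA('Authority fixup failed for' *BCAT &STMF) +
              MSGTYPE(*ESCAPE)
ENDPGM
```

The ordering is the point: CHGAUT needs authority that the creating profile loses as soon as CHGOWN with RVKOLDAUT(*YES) runs, so ownership is transferred only after the group and *PUBLIC authorities are in place. The program-level MONMSG turns any failure into an escape message for the caller rather than leaving the file half-secured and the job silently continuing.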
If stream file creation occurs in a vendor package, you probably don't
have access to the code and cannot insert a CHGAUT. In this case you may
have to schedule a job that periodically changes the *PUBLIC authority,
grants authority to other users or changes the ownership of the object.
Another solution is a never-ending job that wakes up periodically to
grant authority or change ownership. The solution you choose will depend
on how quickly someone has to work with a stream file that was created
by another user.
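As an added example (not from the SkyView tip) of the scheduled-job option, the program below fixes the authority and ownership of every object a vendor process has dropped into a directory, and the job scheduler entry in the trailing comment runs it once a day. The directory, the STMFOWNER profile, the XFERGRP group, the APPLIB library and the job queue are assumed names.

```cl
/* Added example (not from the SkyView tip): program for a scheduled  */
/* job that fixes ownership and authority of everything a vendor      */
/* process drops into a directory. Directory, STMFOWNER, XFERGRP,     */
/* APPLIB and the job queue are assumed names.                        */
PGM
   DCL VAR(&DIR)     TYPE(*CHAR) LEN(128) VALUE('/vendor/outbound')
   DCL VAR(&PATTERN) TYPE(*CHAR) LEN(128)

   /* Generic path: every object directly in the directory            */
   /* (SUBTREE(*NONE) is the default, so subdirectories are skipped). */
   CHGVAR VAR(&PATTERN) VALUE(&DIR *TCAT '/*')

   /* Adopted authority is not honored in the IFS, so this program    */
   /* must run under a profile that has *ALLOBJ or already owns the   */
   /* files; the job scheduler entry below chooses that profile.      */
   /* Each MONMSG lets the job continue past objects it cannot        */
   /* change; the diagnostics stay in the job log for review.         */
   CHGAUT OBJ(&PATTERN) USER(XFERGRP) DTAAUT(*RWX) OBJAUT(*OBJEXIST)
   MONMSG MSGID(CPF0000)

   CHGAUT OBJ(&PATTERN) USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE)
   MONMSG MSGID(CPF0000)

   /* Ownership last, so the authority changes above are not blocked  */
   /* when the running profile is merely the current owner.           */
   CHGOWN OBJ(&PATTERN) NEWOWN(STMFOWNER) RVKOLDAUT(*YES)
   MONMSG MSGID(CPF0000)
ENDPGM

/* Run it daily at 02:00 under the owning profile:                    */
/* ADDJOBSCDE JOB(FIXSTMF) CMD(CALL PGM(APPLIB/FIXSTMF)) +             */
/*            FRQ(*WEEKLY) SCDDAY(*ALL) SCDTIME('020000') +            */
/*            USER(STMFOWNER) JOBQ(QSYS/QBATCH)                        */
```

Because the profile named on ADDJOBSCDE USER() is the one whose authority counts in the IFS, pick a profile that can actually change the files (*ALLOBJ, or the owner once the first run has transferred ownership), not one that merely adopts authority through the program.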
Using Policy Minder to work with Stream Files
Policy Minder provides a simple solution for ensuring stream files
are owned and authorized appropriately.
From the Policy Minder Main menu, take option 1=Work with Policies,
then option 5 on the *DIRAUT category. Press F6=Create to create a
directory template. On this first screen specify the pathname of the
directory that contains the stream file. If you want to ensure the
directory itself is secured and owned properly, specify the appropriate
values, otherwise, leave the attributes at the default (*ANY).
Scroll down until you come to the Work with Object Templates screen.
Press F6=Create. This template is where you define how the stream file
is to be owned and authorized. Specify the name of a specific stream
file, a generic name such as BankTransfer*, or the value *ALL. You can
specify the extension *STMF, or leave the extension field blank to apply
the policy to all object types in the directory.
Scroll down. Specify the owner, authorization list, primary group,
*PUBLIC and private authorities the stream file should have. (If an
attribute is not important, just leave the default *ANY.) Once you’ve
specified all of the values you want, keep hitting Enter until you
return to the Directory Authorities screen.
To enable Policy Minder to manage the stream file authorities you
must enable the FixIt function. On the directory template you just
created, select option 15=Enable FixIt. Now, after a compliance check
is run on the directory template, FixIt can be used to set the appropriate
authority and ownership on the stream files.
If it is sufficient to change the ownership and authority of the
stream files once a day, simply schedule a job that runs the CHECK
command and then runs FIXIT. For example:
SKYVIEWPMP/CHECK CAT((*DIRAUT *STMF))
This step determines which stream file security attributes do not match
the defined policy.
SKYVIEWPMP/FIXIT CAT((*DIRAUT *STMF))
This step changes the security attributes of the stream file to match
the policy. For example, if you defined the policy to say that the
stream file should be owned by the STMFOWNER profile, FIXIT runs the
CHGOWN command and changes the owner of the stream file.
To change the security attributes more frequently, create a CL program
with these two commands along with the DLYJOB command so that it will
“wake up” and run these commands as often as you require.
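The never-ending CL program below is an added example, not code shipped with Policy Minder or from the tip. It runs the two Policy Minder commands shown above every few minutes using DLYJOB. The 300-second interval, the APPLIB library, the PMFIXSTMF program name and the STMFOWNER profile are assumed; the CHECK and FIXIT commands and their CAT parameter are the ones the tip gives.

```cl
/* Added example (not from the SkyView tip or Policy Minder): a       */
/* never-ending job that runs CHECK and FIXIT for the *DIRAUT         */
/* category every &DELAY seconds. Interval, APPLIB, PMFIXSTMF and     */
/* STMFOWNER are assumed names/values.                                 */
PGM
   DCL VAR(&DELAY) TYPE(*DEC) LEN(6 0) VALUE(300)

   /* FIXIT acts on what the preceding CHECK found, so the pair can   */
   /* be repeated indefinitely. If CHECK fails, skip FIXIT for this   */
   /* cycle rather than fixing against stale results; either way the  */
   /* loop stays alive and the failure is left in the job log.        */
   /* Assumes failures arrive as CPF escape messages; adjust the      */
   /* MONMSG IDs to the product's own message prefix if it differs.   */
LOOP:       SKYVIEWPMP/CHECK CAT((*DIRAUT *STMF))
            MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(WAIT))

            SKYVIEWPMP/FIXIT CAT((*DIRAUT *STMF))
            MONMSG MSGID(CPF0000)

WAIT:       DLYJOB DLY(&DELAY)
            GOTO CMDLBL(LOOP)
ENDPGM

/* Submit it under a profile that can change the files itself, since  */
/* adopted authority does not apply in the IFS; stop it with ENDJOB.  */
/* SBMJOB CMD(CALL PGM(APPLIB/PMFIXSTMF)) JOB(PMFIXSTMF) +             */
/*        USER(STMFOWNER) JOBQ(QSYS/QSYSNOMAX)                         */
```

The DLYJOB interval is the trade-off the tip describes: a shorter delay lets the second user work with a freshly created stream file sooner, at the cost of running CHECK and FIXIT more often.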
Notes: You must run FIXIT with a profile that has sufficient authority
to make the required changes. In addition, changes made using FIXIT
are logged along with the previous value and what profile performed
the operation, so you have a record of operations performed by Policy
Minder.
Want to know more about SkyView Policy Minder? Join a webinar.