Greetings!
Here is your i5/OS Security Tip for January, 2007 from SkyView Partners, Inc., World Class i5/OS & OS/400 Security Experts.
The issue
More and more of you are having to deal with the issue of securing objects in the Integrated File System (IFS). Specifically, headaches are being caused as you attempt to deal with stream files moving into and out of directories. The use of stream files within a process often poses challenges because of the authorities with which stream files are created. Unfortunately, stream files do not inherit authorities from their directory. Rather, stream files are created with the owner having data authorities *RWX (the equivalent of *CHANGE) and object authorities *NONE. Both the primary group and owner’s authority are set to *EXCLUDE. You have no choice in the matter – this was how i5/OS was architected to authorize stream files. You also have no choice about who owns the stream file. Even if you have configured the user profile attribute that causes newly created objects to be owned by the user’s group (rather than the user), in the case of objects created into the IFS, the attribute is ignored. Therefore, the owner is always the user who created the stream file. This poses tremendous challenges when one user creates the stream file and another user has to delete and re-create it or move it to another directory, because the second user doesn’t have sufficient authority.
Options
The first option you might think of is to write a program that adopts the authority of an *ALLOBJ user and have the program work with the stream file, or at least change the ownership or grant sufficient authority. Unfortunately, adopted authority is ignored when accessing an object in the IFS. So the user making the change needs to have sufficient authority to the object when working with the stream file, changing the ownership or granting authority. So what are your options?
If you have written the program to create the stream file, the easiest way around this problem is to follow the creation of the stream file with an immediate Change Authority (CHGAUT) command. CHGAUT can be used to change the *PUBLIC authority of the object, grant authority to a group or secure the stream file with an authorization list so that other users can work with the stream file.
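As an added illustration, not part of the original tip, here is a CL program that writes a stream file and follows the creation immediately with CHGAUT, first securing the file with an authorization list and then granting the processing group the authority it needs to delete and re-create the file. The /bank/outbound directory, the BNKTRANSFR authorization list, the BANKGRP group profile and the BANKLIB/TRANSFERS database file are assumed names.

```cl
/* Added example, not from the tip. Assumed names: the /bank/outbound     */
/* directory, the BNKTRANSFR authorization list, the BANKGRP group        */
/* profile and the BANKLIB/TRANSFERS database file.                       */
PGM
  DCL VAR(&STMF) TYPE(*CHAR) LEN(128) +
      VALUE('/bank/outbound/BankTransfer001.txt')

  /* Program-level monitor: any failure below ends with an escape message */
  /* rather than leaving a file silently locked to its creator.           */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

  /* Write the stream file. Adopted authority is ignored in the IFS, so   */
  /* the file is owned by the job's current user and starts with the      */
  /* default stream file authorities described in the tip.                */
  CPYTOSTMF FROMMBR('/QSYS.LIB/BANKLIB.LIB/TRANSFERS.FILE/TRANSFERS.MBR') +
            TOSTMF(&STMF) STMFOPT(*REPLACE) STMFCODPAG(*PCASCII)

  /* Secure the new file with the authorization list right away, so that  */
  /* list membership, not who happened to create the file, decides who    */
  /* may read or replace it.                                              */
  CHGAUT OBJ(&STMF) AUTL(BNKTRANSFR)

  /* The group that later deletes and re-creates the file needs *RWX data */
  /* authority plus *OBJEXIST to remove it. It also needs *WX on the       */
  /* directory, which is granted once on /bank/outbound, not per file.    */
  CHGAUT OBJ(&STMF) USER(BANKGRP) DTAAUT(*RWX) OBJAUT(*OBJEXIST)
  RETURN

FAILED: SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
          MSGDTA('Authority setup failed for' *BCAT &STMF) MSGTYPE(*ESCAPE)
ENDPGM
```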
If stream file creation occurs in a vendor package, you probably don’t have access to the code to be able to insert a CHGAUT. In this case, you may have to schedule a job that periodically changes the *PUBLIC authority, grants authority to other users or changes the ownership of the object. Another solution is to create a never-ending job that wakes up periodically to grant authority or change ownership. The solution you choose will depend on how quickly someone has to work with a stream file that is created by another user.
Using Policy Minder to work with Stream Files
Policy Minder provides a simple solution for ensuring stream files are owned and authorized appropriately.
From the Policy Minder Main menu, take option 1=Work with Policies, then option 5 on the *DIRAUT category. Press F6=Create to create a directory template. On this first screen specify the pathname of the directory that contains the stream file. If you want to ensure the directory itself is secured and owned properly, specify the appropriate values; otherwise, leave the attributes at the default (*ANY).
Scroll down until you come to the Work with Object Templates screen. Press F6=Create. This template is where you’re going to define how the stream file is to be owned and authorized. Specify the name of a specific stream file, or specify a generic name such as BankTransfer* or the value *ALL. You can specify the extension of *STMF, or leave the extension field blank to apply the policy to all object types in the directory.
Scroll down. Specify the owner, authorization list, primary group, *PUBLIC and private authorities the stream file should have. (If an attribute is not important, just leave the default *ANY.) Once you’ve specified all of the values you want, keep pressing Enter until you return to the Directory Authorities screen.
To enable Policy Minder to manage the stream file authorities you must enable the FixIt function. On the directory template you just created, select option 15=Enable FixIt. Now, after a compliance check is run on the directory template, FixIt can be used to set the appropriate authority and ownership on the stream files.
If it is sufficient to change the ownership and authority of the stream files once a day, simply schedule a job that runs the CHECK command and then runs FIXIT. For example:
SKYVIEWPMP/CHECK CAT((*DIRAUT *STMF))
This step determines which stream file security attributes do not match the defined policy.
SKYVIEWPMP/FIXIT CAT((*DIRAUT *STMF))
Policy Minder changes the security attributes of the stream file to match the policy. For example, if you defined the policy to say that the stream file should be owned by the STMFOWNER profile, FIXIT runs the CHGOWN command and changes the owner of the stream file.
To change the security attributes more frequently, create a CL program with these two commands along with the DLYJOB command so that it will “wake up” and run these commands as often as you require.
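The never-ending job just described, written out as an added example (not code from the tip or from SkyView): it runs CHECK, runs FIXIT only if the check succeeded, sleeps with DLYJOB and repeats until an operator asks it to stop. The 15-minute interval and the QGPL/PMFIXSTOP data area used as the stop flag are assumptions.

```cl
/* Added example, not from the tip: a never-ending job that re-checks the */
/* *DIRAUT *STMF policy and applies FixIt at a fixed interval. Assumed:   */
/* the 15-minute interval and the QGPL/PMFIXSTOP data area used to stop.  */
PGM
  DCL VAR(&INTERVAL) TYPE(*DEC)  LEN(6 0) VALUE(900)   /* seconds */
  DCL VAR(&STOP)     TYPE(*CHAR) LEN(1)   VALUE('N')

  /* Run the compliance check. If it fails, skip FIXIT rather than act on */
  /* stale results. CPF0000 covers the CPF message range only.            */
LOOP:  SKYVIEWPMP/CHECK CAT((*DIRAUT *STMF))
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(WAIT))

  /* Apply the policy. FIXIT issues commands such as CHGOWN, so this job  */
  /* must run under a profile with authority to make those changes; each  */
  /* change is logged with the previous value and the acting profile.     */
  SKYVIEWPMP/FIXIT CAT((*DIRAUT *STMF))
  MONMSG MSGID(CPF0000)

  /* Sleep, then look for an operator stop request (data area set to Y).  */
WAIT:  DLYJOB DLY(&INTERVAL)
  RTVDTAARA DTAARA(QGPL/PMFIXSTOP (1 1)) RTNVAR(&STOP)
  MONMSG MSGID(CPF0000)                 /* no data area: keep running */
  IF COND(&STOP *NE 'Y') THEN(GOTO CMDLBL(LOOP))
ENDPGM
```

Submit the program to its own subsystem or job queue and use the data area, not ENDJOB, to stop it between cycles so a FIXIT pass is never cut off part way.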
Notes: You must run FIXIT with a profile that has sufficient authority to make the required changes. In addition, changes made using FIXIT are logged along with the previous value and what profile performed the operation, so you have a record of operations performed by Policy Minder.
Want to know more about SkyView Policy Minder? Join a free Webinar.
Carol Woodbury's Policy Minder for i5/OS & OS/400 is an i5/OS & OS/400 security compliance management tool.
See Video Introduction to SkyView Policy Minder (4:22).
With Policy Minder, you take the time out of managing and fixing the implementation details of your security policy, as well as taking the guesswork out of your security compliance status.
Sincerely,

Carol Woodbury
SkyView Partners, Inc.