Public authority to the root directory

When your system ships, the public authority to the root directory is *ALL for all object authorities and all data authorities.

This setting provides flexibility and compatibility with both what UNIX-like applications expect and what typical IBM i users expect. An IBM i user with command-line capability can create a new library in the QSYS.LIB file system by using the CRTLIB command. Normally, authority on a typical IBM i platform allows this. Similarly, with the shipped setting for the root file system, a typical user can create a new directory in the root file system, just like you can create a new directory on your PC.

As a security administrator, you must educate your users about adequately protecting the objects that they create. When a user creates a library, probably the public authority to the library should not be the default value, *CHANGE. The user should set public authority either to *USE or to *EXCLUDE, depending on the contents of the library.

If your users need to create new directories in the root (/), QOpenSys, or user-defined file systems, you have several security options:
  • You can educate your users to override the default authority when they create new directories. The default is to inherit authority from the immediate parent directory. In the case of a newly created directory in the root directory, by default the public authority will be *ALL.
  • You can create a primary subdirectory under the root directory. Set the public authority on that primary directory to an appropriate setting for your organization. Then instruct users to create any new personal directories in this primary subdirectory. Their new directories will inherit its authority.
  • You can consider changing the public authority for the root directory to prevent users from creating objects in that directory. You can prevent users creating objects by removing *W, *OBJEXIST, *OBJALTER, *OBJREF, and *OBJMGT authorities. However, you need to evaluate whether this change will cause problems for any of your applications. You might, for example, have UNIX-like applications that expect to be able to delete objects from the root directory.