IBM Support

Limiting Access to QSYS.LIB File System

Troubleshooting


Problem

This document discusses how to limit access to the QSYS.LIB file system through the Integrated File System.

Resolving The Problem


Integrated File System Overview

Note: The following information is offered on an as is basis. IBM Support Line can assist in clarifying the use or documentation of any of the commands discussed below. Recommendations and assistance on how to best secure user data on a particular system can be obtained from a consulting agreement. This document includes instructions for altering the security configuration on the system. Before making any changes to your system, carefully review and test the proposed changes.

The Integrated File System is a part of the IBM i operating system that supports stream input/output and storage management (similar to personal computer and UNIX operating systems) while providing an integrating structure over all information stored in the IBM i system. This allows for support of stream files and a hierarchical directory structure, and provides a common interface that allows users and applications to access database files, documents, and other objects stored on the system. The Integrated File System encompasses several file systems, each of which has its own set of logical structures and rules for accessing objects (stream files, database files, documents, and so on) within that file system.

One of these file systems (QSYS.LIB) provides access to the database files and all of the other OS/400 object types that are managed by library support. This is a concern for some system administrators who do not wish to allow their users access to this information. This document attempts to outline some possible security exposures and to alleviate other concerns with the QSYS.LIB file system. It is in no way intended to be a complete and comprehensive reference on the operating system security. Before we look at how to properly restrict a user's access to this file system, we must first take a look at how security is handled and what QSYS.LIB does and does not support:

File Handling Restrictions

QSYS.LIB is primarily a file system for relational database files. For additional information, refer to IBM Technote N1010226 Definition of a Relational Database, which describes what a relational database file is. Although not optimized for stream or flat file types (the root of Integrated File System offers the best performance and functionality for this file type), it does offer limited support via two special file types: program described files and source physical files. IBM i NetServer mapped drives are primarily intended to allow access to stream files similar to those used by PC applications. Because of the differences in the structure of the files and the way they are stored, there are several limitations in accessing files in QSYS.LIB via network drives. For full functionality, consider using a data aware application such as an ODBC-based PC application or IBM i Access for Windows Data Transfer.

- Logical files are not supported.
- Program described physical files containing a single field and source physical files containing one text field are the only types of physical files supported. Integrated File System provides limited functionality on these file types by offering functions such as automatic EBCDIC-to-ASCII conversion. Note that these file types support only fixed record lengths where end-of-record is delimited with a carriage return line feed in the ASCII file.
- Byte range locking is not supported. This restriction, in addition to the one listed above, implies that many word processors cannot operate on files in QSYS.LIB.
- If any job has a database file member open, only one job is given write access to that file member at any time. Other jobs are allowed read access only.

Accessing objects in QSYS.LIB via the Integrated File System

When accessing an object in QSYS.LIB file system by using Integrated File System commands or the file server program (used by System i Navigator), one must use the proper naming conventions. Libraries and files are treated as directories with a *.LIB and *.FILE extension respectively, and members as files of type *.MBR. For example, to access a file in library TEST, you must specify /QSYS.LIB/TEST.LIB/FILENAME.FILE as the path to the file. To use the SAV command to save a library to tape device TAP01, you would use the command: SAV DEV('/qsys.lib/tap01.devd') OBJ(('/qsys.lib/test.lib')). When using NetServer, you would use a backslash ('\') rather than a forward slash ('/').

Security

User access to an object is determined by the same method whether the object is accessed by an Integrated File System command or a native OS/400 command. Object access is determined by the operating system object authorities of the object and the privileges granted to the user profile. If a user has *EXCLUDE authority to library TEST, they are not able to access the directory TEST.LIB or any of the files or objects within that library. See the IBM i Information Center (710 version) Security Reference information, or review the IBM i Security - Reference manual, SC41-5302-11 for additional details on Security.


Why Is This a Problem?

Some system administrators indirectly restrict access to database files and other objects by limiting the user's access to a command line rather than the objects themselves. Every server program on the iSeries family system offers a way to bypass this 5250 emulation command line restriction. This can pose a problem on such systems.

How Do We Get Around This?

Can the authority to QSYS.LIB (using the CHGAUT command for Integrated File System) be changed to *NONE for *PUBLIC? The answer is no. All users of the system must have at least *USE access to QSYS.LIB or they are not able to sign on. Restricting access to QSYS.LIB would also restrict access for that user to ALL other objects on the IBM i. This would have the effect of rendering the user profile useless. Changing the authority to QSYS.LIB to *WX could also have severe ramifications for the user's ability to sign on. The following options work well for most environments:
1. Disable the user's ability to access objects in QSYS.LIB via the file server.

Note: No other host server is affected.

This can be done most effectively by changing the user's authority in the QPWFSERVER authorization list. This authorization list is checked by the IBM i file server before a network drive request to QSYS.LIB is performed. For example, changing *PUBLIC to *EXCLUDE in this authorization list prevents all network drive access to QSYS.LIB.

Additional details:

Network drive users can access the IBM i library/file/member structure through a directory/File System called QSYS.LIB. QSYS.LIB is on the root of the IBM i directory tree. If users are to be prevented from accessing data in QSYS.LIB via network drives (using a drive letter, UNC name, mapped NetServer network drive, or Windows Network Places), restrict access by modifying the QPWFSERVER authorization list. This authorization list is checked by the IBM i file server before a network drive request to QSYS.LIB is performed.

To change the Authorization List, use WRKAUTL AUTL(QPWFSERVER) then take option 2 to edit.
2. Use an exit program to control access to the file server program. See the IBM i Information Center (710 version) section on Use server exit programs for additional information.
3. The best method: Implement object level security on the system. Object level security is checked every time an object is accessed, regardless of the method (Integrated File System, Client Server, emulation, and so on).

Any of the above methods should prove adequate for limiting the ability of a user to browse QSYS.LIB.
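
Options 1 and 3 expressed as CL commands, as an added example that is not part of the IBM document. TEST is the library name used earlier on this page; APPUSER is a hypothetical user profile chosen for illustration.

```cl
/* Added example, not IBM's own procedure.                           */
/* Assumptions: TEST is the library from this page's path example,   */
/* APPUSER is a hypothetical profile that still needs access.        */

/* Option 1: review who is currently on the file server list.        */
DSPAUTL AUTL(QPWFSERVER)

/* Option 1: deny network drive access to QSYS.LIB by default.       */
CHGAUTLE AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)

/* Option 1: add back only the profiles that need network drives.    */
ADDAUTLE AUTL(QPWFSERVER) USER(APPUSER) AUT(*USE)

/* Option 3: check the library's current object authorities first.   */
DSPOBJAUT OBJ(QSYS/TEST) OBJTYPE(*LIB)

/* Option 3: exclude *PUBLIC from the library itself, then grant     */
/* the one profile that needs it. This is enforced on every access   */
/* path, not only the file server.                                   */
GRTOBJAUT OBJ(QSYS/TEST) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QSYS/TEST) OBJTYPE(*LIB) USER(APPUSER) AUT(*USE)

/* Confirm the result through the Integrated File System name of     */
/* the same library; it reports the same object authorities.         */
DSPAUT OBJ('/QSYS.LIB/TEST.LIB')
```

The QPWFSERVER entries only gate network drive requests to QSYS.LIB, so the GRTOBJAUT step is what protects the library when it is reached through other servers or a command line.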

For information on security considerations when using IBM i Access data access functions, refer to the InfoCenter and to IBM Technote N1018280 iSeries Access ODBC, JDBC, OLE DB, and .NET Security Issues. Sign in with your IBM credentials to view this document.



Additional Note - added for searchability:

The name i5/OS NetServer may be used interchangeably with IBM i NetServer, System i NetServer, iSeries NetServer, OS/400 NetServer, or (older) AS/400 NetServer or AS400 NetServer.

Historical Number

9021243

Document Information

More support for:
IBM i

Software version:
6.1.0

Operating system(s):
IBM i

Document number:
682999

Modified date:
18 December 2019

UID

nas8N1010088
