The Check IFS Entry command checks for object existence and/or
verifies the user's authority to an object in the IFS. If the object
exists and the user has the correct authority to the object, the
command completes normally. The CHKIFSE command is similar to the
system CHKOBJ command, but does not check for program or group adopt
(IFS restriction).
A typical CHKIFSE command would be:

     CHKIFSE    OBJ('/home/myhome/mydoc.doc') AUT(*NONE)

or

     CHKIFSE    OBJ('/home/myhome/mydoc.doc') AUT(*CHANGE)

If the object exists and the AUT parameter is satisfied (either by
*NONE or the user has the specified authority), the command completes
normally (no message is sent).
If the object is not found, an escape message is sent.
If the object is found, but the AUT parameter is not satisfied, an
escape message is sent.
Security discussion
-------------------
IFS authority checking follows a different model than checking of
objects in libraries. Program adoption and group adoption are not
included.
In order to determine the authority to an IFS object, a sub-function
(TAA RTVIFSEAUT command) uses an API that requires the user to have
*OBJMGT rights to the object. Since most users do not have this
right, it is necessary to use the 'program adopt' function to
determine the user's authority.
The 'program adopt' function does not operate when using an IFS path
name. However, using program adopt allows the program to swap the
current profile for QSECOFR during the running of the command and
then swap back to the original user's profile when the command
completes. Swapping occurs by the use of an API.
The original user name is searched for in the list of authorities
(not the swapped QSECOFR profile name).
The swapping of profiles allows a determination of the user's
authority to the object, but creates a problem in that the user could
use system request to 'end request' during the running of the command
and henceforth operate as QSECOFR. This is avoided by making the CL
program a 'request processor' and monitoring for 'end request'. If
'end request' occurs, the swap of profiles occurs back to the
original profile.
CHKIFSE escape messages you can monitor for
-------------------------------------------
     CPFA0A9    Object not found.
     CPF9898    General escape message. An unrecognized error was
                returned from the API to retrieve attributes for
                the IFS entry. Please check the joblog for more
                information on the error.
     TAA9891    Not authorized to object.
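
A calling program can monitor each of these message IDs separately and stop when any of them arrives. The CL program below is an added example, not part of the TAA tool; the program structure and the &STATUS and &TEXT variables are assumptions, and the path is the sample path used earlier.

```cl
/* Added example: caller-side handling of CHKIFSE results.  */
/* Program structure and variable names are assumptions.    */
PGM
  DCL        VAR(&STATUS) TYPE(*CHAR) LEN(8) VALUE('OK')
  DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(60)

  /* No message means the object exists and the current     */
  /* user has *CHANGE authority. Program and group adopt    */
  /* are not considered by the check.                       */
  CHKIFSE    OBJ('/home/myhome/mydoc.doc') AUT(*CHANGE)
  MONMSG     MSGID(CPFA0A9) EXEC(CHGVAR VAR(&STATUS) +
               VALUE('NOTFOUND'))
  MONMSG     MSGID(TAA9891) EXEC(CHGVAR VAR(&STATUS) +
               VALUE('NOTAUT'))
  MONMSG     MSGID(CPF9898) EXEC(CHGVAR VAR(&STATUS) +
               VALUE('APIERR'))

  /* Fail closed: any monitored escape stops the caller.    */
  IF         COND(&STATUS *NE 'OK') THEN(DO)
    CHGVAR     VAR(&TEXT) VALUE('CHKIFSE check failed:' +
                 *BCAT &STATUS)
    SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGDTA(&TEXT) +
                 MSGTYPE(*ESCAPE)
  ENDDO

  /* Reached only when the check passed. Work with the      */
  /* object goes here.                                      */
ENDPGM
```

Monitoring the specific IDs rather than a generic CPF0000 keeps an unexpected failure from being treated as a passed check.
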
Command parameters *CMD
------------------
   OBJ           Specify the path name of the object to be checked.
                 The object path name can be either a simple name or
                 a name that is qualified with the name of the
                 directory in which the object is located.

                 A /QSYS.LIB object can be checked.

   AUT           Specifies the authorities to be checked for this
                 user. The default is *NONE.

                 Authority checking using the IFS differs from
                 authority checking of objects in libraries such as
                 done by the system CHKOBJ command. The difference
                 is that no Program or Group adopt functions are
                 considered.

                 The possible values are as follows and have the same
                 meaning as on the system CHKOBJ command plus the PC
                 oriented values such as *RWX:

                    *NONE
                    *ALL
                    *CHANGE
                    *USE
                    *EXCLUDE
                    *OBJALTER
                    *OBJEXIST
                    *OBJMGT
                    *OBJOPR
                    *OBJREF
                    *ADD
                    *DLT
                    *EXECUTE
                    *READ
                    *UPD
                    *RWX  - Read, write (add, upd, dlt), and execute
                    *RW   - Read, write (add, upd, dlt)
                    *WX   - Write (add, upd, dlt), execute
                    *R    - Read
                    *W    - Write (add, upd, dlt)
                    *X    - Execute

   USRPRF        The user profile that will be switched to during run
                 time. QSECOFR is the default. For file systems
                 (such as QNTC), CHKIFSE will fail if QSECOFR does
                 not exist.

                 *CURRENT may be used or a specific user profile, but
                 the profile must have *ALLOBJ special authority.

Restrictions
------------
None, the tool is ready to use.
Prerequisites
-------------
The following TAA Tools must be on your system:
EXTLST Extract list
RTVIFSEAUT Retrieve IFS entry authority
RTVSPCAUT Retrieve special authority
SNDESCMSG Send escape message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------
   CHKIFSE       *CMD                   TAAIFSO       QATTCMD
   TAAIFSOC      *PGM       CLP         TAAIFSOC      QATTCL