1. Administrators should never export the "root" (/) directory. Remember that whenever you export a file system, you also export all of the directories and objects "downstream" of the path. Should the "root" (/) directory become exported, all the other directories and objects downstream of "root" (/) will become exported as well. Export only what is needed by clients.

2. Administrators should never export any file system to "the world," allowing universal client access to information. Instead, administrators should tailor each exported file system to the needs of each client. Opening up the server to access from "the world" allows for unknown users to mount and change your files at will. Export only to specific clients.

See "Exporting to 'The World'" on page 89 for more information about limiting your exports.

3. Administrators should very cautiously give QNFSANON universal access to any file system whatsoever. Doing so allows unknown (anonymous) users to mount and change file systems. Export only to clients who need file systems.

See "Anonymous Users" for more information about limiting access to anonymous users.

Export Options

There are two major ways to export a file insecurely to the network namespace:

1. Administrators can give anonymous users access to exported file systems by allowing unknown users to read and make changes to data.

2. Administrators can export to "the world," meaning that all those users both within and outside of the trusted community can access the exported data.

It is not necessary to distribute file systems to unknown users or systems not in the trusted community. The administrator of an NFS server should only ever export the proper data for the proper clients at any given time.

Anonymous Users

To prohibit anonymous users from gaining access to exported file systems, it is important to completely understand the ANON option of the CHGNFSEXP command. You can specify that anonymous or unknown UIDs be mapped to the QNFSANON UID, giving those users a level of access on AS/400.

To prevent this from occurring, an administrator can specify ANON=-1 to prohibit anonymous users from mapping to QNFSANON on the system. Remember that the default option value is QNFSANON, which translates to giving anonymous users *USER authority. This will allow anonymous users to read files, but not write to them. Administrators can also specify a UID with a different default authority with this option.
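The three export rules and the ANON behavior described above can be checked mechanically. The following is an added example, not code from the IBM manual: it audits export definitions written as a directory plus a comma-separated option list. It assumes the RO, RW and ACCESS option names alongside ANON, and assumes that an export without an ACCESS= client list is open to every client; all paths and host names are constructed sample data.

```python
# Added example: audit NFS export definitions against the three export rules.
# Paths, host names and option strings below are constructed sample data.

def parse_options(opt_string):
    """Split 'RO,ANON=-1,ACCESS=hosta:hostb' into a dict keyed by option name."""
    opts = {}
    for item in filter(None, (p.strip() for p in opt_string.split(","))):
        key, _, value = item.partition("=")
        opts[key.upper()] = value
    return opts

def audit_export(path, opt_string):
    """Return the list of findings for one exported directory."""
    opts = parse_options(opt_string)
    findings = []
    # Rule 1: exporting "/" exports every directory and object downstream of it.
    if path.rstrip("/") == "":
        findings.append("root-export")
    # Rule 2 (assumption): no ACCESS= client list means any client may mount.
    clients = [c for c in opts.get("ACCESS", "").split(":") if c]
    if not clients:
        findings.append("world-export")
    # Rule 3: when ANON is omitted the default is QNFSANON, so unknown UIDs
    # are mapped to a real profile; only ANON=-1 prohibits the mapping.
    if opts.get("ANON", "QNFSANON") != "-1":
        findings.append("anonymous-mapped")
    return findings

def audit_all(exports):
    """Map each exported path to its findings (an empty list means clean)."""
    return {path: audit_export(path, opts) for path, opts in exports}

# Constructed sample export definitions: (directory, option list).
SAMPLE_EXPORTS = [
    ("/", "RW"),
    ("/engdata/mech", "RO,ANON=-1,ACCESS=clienta:clientb"),
    ("/home/shared", "ACCESS=clienta"),
    ("/pub", "RO,ANON=-1"),
]

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE_EXPORTS).items():
        print(f"{path:16} {', '.join(findings) or 'ok'}")
```
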

When users are mapped to QNFSANON, any objects they create belong to that profile, and not to their user profile. For example, a user named Cayce has a UID of 123 and mounts a server file system on a client. Cayce then creates a file. The owner of this file is QNFSANON, not Cayce. A display of the permissions reveals the read, write, and execute authorities belong only to the owning profile, QNFSANON. Cayce has no access to the file he just created because he is not the owner.

The solution to this problem is to follow one of these procedures:

- Create the file with open permissions for "the world"

88 OS/400 Network File System Support V4R4


AS/400E specifications

The IBM AS/400E, now more commonly known as IBM i, is a robust and versatile midrange server that has been designed to provide a comprehensive computing solution for businesses of all sizes. First introduced in the late 1980s, the AS/400 series has undergone multiple enhancements and rebranding, with the AS/400E being one of the notable iterations. This powerful platform is closely associated with IBM's commitment to reliability, scalability, and integrated business solutions.

One of the main features of the AS/400E is its highly integrated architecture that combines hardware and software into a cohesive system. This integration allows for seamless operations, reducing the complexity typically associated with managing disparate systems. The system is powered by IBM's proprietary OS/400 operating system, which has evolved into IBM i, featuring advanced capabilities like object-oriented programming, integrated database management, and security features that are essential for enterprise environments.

A key characteristic of the AS/400E is its robust database support, primarily through the use of DB2 for i. This integrated database management system enables efficient data handling and retrieval, facilitating real-time business analytics and reporting. Furthermore, the platform supports a variety of programming languages, including RPG, COBOL, and Java, making it flexible for developers who require diverse tools for application development.

The AS/400E is also known for its exceptional reliability and uptime, making it a preferred choice for critical business applications in industries such as finance, healthcare, and manufacturing. This reliability is backed by advanced error detection and correction mechanisms, as well as redundancy features that help prevent data loss and minimize downtime.

In terms of scalability, the AS/400E can effortlessly expand to accommodate growing business demands. Organizations can increase processing power by adding more resources without significant disruption. This scalability, combined with the system’s built-in virtualization capabilities, allows businesses to optimize resource usage and streamline operations.

Security is another defining feature of the AS/400E. The platform incorporates various layers of security measures, including user authentication, encryption, and comprehensive auditing capabilities, ensuring that sensitive business data is protected against unauthorized access.

Overall, the IBM AS/400E remains a powerful tool in the enterprise computing landscape, providing businesses with an integrated, reliable, and secure solution for their technological needs. Its enduring popularity is a testament to its capability to evolve with changing business requirements while maintaining its core attributes of high performance and stability.