Rob, and everyone,
Considering the SERIOUS CONSEQUENCES of allowing read-write shares to the root of the IFS, in these days of "Ramsomware" attacks, etc., I think we need an RFC and get everyone to vote on it, such that IBM permanently "bans" all read-write "shares" of the root file system on IBM i.
What do you all think?
Mark S. Waterbury
On Tuesday, October 20, 2020, 11:31:08 AM EDT, Rob Berendt <rob@xxxxxxxxx> wrote:
You do not use WRKLNK to set up shares. You use it to handle things in the IFS. Sharing is done through other interfaces such as iACS or the webby navigator for i. Or even GO NETS if you have that loaded.
The reason I bring this up is I was just on a webinar. Part of it was discussing the evils of sharing the root on IBM i. Something I wholeheartedly agree with.
You can use multiple interfaces such as WRKLNK, iACS, etc to define security on a share. That is totally different than using interfaces other than WRKLNK to define a share as update or read only.
Ok, now with this in mind, this happened on the chat:
Audience Question
Q: wrklnk '/' should have no write permission? Also qopensys/ibm?
A: Correct, never share the root
Well, if someone does this, and uses WRKLNK to change the authority on '/' to read only they just made the system unusable to a bulk of people. They should expect a large crowd of pitchforks and torches.
What they should have done is use one of the interfaces other than WRKLNK to either remove any shares on '/', or to mark the share as read only.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
midrange.com
