Porting Central

Security

How is authentication information stored on iSeries?

Authentication information is stored in individual "profiles" on iSeries rather than in files like /etc/passwd. Users and groups have profiles. All of these profiles share one name space, so you will not find a user profile named "JOE" and a different group profile also named "JOE."

Are user and group names case sensitive?

User and group names are mono-case. If you pass a lower case name to the getpwnam() or getgrnam() APIs, the system folds the case so that the name strings match as expected. If you call getpwuid() or getgrgid() to get the profile name returned, it will be in upper case.

Does iSeries support uids and gids?

Every user has a uid. Every group has a gid. These are defined according to the POSIX 1003.1 standard; the two numeric spaces are separate, so you can have a user with uid of 104 and a group with a gid of 104 that are distinct from each other.

How does iSeries handle the "super user" or "root" concept?

iSeries has a user profile for the security officer, QSECOFR, that has a uid of 0. No other profile can have the uid of 0. QSECOFR is the most privileged profile on the system and in that sense acts as the root user. However, iSeries also provides a set of specific privileges that can be assigned to individual users by system administrators.

One of these privileges, *ALLOBJ, overrides discretionary access control (for example, file access checks), which is a typical use of root privileges on UNIX systems. For a ported application that relies on root access, it is better security practice to create a specific user id for the "application user" and give it *ALLOBJ authority, avoiding the use of QSECOFR, which has far more privilege than a single application needs.

Does OS/400 require a user to be a member of a group?

No, unlike UNIX systems, iSeries does not require group membership for users. The gid of 0 for a user profile on iSeries means "no group assigned" rather than referring to a group with more privilege.
