File shares are what make a file system or a directory within a file system available to be accessed via your corporate network. File shares allow users to map a drive to the directory, making the directory appear as part of the PC directory structure when viewed from an interface such as Windows Explorer.
While a convenient way to share data throughout a corporation, defining shares can create serious security exposures if OS/400 object authority has not been set appropriately on the shared objects. For example, defining a read/write share for the root ('/') directory provides access via the corporate network to the entire directory structure, which includes the QSYS.LIB file system -- better known as OS/400 itself.
File shares are created using iSeries Navigator. Go to My Connections->iSeries_name->File Systems->Integrated File System. Right click on the directory or file you want to share. Choose Sharing.
Shares can be defined as read-only or read/write. Obviously, the more secure setting is read-only because -- as the name implies -- users can only read the data that is being shared on the network and not update it. However, whether the share is defined as read-only or read/write, OS/400 security has the final word. For example, if a read-only share is defined for a directory and Carol is excluded from the directory, she will not be able to see the contents of the directory.
To see the existing shares, click on File Shares under File Systems in iSeries Navigator. Right click on a share and choose Properties to see whether the share is read-only or read/write. When viewing directories or files via iSeries Navigator, existing shares are indicated by a hand underneath the directory or file name. See Figure 1.
Figure 1: The hand under the Root directory indicates that a share has been defined. The shares defined on this system are shown on the right.
Because file shares can literally make your entire system available to your corporate network, you want to control the creation of file shares. To do this, control the users that have authority to the QZLSADFS (Add file share) and QZLSCHFS (Change file share) APIs. Change the *PUBLIC authority of these APIs to *PUBLIC(*EXCLUDE) and grant *USE authority to the individuals or group(s) that should be able to create or change file shares.
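The same lockdown expressed as CL commands an administrator can run from a command line. This is an added example, not from the original article; NETADMIN is a placeholder group profile for the staff allowed to manage shares.

```cl
/* Restrict who can create or change file shares by locking down the    */
/* QZLSADFS (Add File Share) and QZLSCHFS (Change File Share) APIs.      */
/* Assumption: NETADMIN is a placeholder group profile; substitute the   */
/* user or group profile that should be able to define shares.          */

/* 1. Remove public access to both APIs.                                */
GRTOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QSYS/QZLSCHFS) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)

/* 2. Grant *USE only to the group that is allowed to manage shares.    */
GRTOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM) USER(NETADMIN) AUT(*USE)
GRTOBJAUT OBJ(QSYS/QZLSCHFS) OBJTYPE(*PGM) USER(NETADMIN) AUT(*USE)

/* 3. Verify: *PUBLIC should now show *EXCLUDE and NETADMIN *USE.       */
DSPOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM)
DSPOBJAUT OBJ(QSYS/QZLSCHFS) OBJTYPE(*PGM)

/* 4. Object authority has the final word on what a share exposes, so   */
/*    also review the authority on the root directory itself.           */
DSPAUT OBJ('/')
```

Users with *ALLOBJ special authority are not restricted by object authority, so this controls share creation only for regular user profiles.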
To remove file shares from users' view, use Application Administration. One feature of Application Administration lets you remove features users see when they launch iSeries Navigator. (Note, the function is still there -- they just can't see it. This is truly a case of "security by obscurity." While not the most robust, it works for some users.) To use Application Administration, open iSeries Navigator and right click on the iSeries system name. Choose Application Administration. See Figure 2.
Figure 2: Configuring file share access via Application Administration
Scroll down until you see the File share entry. Uncheck the "Default Access" box and your general user community will not be able to view the file shares on your system. Uncheck the "All Object Access" box and your *ALLOBJ users will not be able to see the file shares. Highlight the File share entry and press Customize. Figure 3 shows how you can allow specific users or groups to view the file share function in iSeries Navigator.
Figure 3: Customizing a user's or group's ability to see file shares through iSeries Navigator
About the author: Carol Woodbury is co-founder of SkyView Partners, LLC, a firm specializing in security consulting, services and assessment software. Carol is the former Chief Security Architect for AS/400 for IBM in Rochester, Minn., and has specialized in security architecture, design and consulting for over 14 years. Carol speaks around the world on a variety of security topics and is co-author of the book, Experts' Guide to OS/400 and i5/OS Security.