File permissions

General discussion on Zend Server for IBM System i

Post by adominguez24 » Wed Oct 07, 2015 2:47 pm

Hello,

I have a problem with file permissions. I connect to the IBM i through a share drive (htdocs) to create new PHP files. I am able to edit or delete those files since I created them and I'm the owner of those files. The problem is when I run those PHP files through the browser and that PHP script creates other files (CSV, logs, etc.): those newly created files are not owned by me and I am unable to delete/edit them. I was told by our admin that giving my account All Obj Auth is a bad idea and not recommended. Is there another way to somehow give my account permission to any files created under the zendsvr6/htdocs folder?


IBM i Version: 6.1
ZS Version: 7 (with the latest Hotfix)


Thank you,

Anthony


Re: File permissions

Post by paul5383 » Sat Oct 10, 2015 3:35 am

Are you creating user files under zendsvr6/htdocs (e.g. CSV)? If so I would change this to write to something like the /home/xxx folder (where xxx is some other folder), or have another folder under root where you can control the permissions.

To give yourself access to zendsvr6/htdocs you can use the chgaut command to grant permissions for your user profile. Your colleague is right, *ALLOBJ is not a great solution.


Re: File permissions

Post by timo_karvinen » Wed Oct 14, 2015 2:58 pm

I think on newer versions of Zend Server on i the user profile that owns files created by PHP is QTMHHTTP (used to be NOBODY in old versions).
Now QTMHHTTP by default has group profile NOGROUP, but unfortunately it also defines Owner-parameter as itself (*USRPRF) and not the group (*GRPPRF).
If your admin would allow a change on the QTMHHTTP profile to set it with OWNER(*GRPPRF) and then your profile would be added to NOGROUP you would have access to PHP created files.
Or the other way to achieve the same is to leave QTMHHTTP as owner of new objects but change its GRPAUT value to *ALL/*CHANGE to give authority to NOGROUP members.

And of course you can just chown / chgrp the created file in your PHP script to get a more appropriate owner for the file, but this is a bit more cumbersome to do everywhere you create files.

-Timo
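
The chgrp approach mentioned in the last reply can be wrapped in one helper so it is not repeated at every place a script creates a file. This is an added example, not code from the thread or from Zend Server; the group name `PHPDEV` and the function `write_group_file` are hypothetical, and it assumes the profile running PHP is allowed to assign that group.

```php
<?php
// Added example. DEV_GROUP is a hypothetical group shared by the profile
// that runs PHP and by the developers who must edit the generated files.
const DEV_GROUP = 'PHPDEV';

/**
 * Write $data to $path with group read/write access instead of relying on
 * a broad special authority for the developer's own profile.
 * The file is built under a temporary name in the same directory and then
 * renamed, so it never appears half-written or with the wrong permissions.
 */
function write_group_file(string $path, string $data, string $group = DEV_GROUP): void
{
    $dir = dirname($path);
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("directory not writable: $dir");
    }
    $tmp = tempnam($dir, 'tmp');
    if ($tmp === false) {
        throw new RuntimeException("cannot create temporary file in $dir");
    }
    try {
        if (file_put_contents($tmp, $data, LOCK_EX) === false) {
            throw new RuntimeException("write failed: $tmp");
        }
        // Fails unless the running profile may hand the file to this group.
        if (!chgrp($tmp, $group)) {
            throw new RuntimeException("chgrp to $group failed: $tmp");
        }
        // Owner and group: read/write. Everyone else: no access.
        if (!chmod($tmp, 0660)) {
            throw new RuntimeException("chmod failed: $tmp");
        }
        if (!rename($tmp, $path)) {
            throw new RuntimeException("rename to $path failed");
        }
    } catch (Throwable $e) {
        @unlink($tmp); // do not leave the temporary file behind
        throw $e;
    }
}

// Usage (constructed path):
// write_group_file(__DIR__ . '/export/report.csv', "id,name\n1,test\n");
```

The mode bits cover reading and writing the file's data; deleting a file also depends on the authority the user has to the directory that contains it.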
