z/OS UNIX System Services Planning


Comparing UNIX security and z/OS UNIX security

GA32-0884-00

Some of the people who perform z/OS® UNIX tasks have a background in MVS™, while others have experience in UNIX systems other than z/OS UNIX.

MVS, traditional UNIX, and z/OS UNIX systems manage user identities differently. Table 1 contrasts various aspects of security on these systems.
Table 1. Comparing traditional UNIX, MVS, and z/OS UNIX security. This table compares the aspects of security on traditional UNIX, MVS, and z/OS UNIX systems.
| Category | Traditional UNIX | MVS | z/OS UNIX |
| --- | --- | --- | --- |
| User identity | Users are assigned a unique UID, a 4-byte integer and user name. | Users are assigned a unique user ID of 1-to-8 characters. | Users are assigned a unique user ID with an associated UID. |
| Security identity | UID | User ID | UID for accessing traditional UNIX resources and the user ID for accessing traditional z/OS resources |
| Login ID | Name used to locate a UID | Same as the user ID | Same as the user ID |
| Special user | Multiple user IDs can be assigned a UID of 0. | RACF® administrator assigns necessary authority to users. | Multiple user IDs can be assigned a UID of 0 or users can be permitted to BPX.SUPERUSER. |
| Data set access | Superuser can access all files. | All data sets controlled by RACF profiles. | Superuser can access all UNIX files; data sets controlled by RACF profiles. |
| Identity change from superuser to regular user | Superuser can change the UID of a process to any UID using setuid() or seteuid() functions. | APF-authorized program can invoke SAF service to change identity. | There are two options: 1. If BPX.DAEMON is not defined, the superuser can change the UID of a process to any UID using setuid() or seteuid() functions. 2. Or, the superuser must be permitted to BPX.DAEMON in order to change UIDs. |
| Identity change from regular user to superuser | The su shell command allows change if user provides password for the root. Password phrases are not used in traditional UNIX security. | No provision for unauthorized user to change identity. | The su shell command allows change if the user is permitted to BPX.SUPERUSER or if the user provides the password or password phrase of a user with a UID of 0. |
| Identity change of a regular user from one UID to another UID | The su shell command allows change if user provides password. Password phrases are not used in traditional UNIX security. | No provision for unauthorized user to change identity. | The su shell command allows change if user provides password or password phrase. |
| Terminate user processes | Superuser can kill any process. | MVS operator can cancel any address space. | Superuser can kill any process. |
| Multiple logins | Users can login to a single user ID multiple times. | Users can only log on to TSO/E once per user ID. | Users can rlogin multiple times to a single user ID and logon once to TSO/E at the same time. |
| Login daemons | inetd, rlogind, lm, and telnetd process user requests for login. A process is created with the user identity (UID). | TCAS and VTAM® process user requests for logon. A TSO/E address space (process) is created with the user identity (user ID). | Users can log on to TSO/E or login using one of the login daemons. In all cases, an address space is created with both an MVS identity (user ID) and a UID. |
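
The row "Identity change from superuser to regular user" is the path a daemon takes when it hands work to a user identity. The following C sketch is an added example, not code from the IBM publication: it shows that change made with setuid(), with every failure treated as fatal so the program never continues as superuser when the change is refused. The function name drop_to_user and the command-line handling are hypothetical, and the code assumes POSIX setuid() semantics and a target user that has no route of its own back to UID 0.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch the process to uid/gid. Returns 0 on success, -1 with
 * errno set on failure; on -1 the caller must exit, not carry on as before. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* asking to "drop" to UID 0 is a caller bug */
        errno = EINVAL;
        return -1;
    }
    /* setgroups() needs superuser authority, so replace the inherited
     * supplementary groups and the GID before giving that authority up. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* Per Table 1: on z/OS UNIX with BPX.DAEMON defined, the change of UID
     * is refused unless the superuser is permitted to BPX.DAEMON. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify the result: both UIDs changed, and UID 0 cannot be taken back. */
    if (getuid() != uid || geteuid() != uid || setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_to_user(uid, gid) != 0) {
        fprintf(stderr, "identity change failed: %s\n", strerror(errno));
        return 1;                   /* never keep running as superuser */
    }
    printf("now running as uid=%lu gid=%lu\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

The order of the calls matters: once setuid() has succeeded the process no longer has the authority to change its groups, so groups and GID are set first and the result is checked last.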





Copyright IBM Corporation 1990, 2014