z/OS UNIX System Services Planning
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Steps for preparing the security program for daemons

z/OS UNIX System Services Planning
GA32-0884-00

Before you begin: You need to follow the procedures for security as described in:
  1. Preparing RACF.
  2. Defining z/OS UNIX users to RACF and Defining group identifiers (GIDs).
  3. Controlling access to files and directories.
Perform the following steps to prepare RACF® for daemons:
  1. Define BPX.DAEMON to permit users that are known as daemons to query or modify the z/OS security environment of a process. 
    RDEFINE FACILITY BPX.DAEMON UACC(NONE)
    Rule: You must use the name BPX.DAEMON. Substitutions are not allowed.
    Tip: The system administrator must be defined to the daemon FACILITY class so that if a daemon process fails, the system administrator can restart it. To authorize a current RACF security administrator to be a superuser who can restart daemons, issue: 
    PERMIT BPX.DAEMON CLASS(FACILITY) ID(RACFADM) ACCESS(READ)

    _______________________________________________________________

  2. If this is the first FACILITY class that the installation has defined, activate it. 
    SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY)

    _______________________________________________________________

  3. Give daemon authority to the kernel. Most daemons that inherit their identities from the kernel address space are started from /etc/rc.
    Example: To authorize the OMVSKERN user ID to BPX.DAEMON, issue: 
    PERMIT BPX.DAEMON CLASS(FACILITY) ID(OMVSKERN) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

    _______________________________________________________________

  4. Define a superuser with a user ID of BPXROOT on all systems so that daemon processes can invoke setuid() for superusers. 
    ADDUSER BPXROOT DFLTGRP(OMVSGRP) OMVS(UID(0)
      HOME('/') PROGRAM('/bin/sh'))
NOPASSWORD

    The NOPASSWORD option indicates that BPXROOT is a protected user ID that cannot be used to enter the system by using a password or password phrase. The user ID will not be revoked due to invalid logon attempts.

    _______________________________________________________________

  5. On the SUPERUSER statement in BPXPRMxx, specify the user ID that the kernel will use when you need a user ID for UID(0).
    Example: 
    SUPERUSER(BPXROOT)

    If you do not specify the SUPERUSER statement, the default is BPXROOT.

    The BPXROOT user ID should not be permitted to the BPX.DAEMON FACILITY class profile. The BPXROOT user ID is used when a daemon process invokes setuid() to change the UID to 0 and the user name has not been previously identified by getpwnam() or by the _passwd() function. This action prevents the granting of daemon authority to a superuser who is not defined to BPX.DAEMON.

    _______________________________________________________________

When you are done, you have prepared RACF for daemons. To complete the security setup, you must also activate program control, as described in Customizing the system for IBM-supplied daemons.

Parent topic: z/OS UNIX level

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014