Perform the following steps to prepare RACF® for daemons:
- Define BPX.DAEMON to permit users that are known
as daemons to query or modify the z/OS security
environment of a process.
RDEFINE FACILITY BPX.DAEMON UACC(NONE)
Rule: You
must use the name BPX.DAEMON. Substitutions are not allowed.Tip: The
system administrator must be defined to the daemon FACILITY class
so that if a daemon process fails, the system administrator can restart
it. To authorize a current RACF security
administrator to be a superuser who can restart daemons, issue:
PERMIT BPX.DAEMON CLASS(FACILITY) ID(RACFADM) ACCESS(READ)
_______________________________________________________________
- If this is the first FACILITY class that the installation
has defined, activate it.
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY)
_______________________________________________________________
- Give daemon authority to the kernel. Most daemons that inherit
their identities from the kernel address space are started from /etc/rc.
Example: To
authorize the OMVSKERN user ID to BPX.DAEMON, issue:
PERMIT BPX.DAEMON CLASS(FACILITY) ID(OMVSKERN) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
_______________________________________________________________
- Define a superuser with a user ID of BPXROOT on all systems so
that daemon processes can invoke setuid() for superusers.
ADDUSER BPXROOT DFLTGRP(OMVSGRP) OMVS(UID(0)
HOME('/') PROGRAM('/bin/sh'))
NOPASSWORD
The
NOPASSWORD option indicates that BPXROOT is a protected user ID that
cannot be used to enter the system by using a password or password
phrase. The user ID will not be revoked due to invalid logon attempts.
_______________________________________________________________
- On the SUPERUSER statement in BPXPRMxx, specify the user ID that
the kernel will use when you need a user ID for UID(0).
Example: SUPERUSER(BPXROOT)
If
you do not specify the SUPERUSER statement, the default is BPXROOT.
The
BPXROOT user ID should not be permitted to the BPX.DAEMON FACILITY
class profile. The BPXROOT user ID is used when a daemon process invokes
setuid() to change the UID to 0 and the user name has not been previously
identified by getpwnam() or by the _passwd() function. This action
prevents the granting of daemon authority to a superuser who is not
defined to BPX.DAEMON.
_______________________________________________________________
When you are done, you have prepared RACF for
daemons. To complete the security setup, you must also activate program
control, as described in Customizing the system for IBM-supplied daemons.