z/OS UNIX System Services Planning


Security considerations for the automount policy

GA32-0884-00

In the MapName file, the setuid keyword specifies whether to support or ignore the setuid or setgid mode bits on executable files loaded from the file system. The default is yes.

For security reasons, consider specifying "setuid no". If you do, then the setuid and setgid flags in the permission bits are ignored, as well as the program control extended attribute (+p) and the APF-authorized extended attribute (+a). Consider the following:
  • UNIX files and directories are contained in MVS™ data sets.
  • UNIX users using these files and directories do not need access to these MVS data sets. Only the kernel and your storage administrators need access to the data sets.
  • If you give the users direct access to the MVS data sets by giving them UPDATE access in a RACF® profile protecting the data sets, or by naming the data sets with the user ID as the HLQ, and you do not specify "setuid no" when mounting, you have a security exposure.
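
The following audit sketch is an added example, not IBM code. It reads a MapName file and reports each entry's effective setuid setting, flagging entries whose data set name uses the user ID as the HLQ without "setuid no". It assumes each entry starts with a name keyword, that keyword and value are separated by white space, and that lines starting with /* are comments; the sample entries and data set names are constructed.

```python
import re

# Constructed sample MapName content (not from the original page).
SAMPLE_MAP = """\
name        *
type        ZFS
filesystem  <uc_name>.HOME.ZFS
mode        rdwr

name        tools
filesystem  OMVS.TOOLS.ZFS
setuid      NO

name        build
filesystem  OMVS.BUILD.ZFS
setuid      yes
"""

# Data set name templates whose high-level qualifier is the user ID.
USER_HLQ = re.compile(r"^<(uc_name|asis_name)>\.", re.IGNORECASE)

def parse_stanzas(text):
    """Split the map into stanzas; each 'name' keyword starts a new one."""
    stanzas = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("/*"):  # assumed comment style
            continue
        key = parts[0].lower()
        if key == "name" or not stanzas:
            stanzas.append({})
        stanzas[-1][key] = parts[1].strip() if len(parts) > 1 else ""
    return stanzas

def audit(text):
    """Return (name, effective setuid, finding) for each stanza."""
    results = []
    for s in parse_stanzas(text):
        setuid = s.get("setuid", "yes").lower()  # the default is yes
        if setuid == "no":
            finding = "ok"
        elif USER_HLQ.match(s.get("filesystem", "")):
            finding = "exposure: user ID as HLQ without setuid no"
        else:
            finding = "review: setuid, setgid, +p and +a are honored"
        results.append((s.get("name", "?"), setuid, finding))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE_MAP):
        print(*row, sep="\t")
```

An entry reported as "review" still needs a check of who holds UPDATE access in the RACF profile protecting its data set, which the map file alone cannot show.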

Copyright IBM Corporation 1990, 2014