Security responsibilities and considerations
z/OS UNIX System Services File System Interface Reference SA23-2285-00

The security structure of z/OS UNIX consists of two parts: the user's identity and the file's access control information. A VFS server is primarily concerned with the user's identity. As a z/OS UNIX "superuser," a VFS server has free access to all z/OS UNIX resources. Consequently, it is the VFS server's responsibility to make sure that everything it does on behalf of a particular end user is done under the authority of that end user.

For a VFS server that is directly invoked by a local user, such as by a command, the simplest thing to do is to require that the invoker be a superuser. If the VFS server runs as a setuid program or is a more traditional client/server type of server, the rest of this topic applies. It is expected that a VFS server will assume the identity of its end user while making calls to z/OS UNIX services.
This consists of several steps:
Access control checks are performed by the PFSs that own the data. These checks are based on information that is associated with each individual file. The VFS server does not control these access checks except for read and write operations. For more information about these interfaces, see z/OS Security Server RACF Callable Services.
Copyright IBM Corporation 1990, 2014