Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Security responsibilities and considerations z/OS UNIX System Services File System Interface Reference SA23-2285-00 |
|
z/OS UNIX maintains system security by verifying user identities and file access control information. A PFS is primarily concerned with file access control. For those functions where POSIX .1 (IEEE Standard 1003.1-1990) specifies that "appropriate privilege" is required, the PFS refers to a bit that is set by the LFS to determine whether the function has appropriate privileges. For more information, see "Appropriate Privileges" in the POSIX standards. Access control checks are based on information that is stored with each individual file, and are generally carried out on the system where the data resides. Access control is integrated with the SAF interface to call RACF®, or whichever security product is used at a particular installation. The basic flow of file security is as follows:
In the flow described previously, the PFS provides some private space within the file attributes for the security product's use, ensures common access checking across all PFSs, allows for the installation of different security products, and lets the security product perform auditing or other non-POSIX processing. The PFS is ultimately responsible for the following access checks:
Some events that occur in the LFS are audited for security purposes by the vn_audit operation. For example, because relative pathnames may be audited during an access check, it is important to audit the working directory so that a full pathname can be constructed if necessary. When a user calls chdir() or fchdir(), the LFS invokes vn_audit to record the new working directory. chroot(), which changes the current root, is another call that causes an audit record to be created. Refer to z/OS Security Server RACF Callable Services for more information about these interfaces. PFS support for multilevel security discusses PFS responsibilities and considerations for multilevel security. |
Copyright IBM Corporation 1990, 2014
|