BPX.DAEMON FACILITY class profile

Certain z/OS® Communications Server TCP/IP Services servers need to change the security environment of the process in which they currently execute. For example, the FTPD daemon creates a new z/OS UNIX process for every FTP client connecting to it. After the new process is created, the daemon changes the security environment of the process so that it is associated with the security context of the logged-in user. The RACF® FACILITY class resource BPX.DAEMON is used for this purpose. Table 1 contains information about using the BPX.DAEMON resource.

Table 1. BPX.DAEMON (columns: Task | Details)
Task: Decide whether to activate the BPX.DAEMON level of security by reviewing the information about BPX.DAEMON authority in z/OS UNIX System Services Planning to determine whether this level of security is appropriate for your installation.
Details: This is not required. It is recommended, however, because it provides additional security in the z/OS UNIX environment.
The following TCP/IP Services servers and daemons in z/OS Communications Server change the security environment of their processes:
  • FTPD
  • Network security services (NSS) server
  • Policy Agent
  • z/OS UNIX REXECD
  • z/OS UNIX RSHD
  • z/OS UNIX TELNETD
Plan the time at which you define BPX.DAEMON carefully. As soon as the BPX.DAEMON resource is defined, MVS™ no longer lets a program change the security environment of its process unless the program was loaded from a program-controlled library and the user ID (UID) under which it runs has READ access to BPX.DAEMON. Note that the check covers the whole address space: if any module in the daemon's address space was loaded from a library that is not program-controlled, the address space is considered uncontrolled and the identity change fails, even when the daemon itself has access to BPX.DAEMON.
If you decide not to define the BPX.DAEMON FACILITY class profile, assign UID(0) to the user IDs associated with these servers and daemons. That is sufficient for them to run; it is described in Other user IDs requiring z/OS UNIX superuser authority.
If you do decide to define the BPX.DAEMON FACILITY class profile, enable BPX.DAEMON security by defining the profile in RACF, and grant READ access to it for the RACF user IDs (and therefore the UIDs) under which the listed daemons run. To define the BPX.DAEMON FACILITY class profile in RACF, use the following command:
RDEFINE FACILITY BPX.DAEMON UACC(NONE)
Note: You must specify the name BPX.DAEMON in this command. Substitutions for the name are not allowed.

If any of the required conditions is not met, your server programs will fail as soon as you define BPX.DAEMON. If the server programs fail, delete the BPX.DAEMON profile and the setup reverts to its previous state. Check all your definitions, and make the required corrections before trying to define BPX.DAEMON again.

If this is the first FACILITY class profile that your installation is using, activate the FACILITY class using the following commands:
SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY) AUDIT(FACILITY)
SETROPTS RACLIST(FACILITY)
If you start the server programs with MVS START commands, or from shell scripts that run after z/OS UNIX is initialized, you must permit the user IDs under which they run to the BPX.DAEMON FACILITY class resource. The following example permits the user ID (ftpd_user_ID) under which the FTPD daemon is started:
PERMIT BPX.DAEMON CLASS(FACILITY) ID(ftpd_user_ID) ACCESS(READ)
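The steps above, collected into one TSO/E REXX exec with the refresh and verification a practitioner adds in practice. This is an added example, not part of the z/OS Communications Server documentation: the daemon user IDs FTPD, NSSD, PAGENT, RXSERVE, RSHD and OTELNETD are assumptions standing in for whatever your installation uses, and the exec assumes it is run by a user with RACF SPECIAL authority. Because the FACILITY class is RACLISTed, the PERMIT takes effect only after SETROPTS RACLIST(FACILITY) REFRESH, which the page's command sequence does not show.

```rexx
/* REXX: define BPX.DAEMON, permit the daemon user IDs, refresh, verify.
   Added example, not from the z/OS CS documentation. The user IDs in
   the daemons list are assumptions; replace them with your own. */
address TSO

/* Run one RACF command and report a non-zero return code. */
racf: procedure
  parse arg cmd
  cmd                                    /* execute the command string */
  if rc <> 0 then say "RC=" rc "for:" cmd
  return rc

/* 1. Activate the FACILITY class (only needed for the first FACILITY profile). */
call racf "SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY) AUDIT(FACILITY)"
call racf "SETROPTS RACLIST(FACILITY)"

/* 2. Define the profile. The name must be exactly BPX.DAEMON. */
call racf "RDEFINE FACILITY BPX.DAEMON UACC(NONE)"

/* 3. Permit each daemon's RACF user ID. READ is sufficient. */
daemons = "FTPD NSSD PAGENT RXSERVE RSHD OTELNETD"   /* assumed user IDs */
do i = 1 to words(daemons)
  call racf "PERMIT BPX.DAEMON CLASS(FACILITY) ID("word(daemons, i)")",
            "ACCESS(READ)"
end

/* 4. The class is RACLISTed, so the new profile and PERMITs are not
      in effect until the in-storage copy is refreshed. */
call racf "SETROPTS RACLIST(FACILITY) REFRESH"

/* 5. Verify the access list before starting or restarting the daemons. */
call racf "RLIST FACILITY BPX.DAEMON AUTHUSER"

/* Back-out if the daemons fail after this point (see text above):
     RDELETE FACILITY BPX.DAEMON
     SETROPTS RACLIST(FACILITY) REFRESH
   then correct the definitions and rerun this exec. */
exit 0
```

The exec does not set up program control; before running it, confirm that every load library the daemons and their dependencies are loaded from is covered by PROGRAM class profiles, otherwise the identity change fails regardless of the BPX.DAEMON permission.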
Authorization to change the user security environment is granted only if both of the following two conditions are true: