The following security measures should be addressed when you install
the z/OS NFS server and client:
- All programs that come with the z/OS NFS server and client must
reside in an APF-authorized program library.
- You need to define the z/OS NFS server and client to resource
access control facility (RACF) and assign the necessary level of authority.
You do this by defining a RACF user ID with an OMVS
segment for the z/OS NFS server and client. Because the z/OS
NFS server and client are run as started tasks, you also need to define
an entry in the RACF-started procedures table which associates the
z/OS NFS server and client startup procedure names with the previously
defined user IDs. For more information about coding and replacing
the RACF-started procedure table, see z/OS Security Server RACF Security Administrator's Guide and z/OS Security Server RACF System Programmer's Guide.
The
z/OS NFS server can now be set up with the
trusted attribute
as follows:
ADDUSER mvsnfs OMVS(UID(1000))
SETROPTS GENERIC(STARTED) (If not already active)
SETROPTS CLASSACT(STARTED) (If not already active)
RDEFINE STARTED mvsnfs.* STDATA(USER(mvsnfs) GROUP(sys1) TRUSTED(YES)) OWNER(mvsnfs)
SETROPTS RACLIST(STARTED) REFRESH
Note: The UID of 1000 is chosen for illustrative purposes only
and can be specified as any non-0 valid UID value.
The z/OS NFS client can now be set up with the
trusted attribute as follows:
ADDUSER mvsnfsc OMVS(UID(0))
SETROPTS GENERIC(STARTED) (If not already active)
SETROPTS CLASSACT(STARTED) (If not already active)
RDEFINE STARTED mvsnfs.* STDATA(USER(mvsnfsc) GROUP(sys1) TRUSTED(YES)) OWNER(mvsnfsc)
With
trusted authority, the NFS server can perform the following tasks:
- Reconstruct the mount points (from the active mount handle data
set) upon startup
- Handle mount requests from client prior to user login
- Handle ls or nfsdir list commands prior to user
login
- Be a trusted user during normal operation
For more information on using trusted authority,
see z/OS MVS Initialization and Tuning Reference. A trusted started procedure or address space is
treated as a z/OS UNIX superuser if a z/OS UNIX user identifier (UID)
is assigned to it in the OMVS segment, even when the assigned UID
is not 0.
During actual remote client file
access, the z/OS NFS server first RACROUTEs the remote client's user
ID to determine if the remote client is authorized to access the file
system. If the remote client is authorized, the z/OS NFS server switches
to its own user ID, which has trusted authority, to access the file
system.
- You need to define a z/OS UNIX segment for the z/OS
NFS client in the RACF user profile. The z/OS NFS client does not
require UID 0 authority to operate.
- You can set up the z/OS NFS client with the trusted
attribute in the same way as the z/OS NFS Server.
For TCP/IP security information, see
z/OS Communications Server: IP Configuration Guide.
For z/OS UNIX security information, see z/OS UNIX System Services Planning.