BPX.DAEMON
z/OS UNIX System Services Planning GA32-0884-00
If the BPX.DAEMON resource in the FACILITY class is defined, your system has z/OS UNIX security, and it can exercise more control over your superusers. This level of security is for customers with stricter security requirements who need some superusers to maintain the file system but want greater control over the z/OS resources that those users can access. Although BPX.DAEMON provides some additional control over the capabilities of a superuser, a superuser should still be regarded as a privileged user because of the full range of privileges granted to the superuser.

The additional control that BPX.DAEMON provides involves the use of kernel services, such as setuid(), that change a caller's z/OS user identity. Any user can issue a setuid() that follows a successful __passwd() call for the same target user ID. A user with daemon authority, however, can issue setuid() without knowing the target user's password or password phrase. With BPX.DAEMON defined, a superuser process can run these identity-changing services only if the following statements are true:
Kernel services that change a caller's z/OS user identity require the target z/OS user identity to have an OMVS segment defined.

If you want to maintain this extra level of control at your installation, you must choose which daemons to permit to BPX.DAEMON. You will also have to choose the users to whom you give the OMVS security profile segments. To accomplish this, see Steps for preparing the security program for daemons.

The RACF WARN mode is not supported for BPX.DAEMON.
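The following RACF command sequence is an added illustration of the controls this topic describes; it is not taken from this publication or from the referenced "Steps for preparing the security program for daemons" topic. The user ID DAEMONID and the UID value are constructed placeholders; substitute the daemon user IDs and UIDs chosen for your installation. The commands define BPX.DAEMON with no universal access so that only explicitly permitted daemons gain daemon authority, give the daemon user ID the OMVS segment that identity-changing kernel services require, and then list the profile and the segment so that an administrator can verify the result.

```tso
/* Added example (constructed user ID and UID), not from the publication. */

/* Define the BPX.DAEMON profile in the FACILITY class. UACC(NONE) means */
/* no user has daemon authority unless explicitly permitted below.        */
RDEFINE FACILITY BPX.DAEMON UACC(NONE)

/* The target identity of setuid() must have an OMVS segment. Give the     */
/* daemon user ID one here (DAEMONID and UID(777) are placeholders).       */
ADDUSER DAEMONID OMVS(UID(777) HOME('/') PROGRAM('/bin/sh'))

/* Grant daemon authority to that one daemon user ID only. READ access is  */
/* sufficient; do not widen UACC to grant it to everyone.                  */
PERMIT BPX.DAEMON CLASS(FACILITY) ID(DAEMONID) ACCESS(READ)

/* FACILITY profiles are normally RACLISTed in storage; refresh so the new  */
/* profile and permission take effect without an IPL.                      */
SETROPTS RACLIST(FACILITY) REFRESH

/* Verification: show the profile, its UACC, and every user ID that holds  */
/* access to it. Anything beyond the intended daemons is a finding.        */
RLIST FACILITY BPX.DAEMON AUTHUSER

/* Verification: confirm the daemon user ID has an OMVS segment.           */
LISTUSER DAEMONID OMVS NORACF
```

Because WARN mode is not honored for BPX.DAEMON, a profile defined with WARNING still fails the access check for users who are not permitted; define the profile without WARNING and rely on the RLIST output to review who holds daemon authority.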
Copyright IBM Corporation 1990, 2014