Certain z/OS® Communications Server TCP/IP Services servers need to change the security environment of the process in which they currently execute. For example, the FTPD daemon creates a new z/OS UNIX process for every FTP client connecting to it. After the new process is created, the daemon changes the security environment of the process so that it is associated with the security context of the logged-in user. The RACF® FACILITY class resource BPX.DAEMON is used for this purpose. Table 1 contains information about using the BPX.DAEMON resource.
Task | Details |
---|---|
Decide whether to activate the BPX.DAEMON level of security by reviewing the information about BPX.DAEMON authority in z/OS UNIX System Services Planning, and determine whether this level of security is appropriate for your installation. | This is not required. It is recommended, however, because it provides additional security in the z/OS UNIX environment. The following TCP/IP Services servers and daemons in z/OS Communications Server change the security environment of their processes: |
Plan carefully when you define BPX.DAEMON. | As soon as the BPX.DAEMON resource is defined, MVS™ will not let a program change the security environment of its process unless the programs in that address space were loaded from program-controlled libraries and the user ID under which the program runs has READ access to BPX.DAEMON. A daemon that fails either condition will no longer be able to switch to the client's security context. |
If you decide not to define the BPX.DAEMON FACILITY class profile, assign UID(0) to the user IDs associated with these servers and daemons. | This is sufficient for processing. It is described in Other user IDs requiring z/OS UNIX superuser authority. |
If you do decide to define the BPX.DAEMON FACILITY class profile, define it in RACF (which is what enables BPX.DAEMON security) and grant READ access to that profile to the user IDs associated with the listed daemons. | To define the BPX.DAEMON FACILITY class profile in RACF, use the commands shown after this table. Note: You must specify the name BPX.DAEMON in this command. Substitutions for the name are not allowed. |
If all the required conditions are not met, your server programs will fail as soon as you define BPX.DAEMON. If the server programs fail, delete BPX.DAEMON, and the setup reverts to its previous state. Check all your definitions, and make the required corrections before trying to define BPX.DAEMON again.
```
SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY) AUDIT(FACILITY)
SETROPTS RACLIST(FACILITY)
PERMIT BPX.DAEMON CLASS(FACILITY) ID(ftpd_user_ID) ACCESS(READ)
```
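The following batch job is an added worked example of the whole procedure described above; it is not from the z/OS Communications Server documentation. It runs the RACF commands through the TSO batch processor (IKJEFT01), adds the profile definition with `UACC(NONE)`, refreshes the RACLISTed FACILITY class so the `PERMIT` actually takes effect, lists the profile to verify the access list, and then uses `ls -E` from a BPXBATCH step to check that the daemon's program file carries the program-control (`p`) extended attribute. The job card, the user ID `FTPD`, and the path `/usr/sbin/ftpd` are assumptions; substitute the user IDs of every daemon in the table above and the paths or load libraries your installation actually runs them from.

```jcl
//BPXDAEMN JOB (ACCT),'DEFINE BPX.DAEMON',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*------------------------------------------------------------------
//* Step 1: activate and RACLIST the FACILITY class, define the
//*         BPX.DAEMON profile with no default access, permit the
//*         daemon user ID, then REFRESH so the in-storage copy of
//*         the class reflects the new profile and access list.
//*         (Assumed: the daemon runs under RACF user ID FTPD.)
//*------------------------------------------------------------------
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY) AUDIT(FACILITY)
  SETROPTS RACLIST(FACILITY)
  RDEFINE FACILITY BPX.DAEMON UACC(NONE)
  PERMIT BPX.DAEMON CLASS(FACILITY) ID(FTPD) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY BPX.DAEMON AUTHUSER
/*
//*------------------------------------------------------------------
//* Step 2: verify the second precondition. The second column of the
//*         ls -E output shows the extended attributes; the daemon's
//*         program file must show 'p' (program controlled), or the
//*         address space is not clean and the security-environment
//*         change will fail once BPX.DAEMON exists.
//*         (Assumed path: /usr/sbin/ftpd.)
//*------------------------------------------------------------------
//CHKPC    EXEC PGM=BPXBATCH,PARM='SH ls -E /usr/sbin/ftpd'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
```

Run the job before the daemons are restarted and read the `RLIST ... AUTHUSER` output in SYSTSPRT: the universal access must be NONE and each daemon user ID must appear with READ. If a daemon still fails after it is restarted, back the change out as the text above describes, with `RDELETE FACILITY BPX.DAEMON` followed by `SETROPTS RACLIST(FACILITY) REFRESH`, fix the missing permit or the non-program-controlled library, and define the profile again.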