IP Services: Verify z/OS UNIX file permission settings
Description
As of z/OS V2R2, z/OS UNIX file
security is enhanced to include additional restrictions for some of
the z/OS UNIX files that belong to z/OS Communications Server functions. Table 2 lists the affected z/OS UNIX files.
For any existing file that does not comply with the restrictions,
take the following steps:
- If the file is not a symbolic link or hard link, delete the file.
- If the file is a symbolic link or hard link, change the incorrect permissions of the file or directory, and the owning information if any.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
| Element or feature: | z/OS Communications Server. |
|---|---|
| When change was introduced: | z/OS V2R1 with APAR PI16886, and z/OS V1R13 with APAR PI17084. |
| Applies to migration from: | z/OS V2R1 without APAR PI16886, and z/OS V1R13 without APAR PI17084. |
| Timing: | Before the first IPL of z/OS V2R2. |
| Is the migration action required? | Yes, if any files you have are affected by the restrictions in Table 2. |
| Target system hardware requirements: | None. |
| Target system software requirements: | None. |
| Other system (coexistence or fallback) requirements: | None. |
| Restrictions: | None. |
| System impacts: | None. |
| Related IBM® Health Checker for z/OS® check: | None. |
Steps to take
Verify
whether the z/OS UNIX files in Table 2 comply
with the restrictions. To conform with the restrictions, correct any
discrepancies that are found.
| Function | File name | Restrictions |
|---|---|---|
| DCAS | /tmp/dcas.tcpname_or_INET.pid | 1,2,3 |
| IKED | /var/ike/iked.pid | 1,2,3 |
| Network SLAPM2 subagent | /tmp/nslapm2.tcpname.pid | 1,2,3 |
| Policy Agent |
|
1,2,3 |
| Popper | user bulletin and maildrop files in directory /usr/mail | 1,2 |
| RSVP | /tmp/rsvpd.pid.imagename | 1,2,3 |
| SNTP | /etc/sntpd.pid | 1,2,3 |
| Syslog |
|
1,2,3 |
| TCP/IP stack | /tmp/tcpname.Pagent.tmp | 1,2 |
Restrictions:
- If the file is a symbolic link, it must have an owning UID or GID that matches the EUID or EGID that is assigned to the listed function.
- If the file is a hard link or the target of a hard link, users that are outside the owner or group of the directory in which the file is stored cannot have write access to the directory.
- Additionally, write access to the file must be limited to the owning UID or group, for example, --w--w---- permissions.
Reference information
None.