On 1/13/2006 4:07 AM, FEJOS Tamas wrote:
We have our own-developed programs, which upgrade themselves automatically
from our ftp server. (z/OS 1.4 with RACF).

Each program has its own userid (due to security and local storage management reasons) with ftp access. Each program has its own HFS mounted under /usr/lpp/, e.g. /usr/lpp/fejlsws/. It works well, but due to unix file access rights (e.g. others: r-x) and RACF UACC read, users can read much more files than they should. So I want to restrict each user to access contents under its home directory only, e.g. /usr/lpp/fejlsws/. Not more: no access to / or other directories, just under /usr/lpp/fejlsws/.

As R.S. pointed out, if you can make the user IDs RESTRICTED in RACF then UACC(READ), GLOBAL, and (if you set some additional options) permissions for "other" will not apply to those users. They can only access data you have specifically given them access to.

Other than that, no, there is nothing else other than the FTP exit previously mentioned. I believe IBM does supply a sample for that exit that implements the restrictions you have asked for, so if you want to go with the exit, implementing it should be simple.

        Walt Farrell, CISSP
        z/OS Security Design, IBM
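What the RESTRICTED route looks like as a batch job, added here as an illustration and not taken from Walt's reply or from IBM's documentation: the RESTRICTED attribute stops UACC, GLOBAL and ID(*) access for the userid, the RESTRICTED.FILESYS.ACCESS profile in the UNIXPRIV class is the "additional option" that stops "other" permission bits applying to restricted users, and an ACL (with the FSSEC class active) gives the userid its own tree. The userid FEJLSWS, the job card, and the current state of the UNIXPRIV and FSSEC classes on this system are assumptions; the explicit search-only ACL entries on /usr and /usr/lpp are included as a precaution so the userid can still reach its home directory.

```jcl
//RESTRICT JOB (ACCT),'RESTRICT FTP USER',CLASS=A,MSGCLASS=X
//* Added example (assumptions: userid FEJLSWS, class states).
//* Step 1: RACF commands.
//*   ALTUSER ... RESTRICTED   - UACC, GLOBAL and ID(*) no longer
//*                              grant this userid anything.
//*   RDEFINE UNIXPRIV RESTRICTED.FILESYS.ACCESS
//*                            - "other" bits no longer apply to
//*                              RESTRICTED users.
//*   SETROPTS CLASSACT(FSSEC) - ACLs are honoured only when active.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER FEJLSWS RESTRICTED
  RDEFINE UNIXPRIV RESTRICTED.FILESYS.ACCESS UACC(NONE)
  SETROPTS RACLIST(UNIXPRIV) REFRESH
  SETROPTS CLASSACT(FSSEC)
/*
//* Step 2: explicit access to the program's own tree via ACLs.
//*   Access ACL on the home directory, plus directory (d:) and
//*   file (f:) default ACLs so files the program creates inherit
//*   the entry; search-only entries on the parent directories.
//ACL      EXEC PGM=BPXBATCH
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//STDPARM  DD *
SH setfacl -m user:FEJLSWS:rwx /usr/lpp/fejlsws &&
 setfacl -m d:user:FEJLSWS:rwx,f:user:FEJLSWS:rw- /usr/lpp/fejlsws &&
 setfacl -m user:FEJLSWS:--x /usr /usr/lpp &&
 getfacl /usr/lpp/fejlsws
/*
```

After this, a login as FEJLSWS should be able to list /usr/lpp/fejlsws but get EACCES on a directory that relies only on "other" r-x, which is the check to run before repeating the job for the remaining program userids.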

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html