>Basically, any UNIX program which wants to switch identities >(I.e. setuid() / seteuid() functions, aka "su") must either be >UID(0) (root) or have at least READ access to the BPX.DAEMON >profile in the FACILITY class.
Not true!

- If BPX.DAEMON is *not* defined, any process running with uid(0) can switch to any other userid *without* knowing the target user's password (provided the target userid has got a uid assigned).
- If BPX.DAEMON *is* defined, this process also needs READ permission, and it needs to run in a clean environment to be able to switch identities *without* knowing the pw.
- If a process running with uid(0) *knows* the password of the target user, it may switch in any case.
- If a process, not necessarily running with uid(0), does not know the pw but has been granted surrogate authority (some other RACF profiles), it may switch identities.

Peter Hunkeler
CREDIT SUISSE

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
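As an added illustration (not part of the thread above), the RACF commands that move a system from the first case Peter describes (BPX.DAEMON undefined, so uid(0) alone suffices) to the second (profile defined, READ required), plus the listings an auditor would pull to see who holds that access. It assumes RACF with the FACILITY class already RACLISTed; DAEMONID is a placeholder user ID.

```rexx
/* REXX: added example, not from the original post.                   */
/* Closes the "BPX.DAEMON not defined" case and reports who can       */
/* switch identities without a password. DAEMONID is a placeholder.   */
ADDRESS TSO

/* 1. Define the profile with no universal access. Once it exists,    */
/*    uid(0) alone is no longer enough for a password-less switch.    */
"RDEFINE FACILITY BPX.DAEMON UACC(NONE)"

/* 2. Grant READ only to the daemon identities that really need it.   */
"PERMIT BPX.DAEMON CLASS(FACILITY) ID(DAEMONID) ACCESS(READ)"

/* 3. Make the new profile and the PERMIT effective in storage.       */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* 4. Audit: every ID with access to BPX.DAEMON (the READ holders).   */
"RLIST FACILITY BPX.DAEMON AUTHUSER"

/* 5. Audit: the surrogate profiles the post mentions as "some other  */
/*    RACF profiles" live in the SURROGAT class (BPX.SRV.userid);     */
/*    list them all with their access lists.                          */
"RLIST SURROGAT * AUTHUSER"
```

The "clean environment" requirement still applies after this: a daemon with READ access also needs every module it loads to be program-controlled, or the password-less switch is refused.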

