McKown, John wrote:
-----Original Message-----
From: IBM Mainframe Discussion List
[mailto:[EMAIL PROTECTED] On Behalf Of R.S.
Sent: Monday, November 13, 2006 9:58 AM
To: [email protected]
Subject: Re: Unix Security
<snip>
IMHO the better idea is to have a dedicated user for BPXPRMxx SUPERUSER.
It should be a very limited userid. Not used anywhere.
Daemons should use other userid(s).
BTW: why shouldn't the "live person" have UID(0)?
I mean person who really needs it, not everyone.
--
Radoslaw Skorupka
Personal opinion time on that last question.
1) I've never seen anybody who "really needs it" when the other RACF
facilities are properly set up.
2) Auditors tend to not like it. So avoid an unnecessary fight with
them. Especially in view of the above.
IMHO it's sometimes easier to have UID(0) than issuing su every time.
Less effort, fewer errors.
As you wrote it's because auditors want it. I understand your point,
however I'm curious whether there's any real reason.
Those two are sufficient for me. As to started tasks which need UID(0)
running with different RACF ids, that is OK by me.
So, you're using "generic UID(0) for STC" and dedicated user for WAS.
That's OK.
My suggestion is to avoid using BPXPRM SUPERUSER as "generic UID(0) for
STC". Assuming some hacker will get UID(0), the system will assign him
the "SUPERUSER" userid. That's why it is good to define it as
restricted as possible.
Regards
--
Radoslaw Skorupka
Lodz, Poland