Thanks! Right, 'setuid' -- that's the UNIX buzzword my guys used <g>.
I was not aware of PADS. Just found it in the RACF Sec Admin Guide. Looks similar in concept. Might do the job -- let me read through it. I like that it is "supported" and not "security by obscurity." BTW, there is no CA Endevor in this picture -- I just thought that whatever Endevor administrators did might work for my customer.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of John McKown
Sent: Tuesday, February 12, 2013 9:40 AM
To: [email protected]
Subject: Re: How do people lock down the compilers "inside" CA Endevor?

Ah, you are thinking of one of two possibilities. One is to use "sudo", which first switches to a specified user (often root), then runs the given command & arguments. Use of this is controlled via a file called /etc/sudoers. This is a rather generic thing. Another way to do it is to write a specific command, Y, which is marked "setuid" or "setgid" to change either the uid or gid or both to the program's uid/gid. That command can then execute the given command, X, via the system() call.

z/OS does not have an equivalent facility for batch programs. z/OS UNIX, being a true, branded, UNIX system, does have both of the above abilities. Not that it helps you.

One thing that does occur to me is to use the PADS in RACF to only allow access to the compiler-containing library from your driver program. I'm not too sure about this. Perhaps someone who uses PADS can say? It might require your "driver" program, Y, residing in the STEPLIB, with the PADS library (or libraries) being allocated to a different DD name which the driver program OPENs with a DCB, said DCB being passed to ATTACHX via the DCB= parameter in order to change the new TCB's default execution libraries to those on the special DD name. The driver might even have "smarts" to look at some PARM passed to it, validate it, and then use that program in the ATTACHX rather than "hard code" the invoked program.

It would make it a bit more difficult to program. And don't ask me how well this will get along with CA-Endevor.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
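An added example, not from either post in this thread: the UNIX-side "driver" program Y that John McKown describes, written so that the privileged step only ever runs an allowlisted compiler X. It validates the PARM the way the ATTACHX driver would, but replaces the process with execve() under a scrubbed environment instead of calling system(); the compiler paths and the allowlist are constructed placeholders.

```c
/* Added example, not from the thread: a UNIX "driver" program Y of the kind
 * John McKown describes, installed setuid/setgid and allowed to run one
 * compiler X.  It validates its PARM against a fixed allowlist and uses
 * execve() with a scrubbed environment rather than system(), so the caller
 * cannot smuggle shell syntax, PATH or IFS tricks into the privileged step.
 * The compiler paths are constructed placeholders. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Allowlist: the only programs this driver will ever run (placeholder paths). */
static const char *const ALLOWED[] = {
    "/opt/compilers/bin/cobol",
    "/opt/compilers/bin/pli",
};
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Map the caller's PARM onto an allowlist entry: index, or -1 if rejected.
 * It must equal an entry's basename exactly; slashes and empty names fail. */
int validate_parm(const char *parm)
{
    if (parm == NULL || *parm == '\0' || strchr(parm, '/') != NULL)
        return -1;
    for (size_t i = 0; i < N_ALLOWED; i++) {
        const char *base = strrchr(ALLOWED[i], '/') + 1;
        if (strcmp(base, parm) == 0)
            return (int)i;
    }
    return -1;
}

/* Replace this process with the selected compiler under a fixed, minimal
 * environment.  Returns only if execve() fails. */
static int run_allowed(int idx, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    return execve(ALLOWED[idx], argv, clean_env);
}

int main(int argc, char *argv[])
{
    int idx = argc > 1 ? validate_parm(argv[1]) : -1;
    if (idx < 0) {
        fprintf(stderr, "driver: PARM is missing or not an allowed compiler\n");
        return 1;
    }
    run_allowed(idx, &argv[1]);   /* argv[1] becomes the compiler's argv[0] */
    perror("execve");
    return 1;
}
```

The same split applies to the z/OS variant in the post: the driver validates the PARM first, and only a name that maps onto the PADS-protected library is handed to ATTACHX.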
