Have a look at getpwent. If I am not allowing a user to list RACF users, why are they allowed to list it via this command using syscalls?
ITschak

Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I | Email: [email protected] | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il

On Tue, Apr 27, 2021 at 3:17 PM John McKown <[email protected]> wrote:

> On Tue, Apr 27, 2021 at 7:07 AM Paul Gilmartin <[email protected]> wrote:
>
> > On Tue, 27 Apr 2021 14:33:01 +0300, ITschak Mugzach wrote:
> >
> > >a user asks to have access to the uss sleep syscall. We would like to limit
> > >the user only to this function. is this possible?
> > >
> > Why? Are there any security risks with other SYSCALLs?
> >
> > And how are you preventing such access now?
> >
> > How would you prevent access to Callable Services by means
> > other than Rexx?
> >
> > I suspect the Totalitarian Principle is operating here: "Anything
> > not compulsory is forbidden!"
> >
> Perhaps. I know that many z/OS types & management like to "lock down"
> everything in sight. I just got issued a new company laptop. It,
> supposedly, comes with everything that I need to do my job. And nothing
> else. I cannot install or uninstall anything. It automatically logs into
> the corporate LAN, which has a corporate "net nanny" installed. I don't
> mind much because it does really have the minimal that I need to do my
> assigned work. But, on my old Windows machine, I could install PERL and
> AWK, which I often used to do "ad hoc" processing. I can do this on our
> mainframe, but that costs MSUs, which costs money, which has people asking
> "what are you doing". Curiously, I do the same thing using REXX in batch
> or TSO & there is not a murmur. (don't tell them, but I have a Linux
> desktop on which I have installed PostgreSQL. I use IRRDBU00 to create a
> RACF unload which I ftp down & put into a database to generate reports.)
>
> > -- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
