Find out what they're trying to do "as superuser".
Based on the hint you provide, that it's an FTP-like product, the requirement might be for authentication and/or authorization. In traditional Unix environments, that's a legitimate use of UID 0 (even though, yeah, too much authority to the application). But on z/OS there are safer ways to perform authentication (and/or authorization).

It's frustrating to hear about this. The demand for UID 0 and related privilege escalations has led to all sorts of countermeasures, most of which have created additional problems.

I run most services each under their own service account.
There are too many ways to selectively escalate for mention in this email.
Find out what this vendor really needs. They're going to have to tell you. It's fair for you to tell them "no UID(0)".

-- R; <><


On 4/11/23 15:06, Colin Paice wrote:
I've been reviewing someone's (ftp like) product documentation, and they
say that the userid that runs their product needs id(0) to be able to run.
This feels like giving too much authority to the userid.  Is there a better
way of defining the userid and its access to resources to be able to
eliminate the need for id(0)?
Colin

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
