Even on native Linux these days Security-Enhanced Linux (SELinux) is
being used increasingly to limit the need for system or service
processes to run as UID 0 by allowing a much more granular granting of
access to filesystem and other resources. One of the things that
attracted me, a former RACF admin, to Fedora Linux was its early support
for SELinux; although there are still Fedora users that choose to run
with SELinux in "disabled" mode to avoid dealing with any issues SELinux
can cause. Unlike RACF, there are default categorizations of resources
and default access policies that are embedded with the system and
system-level application installation with the intent of providing
reasonable protections with no additional post-installation
customization. Unfortunately those defaults are sometimes in error for
specific applications, and most users with a personal Linux system just
for running common user applications would have no clue how to diagnose
or resolve SELinux problems. Sometimes the maintenance people for
those applications have no clue either, because they personally run with
SELinux disabled and whoever understood SELinux well enough to set up
the SELinux defaults for the application is no longer available.

One would hope that by now RACF would at least have the ability to
permit the same level of granularity of access as SELinux provides in
native Linux. With better control over long-term development goals, it
should be easier to push for avoidance of UID 0 requirements in z/OS
than in the Linux universe, where individuals on multiple volunteer
maintenance teams must first be convinced to support running with
SELinux in "enforcing" mode.

Joel C. Ewing

On 4/11/23 14:22, Rick Troth wrote:
Find out what they're trying to do "as superuser".
Based on the hint you provide, that it's an FTP-like product, the
requirement might be for authentication and/or authorization. In
traditional Unix environments, that's a legitimate use of UID 0 (even
though, yeah, too much authority to the application). But on z/OS
there are safer ways to perform authentication (and/or authorization).
It's frustrating to hear about this. The demand for UID 0 and related
privilege escalations has led to all sorts of countermeasures, most of
which have created additional problems.
I run most services each under their own service account.
There are too many ways to selectively escalate for mention in this
email.
Find out what this vendor really needs. They're going to have to tell
you. It's fair for you to tell them "no UID(0)".
-- R; <><

On 4/11/23 15:06, Colin Paice wrote:
I've been reviewing someone's (ftp like) product documentation, and they
say that the userid that runs their product needs id(0) to be able to
run.
This feels like giving too much authority to the userid. Is there a
better way of defining the userid and its access to resources to be
able to eliminate the need for id(0)?
Colin
...
--
Joel C. Ewing
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN