On Sat, 13 Jun 2015 10:36:05 -0500, Tom Marchant <[email protected]> wrote:
>On Fri, 12 Jun 2015 19:28:01 -0500, Andy Wood wrote: > > >>there were some weasel words in the documentation about >>not allowing "privileged users" to have OMVS segments. > >I don't see any such words in the Statement of Integrity at >http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=ZSL03361USEN&attachment=ZSL03361USEN.PDF I did not mean to imply that it was was in the SOI. UNIX System Services Planning, where it discusses BPX.DAEMON, says: "Kernel services that change a caller's z/OS user identity require the target z/OS user identity to have an OMVS segment defined. If you want to maintain this extra level of control at your installation, you must choose which daemons to permit to BPX.DAEMON. You will also have to choose the users to whom you give the OMVS security profile segments." The wording has changed somewhat over the years, but it seems to me that the potential exposure still exists. Actually, I think the new wording makes it less likely that you would realise exactly what they are getting at. It is a situation where having access to root spills over into the world of traditional z/OS security. So, if a user can surreptitiously gain access to root, there is the potential for them to gain access to "anything". People with a Unix background might say "so what is new?", but the very existance of profiles like BPX.DAEMON to me indicates that such spill over was something the designers hoped to prevent. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
