On Fri, 21 Aug 2015 08:40:38 -0500, Mark Zelden <[email protected]> wrote:
> >User zFSes (automounted) are a mixture between the two major companies I >support. >One of them uses their personal HLQ, for example userid.OMVS.ZFS, and the other >one uses a system HLQ, for example SYSO.userid.ZFS or SYS.OMVS.userid.zFS. >I can see why there is a recommendation for the latter because the average >user really doesn't need access to their physical file system, but I also >don't have a problem with the HLQ being the same as all their other files. >The user can delete their zFS all they want and they aren't going to destroy >anything in the system or any other persons data nor application data. If you're going to have zFS data sets prefixed with user IDs you need to be very careful how you mount them. You probably know that, but others may not. The real danger with such data sets is that the users can update them directly, and change the permission bits and other metadata for files, such that executable files within the zFS will run with UID(0) (superuser) or some other user's authority, or run APF-authorized or program-controlled. To prevent that security exposure you need to ensure that the mount specifications for all those userid-prefixed zFS data sets specify NOSETUID, which is not the default. -- Walt ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
