On Fri, 21 Aug 2015 08:56:31 -0500, Walt Farrell <[email protected]> wrote:
>On Fri, 21 Aug 2015 08:40:38 -0500, Mark Zelden <[email protected]> wrote:
>
>>User zFSes (automounted) are a mixture between the two major companies I
>>support.
>>One of them uses their personal HLQ, for example userid.OMVS.ZFS, and the
>>other
>>one uses a system HLQ, for example SYSO.userid.ZFS or SYS.OMVS.userid.zFS.
>>I can see why there is a recommendation for the latter because the average
>>user really doesn't need access to their physical file system, but I also
>>don't have a problem with the HLQ being the same as all their other files.
>>The user can delete their zFS all they want and they aren't going to destroy
>>anything in the system or any other person's data nor application data.
>
>If you're going to have zFS data sets prefixed with user IDs you need to be
>very careful how you mount them. You probably know that, but others may not.
>The real danger with such data sets is that the users can update them
>directly, and change the permission bits and other metadata for files, such
>that executable files within the zFS will run with UID(0) (superuser) or some
>other user's authority, or run APF-authorized or program-controlled.
>
>To prevent that security exposure you need to ensure that the mount
>specifications for all those userid-prefixed zFS data sets specify NOSETUID,
>which is not the default.
>
>--
>Walt

Thanks Walt! Great point that I didn't think to mention because I set this up
so long ago I forgot about that consideration. I do have that set on the
systems / sysplexes that use the user's HLQ.

For example:

name *
type ZFS
filesystem <uc_name>.TPLEX.ZFS
mode rdwr
duration 10
delay 10
setuid no
allocuser space(2,1) cyl

Best Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:[email protected]
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
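As an added example (not code from either poster), a small Python check over an automount policy file of the kind Mark shows above: it parses the keyword/value stanzas and reports user-prefixed entries that do not say "setuid no", which per Walt's note means they take the default and allow setuid, APF and program-controlled attributes to take effect. It assumes entries are separated by blank lines with "#" comment lines, and that <uc_name>, <lc_name> and <asis_name> are the user-name substitution symbols (only <uc_name> appears in the thread).

```python
# Constructed sample (not from the thread): entry 1 mirrors Mark's; entry 2 is
# user-prefixed but omits "setuid no" (Walt's exposure); entry 3 is system HLQ.
SAMPLE_POLICY = """\
# constructed automount policy entries
name *
type ZFS
filesystem <uc_name>.TPLEX.ZFS
mode rdwr
duration 10
delay 10
setuid no
allocuser space(2,1) cyl

name *
type ZFS
filesystem <uc_name>.OMVS.ZFS
mode rdwr

name *
type ZFS
filesystem SYSO.<uc_name>.ZFS
"""
# Substitution symbols the automount facility replaces with the user's name
# (assumption: <uc_name> is from the thread; the other two are assumed).
USER_SYMBOLS = ("<uc_name>", "<lc_name>", "<asis_name>")


def parse_policy(text):
    """Blank-line separated keyword/value stanzas; '#' lines are comments."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(" ")
        current[key.lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def find_setuid_exposures(text):
    """Filesystem templates of user-prefixed entries that lack 'setuid no'."""
    return [e["filesystem"] for e in parse_policy(text)
            if e.get("filesystem", "").lower().startswith(USER_SYMBOLS)
            and e.get("setuid", "yes").lower() != "no"]
```

Running find_setuid_exposures(SAMPLE_POLICY) returns only the second entry's template, <uc_name>.OMVS.ZFS.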
