On Fri, 21 Aug 2015 09:33:00 -0500, Mark Zelden wrote:

>On Fri, 21 Aug 2015 08:56:31 -0500, Walt Farrell wrote:
>>
>>To prevent that security exposure you need to ensure that the mount
>>specifications for all those userid-prefixed zFS data sets specify NOSETUID,
>>which is not the default.
>
>Thanks Walt! Great point that I didn't think to mention because I set this up so long
>ago I forgot about that consideration. I do have that set on the systems / sysplexes
>that use the user's HLQ. For example:
>
>name *
>type ZFS
>filesystem <uc_name>.TPLEX.ZFS
>mode rdwr
>duration 10
>delay 10
>setuid no
>allocuser space(2,1) cyl
>
Beware also of "uc_name", which allows a nuisance (perhaps inadvertent) DoS
attack. Prevent this with either "charcase lower" or "charcase upper" (or
"asis_name"), at the cost of losing some flexibility in naming.
(Would asis_name with DISABLE(DSNCHECK) also work?)

-- gil
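An added example, not part of the original posts: a Python check over an automount map file that flags the two conditions raised in this thread, a userid-prefixed zFS stanza without "setuid no" and a "<uc_name>" stanza without "charcase lower" or "charcase upper". The second sample stanza and the finding names are constructed, and treating a missing keyword as "not set" is an assumption.

```python
import re

# Constructed sample policy: the first stanza is the one quoted in the thread,
# the second is a hypothetical stanza that leaves setuid at its default.
SAMPLE_MAP = """\
name *
type ZFS
filesystem <uc_name>.TPLEX.ZFS
mode rdwr
duration 10
delay 10
setuid no
allocuser space(2,1) cyl

name *
type ZFS
filesystem <uc_name>.USER.ZFS
mode rdwr
"""

def parse_stanzas(text):
    """Split a map file into keyword dictionaries; a 'name' line opens a stanza."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "name" or not stanzas:
            stanzas.append({})
        stanzas[-1][key.lower()] = value.strip()
    return stanzas

def audit(text):
    """Return (stanza number, finding) pairs for the two issues in the thread."""
    findings = []
    for n, st in enumerate(parse_stanzas(text), 1):
        fs = st.get("filesystem", "")
        # Data set name starts with the user-derived qualifier (the user's HLQ).
        if re.match(r"<(uc_name|asis_name)>", fs, re.I) and st.get("setuid", "").lower() != "no":
            findings.append((n, "setuid-not-disabled"))
        # <uc_name> used without restricting the case of the directory name.
        if re.search(r"<uc_name>", fs, re.I) and st.get("charcase", "").lower() not in ("lower", "upper"):
            findings.append((n, "uc_name-without-charcase"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_MAP):
        print(f"stanza {number}: {finding}")
```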
