Mark,

What are you displaying in your example?

. . .
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Mark Zelden
Sent: Friday, August 21, 2015 7:33 AM
To: [email protected]
Subject: Re: Catalog for OMVS datasets

On Fri, 21 Aug 2015 08:56:31 -0500, Walt Farrell <[email protected]> wrote:

>On Fri, 21 Aug 2015 08:40:38 -0500, Mark Zelden <[email protected]> wrote:
>
>>
>>User zFSes (automounted) are a mixture between the two major companies I
>>support.
>>One of them uses their personal HLQ, for example userid.OMVS.ZFS, and
>>the other one uses a system HLQ, for example SYSO.userid.ZFS or
>>SYS.OMVS.userid.zFS.
>>I can see why there is a recommendation for the latter because the
>>average user really doesn't need access to their physical file system,
>>but I also don't have a problem with the HLQ being the same as all their
>>other files.
>>The user can delete their zFS all they want and they aren't going to
>>destroy anything in the system or any other person's data nor application data.
>
>If you're going to have zFS data sets prefixed with user IDs you need to be
>very careful how you mount them. You probably know that, but others may not.
>The real danger with such data sets is that the users can update them
>directly, and change the permission bits and other metadata for files, such
>that executable files within the zFS will run with UID(0) (superuser) or some
>other user's authority, or run APF-authorized or program-controlled.
>
>To prevent that security exposure you need to ensure that the mount
>specifications for all those userid-prefixed zFS data sets specify NOSETUID,
>which is not the default.
>
>--
>Walt

Thanks Walt! Great point that I didn't think to mention because I set this up so long ago I forgot about that consideration.

I do have that set on the systems / sysplexes that use the user's HLQ. For example:

name         *
type         ZFS
filesystem   <uc_name>.TPLEX.ZFS
mode         rdwr
duration     10
delay        10
setuid       no
allocuser    space(2,1) cyl

Best Regards,

Mark
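The check Walt describes, applied to the kind of automount stanza Mark posted, as an added example that is not part of the thread or anyone's production tooling. The function names are hypothetical, the parser assumes one keyword per line, and `<asis_name>` is included as a second user-name symbol that does not appear in the thread.

```python
# Added example: flag automount stanzas whose zFS HLQ is the user's ID and that
# do not specify "setuid no". Simplified parser: one keyword per line.
USER_SYMBOLS = ("<uc_name>", "<asis_name>")  # symbols that expand to the user name

def parse_stanzas(text):
    """Split map text into dicts; a 'name' line starts a new stanza."""
    stanzas = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "name" or not stanzas:
            stanzas.append({})
        stanzas[-1][key] = parts[1].strip() if len(parts) > 1 else ""
    return stanzas

def audit(text):
    """Return (name, filesystem, reason) for each stanza needing attention."""
    findings = []
    for st in parse_stanzas(text):
        fs = st.get("filesystem", "")
        if fs.split(".", 1)[0].lower() not in USER_SYMBOLS:
            continue  # HLQ is not the user's ID, e.g. SYS.OMVS.<uc_name>.ZFS
        setuid = st.get("setuid")
        if setuid is None:
            # Per the thread, NOSETUID is not the default, so omission is a finding.
            findings.append((st.get("name", "?"), fs, "setuid not specified"))
        elif setuid.lower() != "no":
            findings.append((st.get("name", "?"), fs, "setuid " + setuid))
    return findings

# Stanza from the thread, one keyword per line.
MAP_FROM_THREAD = """\
name *
type ZFS
filesystem <uc_name>.TPLEX.ZFS
mode rdwr
duration 10
delay 10
setuid no
allocuser space(2,1) cyl
"""
# Constructed variants for comparison.
MAP_NO_SETUID = MAP_FROM_THREAD.replace("setuid no\n", "")
MAP_SYSTEM_HLQ = MAP_NO_SETUID.replace("<uc_name>.TPLEX.ZFS", "SYS.OMVS.<uc_name>.ZFS")

if __name__ == "__main__":
    for label in ("MAP_FROM_THREAD", "MAP_NO_SETUID", "MAP_SYSTEM_HLQ"):
        print(label, audit(globals()[label]) or "ok")
```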
