On Fri, 21 Aug 2015 10:18:03 -0500, Paul Gilmartin <[email protected]> wrote:
>On Fri, 21 Aug 2015 09:33:00 -0500, Mark Zelden wrote:
>
>>On Fri, 21 Aug 2015 08:56:31 -0500, Walt Farrell wrote:
>>>
>>>To prevent that security exposure you need to ensure that the mount
>>>specifications for all those userid-prefixed zFS data sets specify NOSETUID,
>>>which is not the default.
>>
>>Thanks Walt! Great point that I didn't think to mention because I set this
>>up so long ago I forgot about that consideration. I do have that set on the
>>systems / sysplexes that use the user's HLQ. For example:
>>
>>name *
>>type ZFS
>>filesystem <uc_name>.TPLEX.ZFS
>>mode rdwr
>>duration 10
>>delay 10
>>setuid no
>>allocuser space(2,1) cyl
>>
>Beware also of "uc_name", which allows a nuisance (perhaps inadvertent)
>DoS attack. Prevent this with either "charcase lower" or "charcase upper"
>(or "asis_name"), at the cost of losing some flexibility in naming.
>
>(Would asis_name with DISABLE(DSNCHECK) also work?)
>

Can you please expound on that and provide an example of how this can be used to DoS
my systems? BTW, I've seen this in many IBM examples, manuals, presentations etc.

Regards,

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
ITIL v3 Foundation Certified
mailto:[email protected]
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://search390.techtarget.com/ateExperts/
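An added example, not part of the thread or of any IBM tooling: a small audit that reads an automount map in the keyword/value layout quoted above and reports every entry that does not carry an explicit `setuid no`. It assumes, following Walt's remark that NOSETUID is not the default, that an entry without the keyword is mounted with setuid honoured; the second map entry and its `EXAMPLE` qualifier are constructed for illustration.

```python
import re

# Constructed sample: entry 1 is the policy quoted in the thread, entry 2 is hypothetical.
SAMPLE_MAP = """\
name *
type ZFS
filesystem <uc_name>.TPLEX.ZFS
mode rdwr
duration 10
delay 10
setuid no
allocuser space(2,1) cyl

name *
type ZFS
filesystem <uc_name>.EXAMPLE.ZFS
"""

NAME_SYMBOL = re.compile(r"<(uc_name|asis_name)>", re.IGNORECASE)

def parse_entries(text):
    """Split an automount map into entries; each 'name' keyword starts a new one."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "name" or not entries:
            entries.append({})
        entries[-1][key] = value
    return entries

def audit(text):
    """Return (filesystem, reason) for each entry lacking an explicit 'setuid no'."""
    findings = []
    for e in parse_entries(text):
        fs = e.get("filesystem", "")
        setuid = e.get("setuid", "").lower()
        if setuid != "no":
            how = "setuid keyword missing" if "setuid" not in e else f"setuid {setuid}"
            scope = "name-derived data set" if NAME_SYMBOL.search(fs) else "fixed data set"
            findings.append((fs, f"{how} ({scope})"))
    return findings

if __name__ == "__main__":
    for fs, reason in audit(SAMPLE_MAP):
        print(f"{fs}: {reason}")
```

Entries reported as "name-derived data set" are the userid-prefixed case Walt describes, where the owning user controls the file system contents.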
