> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jacob Dekel
> Sent: Monday, May 19, 2008 2:06 PM
> To: [email protected]
> Subject: Re: z/Linux access to z/OS DASD
> 
> First, a confession: I am the one who wrote the device driver that
> enables accessing z/OS dasd from z/Linux.
> 
> Regarding the security issues that were raised here: They are 
> valid and
> I agree with what was said. However, *if* you have a z/OS volume
> accessible from z/Linux with or without a driver, then you'd 
> better make
> sure that you are in control of this situation. This was true even
> without such a driver existing because with a few lines of code and
> minutes away that z/OS disk can be cloned. Bottom line - make sure you
> do not put online in z/Linux what does not belong there.

Very true! That is why, back when I had z/Linux, I only allowed direct
access to the DASD by z/VM. All z/Linux data was on a "minidisk" which
started on physical cylinder 1. I know that is not optimal in terms of
doing I/O, but the z/OS sysprog and secadmin in me was comforted by it.

> 
> As for security that the driver itself provides, these are two:
> 1. All data is accessed read-only. There is no way to write to the
> volume because it is accessed read-only, much like a cd or dvd-rom.
> 2. Mounting the disk is controlled just like any other volume mount in
> z/Linux. You can grant read access just to root or to 
> everyone. If your
> z/Linux is on a lower security level - then you should not make the
> volumes available to z/Linux anyway.
> 
> Regards,
> Jacob Dekel
> http://www.mvsdasd.org

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

The information contained in this e-mail message may be privileged
and/or confidential.  It is for intended addressee(s) only.  If you are
not the intended recipient, you are hereby notified that any disclosure,
reproduction, distribution or other use of this communication is
strictly prohibited and could, in certain circumstances, be a criminal
offense.  If you have received this e-mail in error, please notify the
sender by reply and delete this message without copying or disclosing
it.  

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

Reply via email to