    @ SC65:/u/user1>pax -vf test.pax
    -rwx------  1 STC SYS1 620000 May  3 15:28 /u/user1/test/file1
    -rwx------+ 1 STC SYS1 660000 May  3 15:29 /u/user1/test/file2

The tar command

The tar -U command (USTAR format) preserves ACLs in archives as follows:

- ACLs are restored on extracted files only when -A is also specified.
- For verbose output (tar -v), a + character is appended to the file permission bits of every file that has an extended ACL (as for the pax command).

The df command

The df -v command indicates whether the file system and the security product support ACLs, as shown in Figure 3-54.

    @ SC63:/>df -v /u/user1/test
    Mounted on     Filesystem        Avail/Total   Files        Status
    /u/user1       (OMVS.USER1.HFS)  14208/14400   4294967293   Available
    HFS, Read/Write, Device:241, ACLS=Y
    File System Owner : SC63        Automove=Y    Client=N
    Filetag : T=off   codeset=0

Figure 3-54 Example of df -v command

Notes:

- ACLS=Y does not mean that the FSSEC class profile is active. It means that the file system will store ACLs and pass them to the security product.
- Using ACLs must be supported by the file system that the file or directory belongs to. In z/OS V1.3 it is supported by zFS and HFS. ACLs are not currently supported for a temporary file system (TFS) in z/OS V1R3.

3.17.4 Using ACLs in a sysplex

Using ACLs should be no different on a sysplex client than on a sysplex server system if all the participating systems are running at V1R3 or higher. In a sysplex environment, all participating nodes must be on a release level that has ACL support. If any of the participating nodes are at a release level that does not contain ACL support and you have enabled the FSSEC class on an up-level node, then files that are protected by ACLs will not be accessible on down-level nodes (assuming that the compatibility APAR has been applied), except perhaps by a superuser or the file owner. The APAR is OW50655 for SAF and OW49334 for RACF.
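The two checks described above for tar/pax and df -v (a trailing + on the permission bits marks a file with an extended ACL; ACLS=Y in df -v output means the target file system will store and pass ACLs) can be combined into a pre-restore sanity check. The following POSIX sh script is an added example, not code from the Redbook or from IBM; it operates on constructed sample output in the shape of the listings shown above (the second df sample with ACLS=N is an invented counterexample for a file system that does not store ACLs) so that it runs offline, and the function names are the author's own.

```shell
#!/bin/sh
# Added example: decide whether restoring an archive onto a file system will
# carry the archive members' ACLs across, using only the two indicators the
# text describes: the '+' suffix in verbose listings and ACLS=Y in df -v.

# Print the paths of listing entries whose permission field ends in '+',
# i.e. files that carry an extended ACL. $1 is the verbose listing text.
acl_members() {
    printf '%s\n' "$1" | awk '$1 ~ /\+$/ { print $NF }'
}

# Succeed (exit 0) if the df -v output in $1 reports ACLS=Y.
fs_supports_acls() {
    printf '%s\n' "$1" | grep -q 'ACLS=Y'
}

# Combine both checks. $1 = listing text, $2 = df -v text for the target.
# Prints one line per ACL-bearing member, prefixed "ok:" when the target
# will store the ACL and "warn:" when it will be silently dropped.
# Returns 0 when every ACL will be preserved, 1 otherwise.
check_restore() {
    _members=$(acl_members "$1")
    [ -z "$_members" ] && return 0          # nothing to lose
    if fs_supports_acls "$2"; then
        printf '%s\n' "$_members" | sed 's/^/ok: ACL will be restored for /'
        return 0
    fi
    printf '%s\n' "$_members" | sed 's/^/warn: ACL will NOT be stored for /'
    return 1
}

# --- constructed samples in the shape of the pax -vf and df -v output above ---
SAMPLE_LISTING='-rwx------  1 STC SYS1 620000 May  3 15:28 /u/user1/test/file1
-rwx------+ 1 STC SYS1 660000 May  3 15:29 /u/user1/test/file2'

SAMPLE_DF_ACL='/u/user1       (OMVS.USER1.HFS)  14208/14400   4294967293   Available
HFS, Read/Write, Device:241, ACLS=Y'

# Invented counterexample: a file system that does not store ACLs.
SAMPLE_DF_NOACL='/tmp           (OMVS.TMP)        14208/14400   4294967293   Available
TFS, Read/Write, Device:242, ACLS=N'

if [ "${1:-}" = "demo" ]; then
    check_restore "$SAMPLE_LISTING" "$SAMPLE_DF_ACL"
    check_restore "$SAMPLE_LISTING" "$SAMPLE_DF_NOACL" || echo "restore would lose ACLs"
fi
```

Run it with `sh acl_check.sh demo`; in practice feed `acl_members` the output of `pax -vf archive.pax` and `fs_supports_acls` the output of `df -v` on the restore target. Remember the note above: ACLS=Y only says the file system stores ACLs, it says nothing about whether the FSSEC class is active, so a positive result here still has to be paired with a check of the security product's configuration.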
3.18 Daemons and security

MVS, traditional UNIX, and z/OS UNIX systems manage user identities differently. A daemon is a long-lived process that runs unattended to perform continuous or periodic system-wide functions, such as network control. Some daemons are triggered automatically to perform their task; others operate periodically. Daemons have superuser authority and can issue authorized functions such as setuid(), seteuid(), and spawn() to change the identity of a user's process.

Chapter 3. Establish security for z/OS UNIX 151