z/OS UNIX System Services Planning


Security requirements for ServerPac and CBPDO installation

GA32-0884-00

Before you can do the ServerPac or CBPDO installation, or install maintenance, you need to satisfy certain security requirements.
  1. The user ID must have UID(0) in its OMVS segment, or READ access to the BPX.SUPERUSER resource in the FACILITY class (in which case it switches to superuser with the su command before installing), and must be connected to a group that has a GID.
  2. The user ID must be permitted READ access to the BPX.FILEATTR.SHARELIB, BPX.FILEATTR.APF and BPX.FILEATTR.PROGCTL resources in the FACILITY class (or to BPX.FILEATTR.* if you choose to use one generic profile for all three resources). The commands that follow are also provided in SYS1.SAMPLIB(BPXISEC1).
    To define BPX.FILEATTR.SHARELIB, BPX.FILEATTR.APF and BPX.FILEATTR.PROGCTL, issue:
    RDEFINE FACILITY BPX.FILEATTR.SHARELIB UACC(NONE)
    RDEFINE FACILITY BPX.FILEATTR.APF UACC(NONE)
    RDEFINE FACILITY BPX.FILEATTR.PROGCTL UACC(NONE)
    SETROPTS CLASSACT(FACILITY)
    SETROPTS RACLIST(FACILITY)
    PERMIT BPX.FILEATTR.SHARELIB CLASS(FACILITY) ID(your_userid) ACCESS(READ) 
    PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(your_userid) ACCESS(READ)
    PERMIT BPX.FILEATTR.PROGCTL CLASS(FACILITY) ID(your_userid) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
    Or, if you choose to use a generic profile that covers all three resources:
    SETROPTS GENERIC(FACILITY)
    RDEFINE FACILITY BPX.FILEATTR.* UACC(NONE)
    SETROPTS CLASSACT(FACILITY)
    SETROPTS RACLIST(FACILITY)
    PERMIT BPX.FILEATTR.* CLASS(FACILITY) ID(your_userid) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
  3. Define the following user ID and group IDs in your security data base. Even though they are lowercase in the example, these names should be defined in uppercase for ease of use and manageability.
    • Group IDs
      • uucpg
      • TTY
    • User IDs
      • uucp
    Note these rules:
    1. The GID and UID values assigned to these IDs must be unique; they cannot be used by any other IDs. If you assign the same GID to multiple groups, control at the individual group level is lost, because z/OS UNIX security checks use the GID, not the group name: RACF® groups that have the same GID are treated as a single group during those checks, so resources can be shared between groups unintentionally. Likewise, users who share a UID each have access to all of the resources of the other users with that UID. That shared access covers not only z/OS UNIX resources such as files, but also resources of the other user that are normally considered to be outside the scope of z/OS UNIX.
    2. You must duplicate the required user ID and group names in each security database, including the same UID and GID values in the OMVS segment. Duplicating the IDs simplifies the process of transporting the HFS data sets from test systems to production systems. For example, the group name TTY on System 1 must have the same GID value on System 2 and System 3. If you cannot synchronize your databases, you will need to continue running the FOMISCHO job against each system after z/OS UNIX is installed.
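The two rules above can be checked mechanically before you transport file systems between systems. The following script is an added example and is not from this book or from SYS1.SAMPLIB: it parses the OMVS INFORMATION lines of LISTUSER and LISTGRP output captured on each system (for example, LISTUSER UUCP OMVS and LISTGRP TTY OMVS), reports any UID or GID shared by more than one ID on a single system (rule 1, applied to every ID, not only uucp, uucpg and TTY), reports required IDs that are absent or have no OMVS segment, and reports IDs whose UID or GID differs between systems (rule 2). The listings in LISTINGS are constructed for the example; only the USER=, INFORMATION FOR GROUP, UID= and GID= lines are parsed, so the layout of the other lines is an assumption.

```python
"""Audit OMVS UID/GID assignments across systems (added example, not IBM code)."""
import re
from collections import defaultdict

REQUIRED_USERS = {"UUCP"}
REQUIRED_GROUPS = {"UUCPG", "TTY"}

# Constructed sample listings, not captured from a real system.
# SYS1 has a deliberate GID collision (TTY and OPERGRP both GID 2);
# SYS2 gives UUCP a different UID and has a TTY group with no OMVS segment.
LISTINGS = {
    "SYS1": """\
USER=UUCP      NAME=UUCP DAEMON          OWNER=SYS1      CREATED=14.001
OMVS INFORMATION
----------------
UID= 0000000396
HOME= /usr/spool/uucppublic
PROGRAM= /bin/sh

USER=IBMUSER   NAME=INSTALLATION         OWNER=SYS1      CREATED=14.001
OMVS INFORMATION
----------------
UID= 0000000000
HOME= /
PROGRAM= /bin/sh

INFORMATION FOR GROUP UUCPG
OMVS INFORMATION
----------------
GID= 0000000008

INFORMATION FOR GROUP TTY
OMVS INFORMATION
----------------
GID= 0000000002

INFORMATION FOR GROUP OPERGRP
OMVS INFORMATION
----------------
GID= 0000000002
""",
    "SYS2": """\
USER=UUCP      NAME=UUCP DAEMON          OWNER=SYS1      CREATED=14.001
OMVS INFORMATION
----------------
UID= 0000000397
HOME= /usr/spool/uucppublic
PROGRAM= /bin/sh

INFORMATION FOR GROUP UUCPG
OMVS INFORMATION
----------------
GID= 0000000008

INFORMATION FOR GROUP TTY
NO OMVS INFORMATION
""",
}

USER_HDR = re.compile(r"^USER=(\S+)")
GROUP_HDR = re.compile(r"^INFORMATION FOR GROUP (\S+)")
ID_LINE = re.compile(r"^\s*(UID|GID)=\s*(\d+)")


def parse_listing(text):
    """Return ({user: uid}, {group: gid}) for every ID that has an OMVS segment."""
    users, groups = {}, {}
    current = None  # ("user" | "group", name) of the block being read
    for line in text.splitlines():
        if m := USER_HDR.match(line):
            current = ("user", m.group(1))
        elif m := GROUP_HDR.match(line):
            current = ("group", m.group(1))
        elif (m := ID_LINE.match(line)) and current:
            kind, name = current
            # UID= belongs to a USER block and GID= to a group block; ignore anything else
            if (kind, m.group(1)) == ("user", "UID"):
                users[name] = int(m.group(2))
            elif (kind, m.group(1)) == ("group", "GID"):
                groups[name] = int(m.group(2))
    return users, groups


def find_shared(assignments):
    """Map each UID/GID value held by more than one ID to the sorted names holding it."""
    holders = defaultdict(list)
    for name, value in assignments.items():
        holders[value].append(name)
    return {v: sorted(n) for v, n in holders.items() if len(n) > 1}


def audit(listings):
    """Return a list of findings; an empty list means both rules are satisfied."""
    findings = []
    parsed = {sysname: parse_listing(text) for sysname, text in listings.items()}

    # Rule 1, per system: required IDs present, and no UID or GID shared by two IDs.
    # UID 0 is checked like any other value: each extra UID 0 user is another superuser.
    for sysname, (users, groups) in parsed.items():
        for name in sorted(REQUIRED_USERS - users.keys()):
            findings.append(f"{sysname}: user {name} missing or has no OMVS UID")
        for name in sorted(REQUIRED_GROUPS - groups.keys()):
            findings.append(f"{sysname}: group {name} missing or has no OMVS GID")
        for uid, names in sorted(find_shared(users).items()):
            findings.append(f"{sysname}: UID {uid} shared by users {', '.join(names)}")
        for gid, names in sorted(find_shared(groups).items()):
            findings.append(f"{sysname}: GID {gid} shared by groups {', '.join(names)}")

    # Rule 2, across systems: an ID defined on several systems must carry the same
    # UID/GID everywhere, or file ownership will not survive moving the file system.
    for kind, idx, label in (("user", 0, "UID"), ("group", 1, "GID")):
        names = set().union(*(parsed[s][idx] for s in parsed))
        for name in sorted(names):
            values = {s: parsed[s][idx][name] for s in parsed if name in parsed[s][idx]}
            if len(set(values.values())) > 1:
                findings.append(f"{kind} {name} has different {label} values: {values}")
    return findings


if __name__ == "__main__":
    for finding in audit(LISTINGS):
        print(finding)
```

Run against the constructed listings it reports the shared GID 2 on SYS1, the TTY group on SYS2 without a GID, and the UUCP UID that differs between the two systems; an empty result is the state you want before moving file systems from test to production.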

The following topics describe how to define these IDs to RACF. (If you are using an equivalent security product, refer to that product's documentation.) All the RACF commands are issued by a user ID with RACF SPECIAL authority. Three procedures are described:





Copyright IBM Corporation 1990, 2014