z/OS Network File System Guide and Reference
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


SAF checking with checklist processing

z/OS Network File System Guide and Reference
SC23-6883-00

When you specify security(saf) or security(safexp) with the checklist attribute, the NFS server performs SAF as described in SAF and exports list checking–security(safexp). The only exception to this is that it will not check the files and directories that are underneath the mount points that either match the mount point or the children of the mount points that are specified in the exports data set using the dirsuf parameter. For more information, see Exports data set.
Table 1. UID, GID, SGID permission checking with security site attribute
Client z/OS Comments
uid gid sgids uid gid sgid
uid_a gid_a sgid_b,... N/A N/A N/A When security(none) or security(exports) is used the z/OS NFS server checks the object owner uid, owner_group gid and its permission bits against the client uid (uid_a), gid (gid_a), and supplemental gids (sgid_b,...) in the RPC AUTH_SYS authentication.
Advantages: Performance may be improved.
Disadvantages:
  1. The RPC AUTH_SYS allows only a maximum of 16 supplemental gids.
  2. Spoofing of client uids, gids, and sgids cannot be prevented.
  3. The object in the underlying physical file system (zFS or HFS) could have extended ACL entries, but the z/OS NFS server does not check
uid_a gid_a sgid_b,.. uid_A gid_A sgid_B,.. When security(saf) or security(safexp) is used the z/OS NFS server defers to the underlying physical file system (zFS or HFS) and RACF to check the object owner uid, owner_group gid, and its permission bits against the mapped Client-z/OS uid (uid_A), gid (gid_A), and supplemental gids (sgid_B,...) from RACF User's Definition
Note:
  1. mvslogin establishes the mapped Client to z/OS uid_A, gid_A, sgid_B,....
  2. The RPC AUTH_SYS authentication (uid_a) is used to find the mapped Client to z/OS segment ( uid_A, gid_A, sgid_B,... ).
Advantages:
  1. The RPC AUTH_SYS limitation of maximum 16 supplemental gids is eliminated because of the mapped Client to z/OS supplemental gids ( sgid_B,... ).
  2. Spoofing of uid/gids/sgids is prevented by mvslogin
  3. Exploits the underlying physical file system ACL support
Disadvantages: Performance may be impaired.
Parent topic: Protecting the file system on z/OS with the Security site attribute

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014