Setting up the UNIX-related FACILITY and SURROGAT class profiles

You can control who can use certain UNIX functions when you define RACF® profiles with UACC(NONE) to protect the appropriate resources in the FACILITY and SURROGAT classes. The resources that are related to UNIX functions start with the prefix BPX. Generally, authorized users need at least READ access to the FACILITY resources in order to use the UNIX function.

Do not define the generic profile BPX.* or unintended security-related behavior might occur. If BPX.* is defined, then the OMVS address space identity must be permitted to it and BPXOINIT must have a different user identity than OMVS. Following these guidelines will prevent unintended security-related behavior from occurring on your system.

To activate RACF control of UNIX functions, use the RACF SETROPTS CLASSACT FACILITY command. Permit your authorized users to the appropriate resources before you activate the FACILITY class or else users will not be able to use protected UNIX functions.

Because TRUSTED users are not permitted to the BPX.SERVER or the BPX.DAEMON profiles by default, they do not have any authorities that are associated with having access to these two profiles.

Defining class profiles for security reasons

For security reasons, you might need to define these class profiles. All of the following are FACILITY class profiles, except for BPX.SRV, which is a SURROGAT class profile.
Table 1. Defining class profiles for security reasons
FACILITY class profile Description
BPX.CF Controls access to the _cpl service.
BPX.CONSOLE Allows a permitted user the ability to use the _console() or _console2() services.
BPX.DAEMON BPX.DAEMON serves two functions in the z/OS UNIX environment:
  • Any superuser that is permitted to this profile has the daemon authority to change MVS™ identities via z/OS UNIX services without knowing the target user ID's password or password phrase. This identity change can only occur if the target user ID has a defined OMVS segment.

    If BPX.DAEMON is not defined, then all superusers (UID=0) have daemon authority. If you want to limit which superusers have daemon authority, define this profile and permit only selected superusers to it.

  • Any program that is loaded into an address space that requires daemon level authority must be defined to program control. If the BPX.DAEMON FACILITY class profile is defined, then z/OS UNIX will verify that the address space has not loaded any executables that are uncontrolled before it allows any of the following services that are controlled by z/OS UNIX to succeed:
    • seteuid
    • setuid
    • setreuid
    • pthread_security_np()
    • auth_check_resource_np()
    • _login()
    • _spawn() with user ID change
    • _passwd()

Daemon authority is required only when a program does a setuid(), seteuid(), setreuid(), or spawn() user ID to change the current UID without first having issued a _passwd() call to the target user ID. In order to change the MVS identity without knowing the target user ID's password or password phrase, the caller of these services must be a superuser. Additionally, if a BPX.DAEMON FACILITY class profile is defined and the FACILITY class is active, the caller must be permitted to use this profile. If a program comes from a controlled library and knows the target UID's password or password phrase, it can change the UID without having daemon authority.

The RACF WARNING mode is not supported for BPX.DAEMON.

For more information about BPX.DAEMON, see Establishing the correct level of security for daemons.
BPX.DAEMON.HFSCTL Controls which users with daemon authority are allowed to load uncontrolled programs from MVS libraries into their address space.
Restriction: BPX.DAEMON.HFSCTL does not allow generic profiles.
BPX.DEBUG Users with READ access to BPX.DEBUG can debug certain types of restricted processes. These do not include processes that have a PID of 1. To debug programs that run with APF authority or with BPX.SERVER authority, they can use dbx to call the ptrace callable service.
BPX.EXECMVSAPF.program_name Allows unauthorized callers of the execmvs callable service to pass an argument that is greater than 100 characters to an authorized program.

If the FACILITY class resource exists, then unauthorized callers can pass arguments greater than 100 characters to the program name that is specified in the FACILITY class profile. Individual users do not need to be given access to the profile. If you do not want unauthorized callers to pass an argument greater than 100 characters to any authorized programs, do not define any BPX.EXECMVSAPF.program_name profiles.

To allow certain authorized programs to be called with an argument greater than 100 characters, define a profile for each program: 
BPX.EXECMVSAPF.YOURPGM
BPX.EXECMVSAPF.MYPGM
To allow a group of commonly named authorized programs to be called with an argument greater than 100 characters, define a profile that allows for pattern matching. For example, if you have a set of related programs that all begin with the same three characters, MYP, define: 
BPX.EXECMVSAPF.MYP*
As a result, all unauthorized callers can pass an argument greater than 100 characters to any authorized program that begins with the characters MYP.
To allow all unauthorized users the ability to pass any argument up to 4096 characters long to any authorized program, then define one profile:
BPX.EXECMVSAPF.*
However, IBM does not recommend defining this type of profile.
BPX.FILEATTR.APF Controls which users are allowed to set the APF-authorized attribute in a z/OS® UNIX file. This authority allows the user to create a program that will run APF-authorized. This is similar to the authority of allowing a programmer to update SYS1.LINKLIB or SYS1.LPALIB.
BPX.FILEATTR.PROGCTL Controls which users are allowed to set the program control attribute. Programs marked with this attribute can execute in server address spaces that run with a high level of authority. See Defining programs in UNIX files to program control for more information.
BPX.FILEATTR.SHARELIB Indicates that extra privilege is required when setting the shared library extended attribute via the chattr() callable service. This setting prevents the shared library region from being misused. See Defining UNIX files as shared library programs for more information.
BPX.JOBNAME Controls which users are allowed to set their own job names by using the _BPX_JOBNAME environment variable or the inheritance structure on spawn. Users with READ or higher permissions to this profile can define their own job names.
BPX.MAINCHECK Extends the enhanced program security protection to your UNIX daemons and servers that do not use RACF execute-controlled programs. For more information, see RACF with enhanced program security, BPX.DAEMON, and BPX.MAINCHECK and RACF with enhanced program security, BPX.SERVER, and BPX.MAINCHECK.
Restriction: BPX.MAINCHECK does not allow generic profiles.
BPX.MAP Controls access to the _map and _map_init services.
BPX.NEXT.USER Enables automatic assignment of UIDs and GIDs. The APPLDATA field of this profile specifies a starting value, or range of values, from which RACF will derive unused UID and GID values. For more information about BPX.NEXT.USER, see BPX.NEXT.USER in z/OS Security Server RACF Security Administrator's Guide.
BPX.POE Controls access to the _poe service.
BPX.SAFFASTPATH Enables faster security checks for file system and IPC constructs. For more information, see Fastpath support for System Authorization Facility (SAF).
Restriction: BPX.SAFFASTPATH does not allow generic profiles.
BPX.SERVER Restricts the use of the pthread_security_np() service. A user with at least READ or WRITE access to the BPX.SERVER FACILITY class profile can use this service. It creates or deletes the security environment for the caller's thread.

This profile is also used to restrict the use of the BPX1ACK service, which determines access authority to z/OS resources

Servers with authority to BPX.SERVER must run in a clean program-controlled environment. z/OS UNIX will verify that the address space has not loaded any executables that are uncontrolled before it allows any of the following services that are controlled by z/OS UNIX to succeed:
  • seteuid
  • setuid
  • setreuid
  • pthread_security_np()
  • auth_check_resource_np()
  • _login()
  • _spawn() with user ID change
  • _passwd()

For more information about BPX.SERVER, see Preparing security for servers and Establishing the correct level of security for daemons.
BPX.SMF or BPX.SMF.type.subtype Grants a permitted user access to write an SMF record or to test if an SMF type or subtype is being recorded.
  • The BPX.SMF profile grants the permitted user the authority to write or test for any SMF record that is being recorded. The program-controlled attribute is not required if BPX.SMF is used.
  • For more granular access to writing SMF records, BPX.SMF.type.subtype grants a permitted user the authority to write or test only the SMF record of the specific type and subtype contained in the FACILITY class profile name. The BPX.SMF.type.subtype FACILITY class profile requires a clean program-controlled environment.

    The smf_record syscall verifies that the address space has not loaded any executables that are uncontrolled and any future loads or execs to files that reside in uncontrolled libraries are prevented. Note that type and subtype in the FACILITY class name do not have leading zeros.

    Some examples are as follows:
    • BPX.SMF.7.0
    • BPX.SMF.119.94
    • BPX.SMF.0.0
BPX.SHUTDOWN Controls access to the oe_env_np service to register and block for OMVS shutdown.
BPX.SRV.userid

Allows users to change their UID if they have access to BPX.SRV.userid, where userid is the MVS user ID associated with the target UID. BPX.SRV.userid is a RACF SURROGAT class profile.
BPX.STOR.SWAP Controls which users can make address spaces nonswappable. Users who are permitted with at least READ access to BPX.STOR.SWAP can invoke the __mlockall() callable service to make their address space either nonswappable or swappable.

When an application makes an address space nonswappable, it might cause additional real storage in the system to be converted to preferred storage. Because preferred storage cannot be configured offline, using this service can reduce the installation's ability to reconfigure storage in the future. Any application that uses this service should warn the customer about this side effect in their installation documentation.
BPX.STICKYSUG.program_name Enables the exec and spawn services to use the MVS program search order to locate the program to be run when the specified path name resolves to a file with the sticky attribute and either the set-user-id or set-group-id attributes.

If a FACILITY class resource exists, then the MVS program search order can be used in locating the program name that is specified in the FACILITY class profile. Individual users do not need to be given access to the profile.

For examples of using this class profile, see Examples of BPX.STICKYSUG.program_name.
BPX.SUPERUSER Allows users to switch to superuser authority. For more information about BPX.SUPERUSER, see Superusers in z/OS UNIX.
BPX.UNLIMITED.OUTPUT Allows users to use the _BPX_UNLIMITED_OUTPUT environment variable to override the default spooled output limits for processes.
BPX.WLMSERVER Controls access to the WLM server functions _server_init() and _server_pwu(). It also controls access to these C language WLM interfaces:
  • QuerySchEnv()
  • CheckSchEnv()
  • DisconnectServer()
  • DeleteWorkUnit()
  • JoinWorkUnit()
  • LeaveWorkUnit()
  • ConnectWorkMgr()
  • CreateWorkUnit()
  • ContinueWorkUnit()

A server application with read permission to this FACILITY class profile can use both the server functions and the WLM C language functions to create and manage work requests.

Examples of BPX.STICKYSUG.program_name

  1. If you do not want the exec and spawn services to use the MVS program search order to locate programs, do not define any BPX.STICKYSUG.program_name profiles.
  2. If you want the exec and spawn services to use the MVS program search order for certain programs, then define a profile for each program:
    BPX.STICKYSUG.YOURPGM 
BPX.STICKYSUG.MYPGM
  3. If you want the exec and spawn services to use the MVS program search order for a group of commonly named programs, then define a generic profile: 
    BPX.STICKYSUG.MYP*
    The exec and spawn will use the MVS program search order for any programs that begin with the characters MYP.
  4. If you want the exec and spawn services to always use the MVS program search order, then define one profile: 
    BPX.STICKYSUG.*
    However, IBM does not recommend defining this type of profile.

Permissions for undefined FACILITY class profiles

Table 2 shows whether the caller is permitted to use the services with the indicated profile if that profile is defined and if the caller's user ID is permitted to the specified RACF FACILITY class profile.
  • YES indicates that the caller is permitted to use the services that are associated with the profile.
  • NO indicates that the caller is not permitted to use the services that are associated with the profile.
For example, if BPX.DAEMON is not defined and the caller has a nonzero UID, then that caller would not be permitted to use setuid.
Table 2. Permissions for undefined FACILITY class profiles
Undefined FACILITY class profile If UID(0) If not UID(0)
BPX.CF No No
BPX.CONSOLE. It controls access to authorized features of the _console() service and not used to control which users can use the base _console() service. Yes No
BPX.DAEMON Yes No
BPX.DAEMON.HFSCTL No No
BPX.DEBUG No No
BPX.EXECMVSAPF.program_name No No
BPX.FILEATTR.APF No No
BPX.FILEATTR.PROGCTL No No
BPX.FILEATTR.SHARELIB No No
BPX.JOBNAME Yes No
BPX.MAINCHECK No No
BPX.MAP Yes No
BPX.NEXT.USER, which is used by RACF to assign UIDs and GIDs when creating or altering a user ID's OMVS segment and is not processed directly by z/OS UNIX. Not applicable Not applicable
BPX.UNLIMITED.OUTPUT Yes No
BPX.POE Yes No
BPX.SAFFASTPATH No No
BPX.SERVER Yes No
BPX.SHUTDOWN Yes No
BPX.SMF or BPX.SMF.type.subtype No No
BPX.SRV.userid. Its profiles are defined in the RACF SURROGAT class. No No
BPX.STOR.SWAP Yes No
BPX.STICKYSUG.program_name No No
BPX.SUPERUSER No No
BPX.WLMSERVER Yes No

Permissions for defined FACILITY class profiles if user ID is not permitted

Table 3 shows whether the caller is permitted to use the services with the indicated profile if that profile is defined and the caller's user ID is not permitted to the specified RACF FACILITY class profile.
  • YES indicates that the caller is permitted to use the services that are associated with the profile.
  • NO indicates that the caller is not permitted to use the services that are associated with the profile.
Table 3. Permissions for defined FACILITY class profiles if user ID is not permitted
Defined FACILITY class profile and caller is not permitted If UID(0) If not UID(0)
BPX.CF No No
BPX.CONSOLE. It controls access to authorized features of the _console() service and not used to control which users can use the base _console() service. Yes No
BPX.DAEMON No No
BPX.DAEMON.HFSCTL No No
BPX.DEBUG No No
BPX.EXECMVSAPF.program_name Yes Yes
BPX.FILEATTR.APF No No
BPX.FILEATTR.PROGCTL No No
BPX.FILEATTR.SHARELIB No No
BPX.JOBNAME Yes No
BPX.MAINCHECK Yes Yes
BPX.MAP No No
BPX.NEXT.USER, which is used by RACF to assign UIDs and GIDs when creating or altering a user ID's OMVS segment and is not processed directly by z/OS UNIX. Not applicable Not applicable
BPX.UNLIMITED.OUTPUT Yes No
BPX.POE No No
BPX.SAFFASTPATH No No
BPX.SERVER No No
BPX.SHUTDOWN No No
BPX.SMF or BPX.SMF.type.subtype No No
BPX.SRV.userid. Its profiles are defined in the RACF SURROGAT class. No No
BPX.STOR.SWAP No No
BPX.STICKYSUG.program_name Yes Yes
BPX.SUPERUSER No No
BPX.WLMSERVER No No

Permission for defined FACILITY class profiles if user ID is permitted

Table 4 shows whether the caller is permitted to use the services with the indicated profile if that profile is defined and the caller's user ID is permitted to the specified RACF FACILITY class profile.
  • YES indicates that the caller is permitted to use the services associated with the profile.
  • NO indicates that the caller is not permitted to use the services that are associated with the profile.
Table 4. Permissions for defined FACILITY class profiles if user ID is permitted
Defined FACILITY class profile and caller is permitted If UID(0) If not UID(0)
BPX.CF Yes Yes
BPX.CONSOLE. It controls access to authorized features of the _console() service and not used to control which users can use the base _console() service. Yes Yes
BPX.DAEMON Yes No
BPX.DAEMON.HFSCTL Yes Yes
BPX.DEBUG Yes Yes
BPX.EXECMVSAPF.program_name Yes Yes
BPX.FILEATTR.APF Yes Yes
BPX.FILEATTR.PROGCTL Yes Yes
BPX.FILEATTR.SHARELIB Yes Yes
BPX.JOBNAME Yes Yes
BPX.MAINCHECK Yes Yes
BPX.MAP Yes Yes
BPX.NEXT.USER, which is used by RACF to assign UIDs and GIDs when creating or altering a user ID's OMVS segment and is not processed directly by z/OS UNIX. Not applicable Not applicable
BPX.UNLIMITED.OUTPUT Yes Yes
BPX.POE Yes Yes
BPX.SAFFASTPATH Yes Yes
BPX.SERVER Yes Yes
BPX.SHUTDOWN Yes Yes
BPX.SMF or BPX.SMF.type.subtype Yes Yes
BPX.SRV.userid. Its profiles are defined in the RACF SURROGAT class. Yes Yes
BPX.STOR.SWAP Yes Yes
BPX.STICKYSUG.program_name Yes Yes
BPX.SUPERUSER Yes Yes
BPX.WLMSERVER Yes Yes