Protecting commands using file system security
Complete the following steps to enable file system security command protection:
- Set system generation option OPSEC to ON:
  - Enter ZSYSG DISPLAY cp0gen3 to display the current state of the OPSEC tag. If the OPSEC option is set to OFF, complete the following steps:
    - Enter ZSYSG ALTER opsec to set OPSEC to ON.
    - Enter ZRIPL to perform a software IPL on the z/TPF system.
  Note: To set OPSEC to OFF, complete the following steps:
    - Enter ZSYSG ALTER noopsec to set OPSEC to OFF.
    - Enter ZRIPL to perform a software IPL on the z/TPF system.
- Create the command protection table in i_prot.h:
  - Edit the base/filesys/include/i_prot.h file to create the table. Each entry in the table must have the format {command, subcommand, mode, user, group, actiontype}, where:
    - command specifies the 4-character command name (omit the Z action character).
    - subcommand specifies the command parameter, written as the parameter abbreviation (the minimum characters required to issue the command). If the command has no parameter, or if you want to protect the command and all of its parameters, enter NO_ENTRY in this field and SINGLEENTRY in the actiontype field.
    - mode specifies the permission level required to issue the command, written as an octal file mode (for example, 0755).
    - user specifies the user allowed to issue the command.
    - group specifies the group allowed to issue the command.
    - actiontype specifies whether the command has a single entry in the command protection tree (SINGLEENTRY) or is part of a group of entries (GROUPENTRY).
  - To protect a command with no parameters, or to protect a command and all of its parameters, specify NO_ENTRY in the subcommand field and SINGLEENTRY in the actiontype field. The following example shows an entry for the ZDCOR command:
      {"dcor", NO_ENTRY, 0755, "root", "bin", SINGLEENTRY},
  - To protect a specific command and parameter, do the following:
    - Create a main entry for the command, specifying NO_ENTRY in the subcommand field and GROUPENTRY in the actiontype field.
    - Create a secondary entry for the command parameter. Specify the name of the command in the command field, the parameter abbreviation in the subcommand field, and GROUPENTRY in the actiontype field. The following example shows the two entries for the ZINET command with the di parameter:
      {"inet", NO_ENTRY, 0751, "root", "bin", GROUPENTRY},
      {"inet", "di", 0755, "root", "bin", GROUPENTRY},
- Compile, build, and load CFVQ.mak.
- Enter ZFILE prot -R to build the directory tree using the table that you created.
The following example shows a sample protection table:
  {"dcor", NO_ENTRY, 0755, "root", "bin", SINGLEENTRY},
  {"inet", NO_ENTRY, 0751, "root", "bin", GROUPENTRY},
  {"inet", "di", 0755, "root", "bin", GROUPENTRY},
  /*****************************************************/
  /* DO NOT REMOVE THE FOLLOWING LAST ENTRY!!!! THANKS */
  /*****************************************************/
  {NO_ENTRY, NO_ENTRY, 0, NO_ENTRY, NO_ENTRY, 0},
  };
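The following is an added example, not code from the z/TPF system or from this page: a stand-alone C program that holds a table in the i_prot.h entry format and works out, the way a directory tree built from that table would, whether a given user and group may issue a command, and cross-checks the table before it is used. The dcor and inet entries are the page's own; the NO_ENTRY, SINGLEENTRY and GROUPENTRY definitions, the rule that the execute bit of the matching owner/group/other class permits issuing a command, the refusal of a parameter that has no secondary entry, and the made-up zzzz command with mode 0750 are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Entry shape from i_prot.h: {command, subcommand, mode, user, group, actiontype}.
 * NO_ENTRY, SINGLEENTRY and GROUPENTRY are stand-ins defined for this example;
 * the real definitions come from the z/TPF headers (assumption). */
#define NO_ENTRY    ""
#define SINGLEENTRY 1
#define GROUPENTRY  2

struct prot_entry {
    const char *command;    /* 4-character name without the Z action character */
    const char *subcommand; /* parameter abbreviation, or NO_ENTRY */
    unsigned    mode;       /* octal permission bits, as on a file */
    const char *user;       /* owning user */
    const char *group;      /* owning group */
    int         actiontype; /* SINGLEENTRY or GROUPENTRY */
};

enum { PROT_DENIED = 0, PROT_ALLOWED = 1, PROT_UNPROTECTED = -1 };

/* The page's sample entries plus one constructed entry, "zzzz" (a made-up
 * command name), whose mode 0750 lets the example show a refusal. */
static const struct prot_entry prot_table[] = {
    {"dcor", NO_ENTRY, 0755, "root", "bin", SINGLEENTRY},
    {"inet", NO_ENTRY, 0751, "root", "bin", GROUPENTRY},
    {"inet", "di",     0755, "root", "bin", GROUPENTRY},
    {"zzzz", NO_ENTRY, 0750, "root", "bin", SINGLEENTRY}, /* constructed */
    {NO_ENTRY, NO_ENTRY, 0, NO_ENTRY, NO_ENTRY, 0},      /* terminator: keep last */
};

/* Owner/group/other resolution as on a file: the first class that matches decides,
 * and its execute bit is what permits issuing the command (assumption). */
static int has_exec(const struct prot_entry *e, const char *user, const char *group)
{
    unsigned bits;
    if (strcmp(user, e->user) == 0)        bits = (e->mode >> 6) & 7;
    else if (strcmp(group, e->group) == 0) bits = (e->mode >> 3) & 7;
    else                                   bits = e->mode & 7;
    return (bits & 1) != 0;
}

static const struct prot_entry *find_entry(const struct prot_entry *t,
                                           const char *cmd, const char *sub)
{
    for (; t->command[0] != '\0'; t++)
        if (strcmp(t->command, cmd) == 0 && strcmp(t->subcommand, sub) == 0)
            return t;
    return NULL;
}

/* May user/group issue Zcmd with parameter sub? sub must be the abbreviation
 * exactly as it appears in the table (no prefix matching in this example). */
int can_issue(const struct prot_entry *t, const char *cmd, const char *sub,
              const char *user, const char *group)
{
    const struct prot_entry *top = find_entry(t, cmd, NO_ENTRY);
    const struct prot_entry *leaf;
    if (top == NULL)
        return PROT_UNPROTECTED;           /* not in the table: no file system check */
    if (!has_exec(top, user, group))
        return PROT_DENIED;                /* cannot enter the command's node */
    if (top->actiontype == SINGLEENTRY || sub[0] == '\0')
        return PROT_ALLOWED;               /* SINGLEENTRY covers every parameter */
    /* GROUPENTRY: the main entry only grants traversal; the parameter needs its
     * own secondary entry, and one without an entry is refused (assumption). */
    leaf = find_entry(t, cmd, sub);
    if (leaf == NULL)
        return PROT_DENIED;
    return has_exec(leaf, user, group) ? PROT_ALLOWED : PROT_DENIED;
}

/* Checks worth running before ZFILE prot -R: a parameter entry must be GROUPENTRY
 * and must have a GROUPENTRY main entry for its command. Returns the problem count. */
int validate_table(const struct prot_entry *t)
{
    const struct prot_entry *e, *top;
    int problems = 0;
    for (e = t; e->command[0] != '\0'; e++) {
        if (e->subcommand[0] == '\0')
            continue;                      /* main entry, nothing to cross-check */
        top = find_entry(t, e->command, NO_ENTRY);
        if (e->actiontype != GROUPENTRY || top == NULL || top->actiontype != GROUPENTRY) {
            printf("bad entry {%s, %s}: parameter entries and their main entry must be GROUPENTRY\n",
                   e->command, e->subcommand);
            problems++;
        }
    }
    return problems;
}

int main(void)
{
    printf("table problems: %d\n", validate_table(prot_table));
    printf("root  ZDCOR    -> %d\n", can_issue(prot_table, "dcor", NO_ENTRY, "root", "bin"));
    printf("alice ZINET di -> %d\n", can_issue(prot_table, "inet", "di", "alice", "users"));
    printf("alice ZZZZZ    -> %d\n", can_issue(prot_table, "zzzz", NO_ENTRY, "alice", "users"));
    return 0;
}
```

The mode 0751 on the inet main entry is what makes the GROUPENTRY form work for everyone: the other class has only the execute bit, so any user can reach the inet node, while the di entry's 0755 decides whether the parameter itself may be issued. A parameter of inet that has no secondary entry is refused in this example; whether the real z/TPF tree treats an unlisted parameter the same way is not stated on this page.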
You can also use the ZFILE prot command to add, modify, or delete entries in the command protection directory tree.
Related information:
- See the ZDCOR, ZFILE prot, ZRIPL, ZSYSG ALTER, and ZSYSG DISPLAY commands in z/TPF Operations.