| Category | Traditional UNIX | Traditional z/OS | z/OS UNIX |
|---|---|---|---|
| User identity | Users are assigned a unique UID, a 4-byte integer, and a user name. | Users are assigned a unique user ID of 1-to-8 characters. | Users are assigned a unique user ID with an associated UID. |
| Security identity | UID | User ID | UID for accessing traditional UNIX resources and the user ID for accessing traditional z/OS resources |
| Login ID | Name used to locate a UID | Same as the user ID | Same as the user ID |
| Special user | Multiple user IDs can be assigned a UID of 0. | RACF® administrator assigns necessary authority to users. | Multiple user IDs can be assigned a UID of 0 or users can be permitted to BPX.SUPERUSER. |
| Data set access | Superuser can access all files. | All data sets controlled by RACF profiles. | Superuser can access all UNIX files; data sets controlled by RACF profiles. |
| Identity change from superuser to regular user | Superuser can change the UID of a process to any UID using setuid() or seteuid() functions. | APF-authorized program can invoke SAF service to change identity. | There are two options: (1) If BPX.DAEMON is not defined, the superuser can change the UID of a process to any UID using setuid() or seteuid() functions. (2) Or, the superuser must be permitted to BPX.DAEMON in order to change UIDs. |
| Identity change from regular user to superuser | The su shell command allows change if the user provides the password for the root. Password phrases are not used in traditional UNIX security. | No provision for unauthorized user to change identity. | The su shell command allows change if the user is permitted to BPX.SUPERUSER or if the user provides the password or password phrase of a user with a UID of 0. |
| Identity change of a regular user from one UID to another UID | The su shell command allows change if the user provides the password. Password phrases are not used in traditional UNIX security. | No provision for unauthorized user to change identity. | The su shell command allows change if the user provides the password or password phrase. |
| Terminate user processes | Superuser can kill any process. | MVS operator can cancel any address space. | Superuser can kill any process. |
| Multiple logins | Users can log in to a single user ID multiple times. | Users can only log on to TSO/E once per user ID. | Users can rlogin multiple times to a single user ID and log on once to TSO/E at the same time. |
| Login daemons | inetd, rlogind, lm, and telnetd process user requests for login. A process is created with the user identity (UID). | TCAS and VTAM® process user requests for logon. A TSO/E address space (process) is created with the user identity (user ID). | Users can log on to TSO/E or log in using one of the login daemons. In all cases, an address space is created with both an MVS identity (user ID) and a UID. |
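
The "Identity change from superuser to regular user" row depends on setuid() actually taking effect, and where the superuser must be permitted to BPX.DAEMON the change can be refused. The C sketch below is an added example, not code from the original page or from IBM; the helper name `drop_to_uid` is hypothetical. It checks the result of setuid() and then confirms the process cannot return to UID 0.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from the page): permanently switch the process
 * to `target` and prove the switch cannot be undone.
 * Returns 0 on success, -1 if the change was refused or is reversible.
 * A real daemon also drops supplementary groups and the GID before this. */
int drop_to_uid(uid_t target)
{
    /* setuid() by a superuser sets the real, effective and saved UIDs.
     * It can be refused (for example with EPERM), so never ignore it. */
    if (setuid(target) != 0) {
        perror("setuid");
        return -1;
    }
    /* Confirm both visible IDs now match the target. */
    if (getuid() != target || geteuid() != target) {
        fprintf(stderr, "UID mismatch after setuid\n");
        return -1;
    }
    /* A regular user must not be able to get UID 0 back. If this call
     * succeeds, a saved UID of 0 survived and the drop is not permanent. */
    if (target != 0 && seteuid(0) == 0) {
        fprintf(stderr, "privilege drop is reversible\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed demo: switch to the caller's own real UID, which any
     * process may do; a login daemon would pass the client's UID. */
    uid_t target = getuid();
    if (drop_to_uid(target) != 0)
        return 1;
    printf("running as uid %ld\n", (long)target);
    return 0;
}
```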