Program control
There are additional security concerns when you load programs that are considered trusted into the z/OS® UNIX file system. The program control facilities in RACF® and z/OS UNIX provide a mechanism for ensuring that the z/OS UNIX program loading process has the same security properties that APF authorization provides in the native MVS™ environment.
It is recommended that you enable program control in your installation. If you define the BPX.DAEMON FACILITY class profile, you must enable program control for certain z/OS Communications Server load libraries. Review the information on program control in z/OS UNIX System Services Planning to decide whether program control is appropriate for your installation.
To enable program control, follow the tasks in Table 1.
Task | Details |
---|---|
Activate program control. | Use the following command: |
Set the universal access for public library data sets (those in LNKLSTxx) to READ. This allows access to the controlled programs and any other program in those libraries. (MVS opens the LNKLSTxx libraries during IPL and makes these programs public. However, users cannot make changes.) | Use the following commands to create RACF data set profiles: |
Ensure that all load modules that the BPX.DAEMON servers load into an address space come from controlled libraries. | If the MVS contents supervisor loads a module from a noncontrolled library, the address space becomes dirty and loses its authorization. To prevent this from happening, define all the libraries from which load modules can be loaded as program controlled. At a minimum, this should include the C run-time library, the TCP/IP Services SEZALOAD and SEZATCP libraries, SYS1.LINKLIB, and any load libraries containing FTP security exits. Use the following commands: Note: If you define the load libraries as controlled, do not specify a universal access of NONE for the PROGRAM resources. If you do so for your SYS1.LINKLIB programs, you cannot IPL your z/OS system. Be aware also that in z/OS, the volser specification is optional. |
Activate RACF changes. | Use the following command: |
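The four tasks above carried through as one sequence of RACF commands, added here as an example rather than taken from this page. The PROGRAM class profile name `*`, the C run-time library name CEE.SCEERUN, and the TCPIP high-level qualifier on SEZALOAD and SEZATCP are assumptions that vary by installation; the empty `//` in ADDMEM is the optional volser, and NOPADCHK is the keyword IBM's examples use to bypass the program-accessed data set check for these members.

```tso
SETROPTS WHEN(PROGRAM)

ADDSD 'SYS1.LINKLIB' UACC(READ)

RDEFINE PROGRAM * ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ)
RALTER  PROGRAM * ADDMEM('CEE.SCEERUN'//NOPADCHK)
RALTER  PROGRAM * ADDMEM('TCPIP.SEZALOAD'//NOPADCHK)
RALTER  PROGRAM * ADDMEM('TCPIP.SEZATCP'//NOPADCHK)

SETROPTS WHEN(PROGRAM) REFRESH

RLIST PROGRAM * ALL
```

The closing RLIST is a check, not part of the enabling steps: it shows the member list and UACC of the PROGRAM profile so you can confirm every library the BPX.DAEMON servers load from is present and that UACC is READ rather than NONE.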