If the BPX.DAEMON resource in the FACILITY class is defined, your system has z/OS® UNIX security. Your system can exercise more control over your superusers.

This level of security is for customers with stricter security requirements who need to have some superusers maintaining the file system but want to have greater control over the z/OS resources that these users can access. Although BPX.DAEMON provides some additional control over the capabilities of a superuser, a superuser should still be regarded as a privileged user because of the full range of privileges the superuser is granted.

The additional control that BPX.DAEMON provides involves the use of kernel services such as setuid() that change a caller's z/OS user identity. Any user can issue a setuid() which follows a successful __passwd() call to the same target user ID. However, a user with daemon authority can issue setuid() without knowing the target user's password or password phrase. With BPX.DAEMON defined, a superuser process can run these types of change services and identity if the following statements are true:
  • The caller's user identity was permitted to BPX.DAEMON.
  • All programs running in the address space have been loaded from a library that is controlled by a security product. A library that is identified to RACF® program control is an example. You can identify individual files as controlled programs. For more information, Customizing the system for IBM-supplied daemons.

    Programs that were loaded from MVS™ libraries do not need to be controlled programs if BPX.DAEMON.HFSCTL has been set up. Only UNIX files are checked for program control. For information about setting up BPX.DAEMON.HFSCTL, see Checking UNIX files for program control.

Kernel services that change a caller's z/OS user identity require the target z/OS user identity to have an OMVS segment defined. If you want to maintain this extra level of control at your installation, you must choose which daemons to permit to BPX.DAEMON. You will also have to choose the users to whom you give the OMVS security profile segments. To accomplish this, see Steps for preparing the security program for daemons.

The RACF WARN mode is not supported for BPX.DAEMON.