- BPX.CF
Controls access to the _cpl service.
- BPX.CONSOLE
Allows a permitted user the ability to use the _console() or _console2() services.
- BPX.DAEMON
BPX.DAEMON serves two functions in the z/OS UNIX environment:
  - Any superuser permitted to this profile has the daemon authority to change MVS™ identities via z/OS UNIX services without knowing the target user ID's password or password phrase. This identity change can only occur if the target user ID has an OMVS segment defined.
    If BPX.DAEMON is not defined, then all superusers (UID=0) have daemon authority. If you want to limit which superusers have daemon authority, define this profile and permit only selected superusers to it.
  - Any program loaded into an address space that requires daemon level authority must be defined to program control. If the BPX.DAEMON FACILITY class profile is defined, then z/OS UNIX will verify that the address space has not loaded any executables that are uncontrolled before it allows any of the following services that are controlled by z/OS UNIX to succeed:
    - seteuid
    - setuid
    - setreuid
    - pthread_security_np()
    - auth_check_resource_np()
    - _login()
    - _spawn() with user ID change
    - _passwd()
Daemon authority is required only when a program issues a setuid(), seteuid(), setreuid(), or spawn() with user ID change to change the current UID without first having issued a _passwd() call to the target user ID. In order to change the MVS identity without knowing the target user ID's password or password phrase, the caller of these services must be a superuser. Additionally, if a BPX.DAEMON FACILITY class profile is defined and the FACILITY class is active, the caller must be permitted to use this profile. If a program comes from a controlled library and knows the target UID's password or password phrase, it can change the UID without having daemon authority.
The RACF WARNING mode is not supported for BPX.DAEMON.
For more information about BPX.DAEMON, see Establishing the correct level of security for daemons.
- BPX.DAEMON.HFSCTL
Controls which users with daemon authority are allowed to load uncontrolled programs from MVS libraries into their address space.
Restriction: BPX.DAEMON.HFSCTL does not allow generic profiles.
- BPX.DEBUG
Users with READ access to BPX.DEBUG can debug certain types of restricted processes. These do not include processes that have a PID of 1. To debug programs that run with APF authority or with BPX.SERVER authority, they can use dbx to call the ptrace callable service.
- BPX.EXECMVSAPF.program_name
Allows unauthorized callers of the execmvs callable service to pass an argument that is greater than 100 characters to an authorized program.
If the FACILITY class resource exists, then unauthorized callers can pass arguments greater than 100 characters to the program name that is specified in the FACILITY class profile. Individual users do not need to be given access to the profile. If you do not want unauthorized callers to pass an argument greater than 100 characters to any authorized programs, do not define any BPX.EXECMVSAPF.program_name profiles.
To allow certain authorized programs to be called with an argument greater than 100 characters, define a profile for each program:
    BPX.EXECMVSAPF.YOURPGM
    BPX.EXECMVSAPF.MYPGM
To allow a group of commonly named authorized programs to be called with an argument greater than 100 characters, define a profile that allows for pattern matching. For example, if you have a set of related programs that all begin with the same three characters, MYP, define:
    BPX.EXECMVSAPF.MYP*
As a result, all unauthorized callers can pass an argument greater than 100 characters to any authorized program that begins with the characters MYP.
To allow all unauthorized users to pass any argument up to 4096 characters long to any authorized program, define one profile:
    BPX.EXECMVSAPF.*
However, IBM® does not recommend defining this type of profile.
- BPX.FILEATTR.APF
Controls which users are allowed to set the APF-authorized attribute in a z/OS® UNIX file. This authority allows the user to create a program that will run APF-authorized. This is similar to the authority of allowing a programmer to update SYS1.LINKLIB or SYS1.LPALIB.
- BPX.FILEATTR.PROGCTL
Controls which users are allowed to set the program control attribute. Programs marked with this attribute can execute in server address spaces that run with a high level of authority. See Defining programs in UNIX files to program control for more information.
- BPX.FILEATTR.SHARELIB
Indicates that extra privilege is required when setting the shared library extended attribute via the chattr() callable service. This prevents the shared library region from being misused. See Defining UNIX files as shared library programs for more information.
- BPX.JOBNAME
Controls which users are allowed to set their own job names by using the _BPX_JOBNAME environment variable or the inheritance structure on spawn. Users with READ or higher permissions to this profile can define their own job names.
- BPX.MAINCHECK
Extends the enhanced program security protection to your UNIX daemons and servers that do not make use of RACF execute-controlled programs. For more information, see "RACF with enhanced program security, BPX.DAEMON, and BPX.MAINCHECK" and "RACF with enhanced program security, BPX.SERVER, and BPX.MAINCHECK".
Restriction: BPX.MAINCHECK does not allow generic profiles.
- BPX.MAP
Controls access to the _map and _map_init services.
- BPX.NEXT.USER
Enables automatic assignment of UIDs and GIDs. The APPLDATA field of this profile specifies a starting value, or range of values, from which RACF will derive unused UID and GID values. z/OS Security Server RACF Security Administrator's Guide has more information about BPX.NEXT.USER.
- BPX.POE
Controls access to the _poe service.
- BPX.SAFFASTPATH
Enables faster security checks for file system and IPC constructs. For more information, see Fastpath support for System Authorization Facility (SAF).
Restriction: BPX.SAFFASTPATH does not allow generic profiles.
- BPX.SERVER
Restricts the use of the pthread_security_np() service. A user with at least READ or WRITE access to the BPX.SERVER FACILITY class profile can use this service. It creates or deletes the security environment for the caller's thread.
This profile is also used to restrict the use of the BPX1ACK service, which determines access authority to z/OS resources.
Servers with authority to BPX.SERVER must run in a clean program-controlled environment. z/OS UNIX will verify that the address space has not loaded any executables that are uncontrolled before it allows any of the following services that are controlled by z/OS UNIX to succeed:
  - seteuid
  - setuid
  - setreuid
  - pthread_security_np()
  - auth_check_resource_np()
  - _login()
  - _spawn() with user ID change
  - _passwd()
For more information about BPX.SERVER, see Preparing security for servers and Establishing the correct level of security for daemons.
- BPX.SMF
Checks if the caller attempting to cut an SMF record is allowed to write an SMF record. It also tests if an SMF type or subtype is being recorded.
- BPX.SHUTDOWN
Controls access to the oe_env_np service to register and block for OMVS shutdown.
- BPX.SRV.userid
Allows users to change their UID if they have access to BPX.SRV.userid, where userid is the MVS user ID associated with the target UID. BPX.SRV.userid is a RACF SURROGAT class profile.
- BPX.STOR.SWAP
Controls which users can make address spaces nonswappable. Users permitted with at least READ access to BPX.STOR.SWAP can invoke the __mlockall() callable service to make their address space either nonswappable or swappable.
When an application makes an address space nonswappable, it might cause additional real storage in the system to be converted to preferred storage. Because preferred storage cannot be configured offline, using this service can reduce the installation's ability to reconfigure storage in the future. Any application using this service should warn the customer about this side effect in their installation documentation.
- BPX.SUPERUSER
Allows users to switch to superuser authority. For more information about BPX.SUPERUSER, see Superusers in z/OS UNIX.
- BPX.UNLIMITED.OUTPUT
Allows users to use the _BPX_UNLIMITED_OUTPUT environment variable to override the default spooled output limits for processes.
- BPX.WLMSERVER
Controls access to the WLM server functions _server_init() and _server_pwu(). It also controls access to these C language WLM interfaces:
  - QuerySchEnv()
  - CheckSchEnv()
  - DisconnectServer()
  - DeleteWorkUnit()
  - JoinWorkUnit()
  - LeaveWorkUnit()
  - ConnectWorkMgr()
  - CreateWorkUnit()
  - ContinueWorkUnit()
A server application with read permission to this FACILITY class profile can use both the server functions and the WLM C language functions to create and manage work requests.
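
Several rules in the list above (an undefined BPX.DAEMON, the BPX.EXECMVSAPF.program_name patterns, and the profiles that do not allow generic profiles) can be checked mechanically against a list of defined FACILITY class profile names. The following Python audit is an added example, not IBM code; the profile list is constructed, the finding codes are hypothetical names, and the wildcard matching is a simplifying assumption (a trailing * is treated as a prefix match only).

```python
EXECMVSAPF = "BPX.EXECMVSAPF."
# Profiles the list above says do not allow generic profiles.
NO_GENERICS = ("BPX.DAEMON.HFSCTL", "BPX.MAINCHECK", "BPX.SAFFASTPATH")

def covers(profile, resource):
    """Assumed, simplified matching: a trailing '*' is a prefix wildcard;
    any other profile must equal the resource name exactly."""
    if profile.endswith("*"):
        return resource.startswith(profile.rstrip("*"))
    return profile == resource

def long_args_allowed(program, profiles):
    """True if some BPX.EXECMVSAPF profile lets unauthorized execmvs callers
    pass an argument longer than 100 characters to `program`."""
    return any(p.startswith(EXECMVSAPF) and covers(p, EXECMVSAPF + program)
               for p in profiles)

def audit(profiles):
    """Return (finding_code, detail) tuples for a list of profile names."""
    findings = []
    # Undefined BPX.DAEMON: all superusers (UID=0) have daemon authority.
    if not any(covers(p, "BPX.DAEMON") for p in profiles):
        findings.append(("DAEMON_UNDEFINED", "BPX.DAEMON"))
    # Catch-all profile that IBM does not recommend defining.
    if EXECMVSAPF + "*" in profiles:
        findings.append(("EXECMVSAPF_CATCH_ALL", EXECMVSAPF + "*"))
    # Generic patterns aimed at profiles that do not allow generics.
    for p in profiles:
        if p.endswith("*"):
            for name in NO_GENERICS:
                if covers(p, name):
                    findings.append(("GENERIC_NOT_ALLOWED", p + " -> " + name))
    return findings

# Constructed sample of defined FACILITY class profile names.
SAMPLE = ["BPX.SUPERUSER", "BPX.EXECMVSAPF.MYP*",
          "BPX.EXECMVSAPF.YOURPGM", "BPX.MAIN*"]

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
    print("MYPGM long args:", long_args_allowed("MYPGM", SAMPLE))
```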