z/OS Security Server RACF Security Administrator's Guide


Overview of protecting programs

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

Program control provides the following functions:
  1. Simple controls to restrict the ability to execute specified programs by granting users either READ or NONE access through the PROGRAM class, and (when necessary) READ access to the DATASET profile that protects the load library that contains the program.
  2. More complex controls that can prevent users from copying sensitive programs or viewing the contents of such programs by granting the users either EXECUTE or NONE access through the PROGRAM class, or (in some cases) EXECUTE to the DATASET profile that protects the library that contains the program. Programs controlled in this way are referred to as execute-controlled programs.
  3. Improved resistance to attacks by malicious users or programs implementing malicious functions (such as Trojan horses) in a z/OS UNIX environment when you define the BPX.DAEMON profile in the FACILITY class and require that the program execution environments for UNIX daemons and servers remain clean.
  4. Program access to data sets (PADS) to allow users to have more access to data sets than they would otherwise have while running specified programs that provide restricted access to the data.
  5. Program access to SERVAUTH resources to allow access to IP addresses only when executing certain programs.

By defining programs in the PROGRAM class you indicate that you place some amount of trust in their behavior. Although the level of trust can vary, these programs are trusted more than programs created by general users of the system. An environment in which someone has run a program not defined in the PROGRAM class is considered a dirty, unsafe, or uncontrolled environment.

RACF® requires a clean environment in functions 2 through 5 above because allowing use of those functions in an uncontrolled environment would make it relatively simple for malicious users with some specific knowledge to bypass the program-related security controls and gain inappropriate access to the data.
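The five functions above, expressed as the RACF commands an administrator would submit in a batch TSO job (IKJEFT01). This is an added example, not text or code from the IBM manual. It assumes BASIC program security mode, and every name in it is a hypothetical placeholder: the load library PAY.LOADLIB, the programs PAYROLL and PAYCALC, the data set PAY.MASTER, the user IDs PAYUSER, PAYCLERK and PAYSRV, and the SERVAUTH zone profile. It also assumes the data sets are cataloged (the empty volser between the slashes in ADDMEM) and that the FACILITY and SERVAUTH classes are active and RACLISTed.

```jcl
//RACFPGM  JOB (ACCT),'PROGRAM CONTROL',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example: RACF program control in BASIC mode. All data set,
//* program and user names below are hypothetical placeholders.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* The SYSTSIN lines are indented so that these TSO comments are  */
  /* never read by JES as the /* in-stream data delimiter.           */
  /* 1. Simple control: PAYUSER may run PAYROLL (READ in PROGRAM)    */
  /*    and needs READ to the library that holds it (see below).     */
  RDEFINE PROGRAM PAYROLL ADDMEM('PAY.LOADLIB'//NOPADCHK) UACC(NONE)
  PERMIT PAYROLL CLASS(PROGRAM) ID(PAYUSER) ACCESS(READ)
  /* 2. Execute-controlled program: EXECUTE lets PAYCLERK run        */
  /*    PAYCALC but not copy or browse it. PADCHK (the default) is   */
  /*    kept because PAYCALC is the PADS program used in step 4.     */
  RDEFINE PROGRAM PAYCALC ADDMEM('PAY.LOADLIB'//PADCHK) UACC(NONE)
  PERMIT PAYCALC CLASS(PROGRAM) ID(PAYCLERK) ACCESS(EXECUTE)
  /* 3. Clean environment for UNIX daemons and servers: only the     */
  /*    server identity PAYSRV may use daemon authority.             */
  RDEFINE FACILITY BPX.DAEMON UACC(NONE)
  PERMIT BPX.DAEMON CLASS(FACILITY) ID(PAYSRV) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  /* 4. PADS: PAYCLERK has no access to PAY.MASTER except READ while */
  /*    running PAYCALC from a clean environment.                    */
  ADDSD 'PAY.MASTER' UACC(NONE)
  PERMIT 'PAY.MASTER' CLASS(DATASET) ID(PAYCLERK) ACCESS(READ) -
         WHEN(PROGRAM(PAYCALC))
  /* 5. Program access to SERVAUTH: the network access zone is       */
  /*    reachable by PAYCLERK only while running PAYCALC.            */
  RDEFINE SERVAUTH EZB.NETACCESS.SYSA.TCPIP.PAYZONE UACC(NONE)
  PERMIT EZB.NETACCESS.SYSA.TCPIP.PAYZONE CLASS(SERVAUTH) -
         ID(PAYCLERK) ACCESS(READ) WHEN(PROGRAM(PAYCALC))
  SETROPTS RACLIST(SERVAUTH) REFRESH
  /* Library protection: READ for the simple control (function 1),  */
  /* EXECUTE is enough for the execute-controlled case (function 2). */
  ADDSD 'PAY.LOADLIB' UACC(NONE)
  PERMIT 'PAY.LOADLIB' CLASS(DATASET) ID(PAYUSER)  ACCESS(READ)
  PERMIT 'PAY.LOADLIB' CLASS(DATASET) ID(PAYCLERK) ACCESS(EXECUTE)
  /* Activate program control (first time only) and refresh the     */
  /* in-storage PROGRAM profiles after every change.                 */
  SETROPTS WHEN(PROGRAM)
  SETROPTS WHEN(PROGRAM) REFRESH
/*
```

Functions 2 through 5 only hold in a clean environment: if PAYCLERK runs any program not defined in the PROGRAM class before PAYCALC, the PADS and SERVAUTH conditional permits above are not honored and the access fails. The SETROPTS WHEN(PROGRAM) REFRESH at the end is not optional; PROGRAM profiles are kept in storage and changes are invisible until refreshed.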

Terms to know:
  1. When used in this discussion, an environment is one of the following:
    • TSO session
    • TSO command invoked by TSOEXEC or the IKJEFTSR service
    • Job step in a batch job, started procedure, or started job
    • UNIX address space
  2. A clean environment is one in which only programs defined in the PROGRAM class have run.
  3. A program refers to a load module residing in a partitioned data set (PDS) or a program object residing in a program library (PDS/E).
Restrictions:
  1. Programs that reside in the UNIX file system are excluded from this discussion. Execution of programs in the UNIX file system is controlled using UNIX security controls (as opposed to RACF PROGRAM profiles), and programs resident in the UNIX file system cannot be used for PADS or program access to SERVAUTH resources.
  2. RACF and z/OS® cannot protect programs written in the TSO/E CLIST language, PERL, Java™, or other interpreted languages.
  3. RACF and z/OS can protect programs written in REXX only if they are compiled and link-edited as load modules or program objects.
In making use of program control, you must decide:
  • Whether to operate in BASIC (default) or ENHANCED (more secure) program security mode.
  • Which programs to define in the PROGRAM class and how to define them (which to some extent depends on the program security mode chosen).
  • How to protect the libraries that contain the programs.
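The three decisions above as commands, assuming ENHANCED mode is chosen. This is an added example, not code from the IBM manual; the program names PAYCALC and PAYUTIL, the library PAY.LOADLIB and the user IDs PAYADM and PAYCLERK are hypothetical placeholders, and the exact rules for which programs need APPLDATA('MAIN') or APPLDATA('BASIC') in ENHANCED mode are in the migration topic referenced below.

```jcl
//RACFMODE JOB (ACCT),'PGM SECURITY MODE',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example: choosing ENHANCED mode, defining programs for it and
//* protecting their library. All names are hypothetical placeholders.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Indented so the TSO comments are not taken as the JES delimiter. */
  /* Decision 1: the mode. APPLDATA is BASIC, ENHANCED or ENHWARN;    */
  /* ENHWARN applies the ENHANCED checks but only warns where they    */
  /* would fail, which is the usual intermediate step before ENHANCED.*/
  RDEFINE FACILITY IRR.PGMSECURITY APPLDATA('ENHANCED')
  /* Decision 2: which programs, and how. In ENHANCED mode a program  */
  /* that uses PADS or is execute-controlled must carry a trust mark: */
  /* MAIN for the program that is first in the job step or TSO        */
  /* command, BASIC for a trusted program that may run alongside it.  */
  RDEFINE PROGRAM PAYCALC ADDMEM('PAY.LOADLIB'//PADCHK) -
          UACC(NONE) APPLDATA('MAIN')
  RDEFINE PROGRAM PAYUTIL ADDMEM('PAY.LOADLIB'//NOPADCHK) -
          UACC(READ) APPLDATA('BASIC')
  PERMIT PAYCALC CLASS(PROGRAM) ID(PAYCLERK) ACCESS(EXECUTE)
  /* Decision 3: the library. Only the administrator who link-edits   */
  /* into it gets UPDATE; users of execute-controlled programs get    */
  /* EXECUTE, never READ, so they cannot copy members out of it.      */
  ADDSD 'PAY.LOADLIB' UACC(NONE)
  PERMIT 'PAY.LOADLIB' CLASS(DATASET) ID(PAYADM)   ACCESS(UPDATE)
  PERMIT 'PAY.LOADLIB' CLASS(DATASET) ID(PAYCLERK) ACCESS(EXECUTE)
  /* Make the mode and the profiles take effect.                       */
  SETROPTS WHEN(PROGRAM) REFRESH
  /* Verify: SETROPTS LIST shows whether WHEN(PROGRAM) is active, the */
  /* RLIST output shows the mode and the APPLDATA trust marks, and    */
  /* LISTDSD shows the library access list.                            */
  SETROPTS LIST
  RLIST FACILITY IRR.PGMSECURITY
  RLIST PROGRAM PAYCALC ALL
  LISTDSD DATASET('PAY.LOADLIB') ALL
/*
```

Run the job with APPLDATA('ENHWARN') first and watch for the warning messages it produces; switching straight to ENHANCED on a system with undefined programs in the execution path turns every missing MAIN or BASIC mark into a failed PADS or execute-controlled access.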

See Migrating from BASIC to ENHANCED program security mode for migration and other planning considerations.

Copyright IBM Corporation 1990, 2014