When to use MAIN or BASIC
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
When considering whether to define a controlled program as a MAIN
program, you should choose one for the following:
Alternatively, if you have a need to use PADS or execute-controlled programs under TSO, but not through TSOEXEC or IKJEFTSR, you can define your trusted initial program as a BASIC program. Using BASIC programs provides less security against malicious users than using MAIN programs, but is required if you decide to use PADS or execute-controlled programs in TSO without using TSOEXEC or IKJEFTSR. For example:
Note: If a user runs an APF-authorized program in TSO, and you have
identified that program to TSO/E (through member IKJTSOxx of your
system parameter library) as one that should run with APF authority,
TSO/E automatically uses the IKJEFTSR service to run the program,
and you can define it as MAIN, rather than BASIC.
Effectively, when defining programs, you can indicate several levels of trust in the way that programs operate, based on the attributes you choose.

You could define a program using the PADCHK operand, indicating that the program must have an entry in a data set's conditional access list before PADS is allowed with that program in storage. The program is still a controlled program but is not as trusted as a program defined with NOPADCHK. NOPADCHK indicates to RACF that you trust the program not to try to access a data set inappropriately when some other concurrently executing program opens a data set using PADS.

Beyond PADCHK and NOPADCHK, you can identify a program as MAIN, BASIC, or neither. You identify most programs as neither MAIN nor BASIC, by specifying PROGRAM *, PROGRAM **, or another PROGRAM profile with a name that ends with an asterisk (*). Again, these programs are controlled, but it is possible that not enough is known about the way they operate to mark them as trusted (which initiates an environment in which PADS or execute-controlled programs are used).

Guidelines:
If you have chosen to enable this stronger security for UNIX servers and daemons by defining FACILITY profile BPX.MAINCHECK (refer to z/OS UNIX System Services Planning for details), you must define some UNIX programs as MAIN, and possibly copy them from the UNIX file system into a standard MVS™ load library.
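The trust levels described above (PADCHK or NOPADCHK, combined with MAIN, BASIC, or neither) can be written as RACF commands. This is an added example, not taken from the IBM guide. The program names, data set names and the PAYCLERK group are hypothetical, and a discrete data set profile for 'PROD.PAY.MASTER' is assumed to exist already.

```tso
/* Constructed example: every program, data set and group name is hypothetical. */

/* Level 1: controlled, neither MAIN nor BASIC.                        */
/* A profile name ending in * covers the whole library. PADCHK means  */
/* each program needs its own conditional access list entry before    */
/* PADS is allowed while it is in storage.                            */
RDEFINE PROGRAM ** ADDMEM('PROD.UTIL.LOADLIB'//PADCHK) UACC(READ)

/* Level 2: a PADCHK program that is allowed to use PADS.             */
/* The conditional access list entry on the data set names it.        */
RDEFINE PROGRAM PAYRPT ADDMEM('PROD.PAY.LOADLIB'//PADCHK) UACC(READ)
PERMIT 'PROD.PAY.MASTER' ID(PAYCLERK) ACCESS(READ) +
       WHEN(PROGRAM(PAYRPT))

/* Level 3: NOPADCHK. You trust PAYSORT not to touch the data set     */
/* inappropriately while PAYRPT has it open through PADS, so it needs */
/* no conditional access list entry of its own.                       */
RDEFINE PROGRAM PAYSORT ADDMEM('PROD.PAY.LOADLIB'//NOPADCHK) UACC(READ)

/* Level 4a: trusted initial program, defined as MAIN.                */
RDEFINE PROGRAM PAYMAIN ADDMEM('PROD.PAY.LOADLIB'//NOPADCHK) +
        UACC(READ) APPLDATA('MAIN')

/* Level 4b: trusted initial program, defined as BASIC.               */
/* Needed when PADS or execute-controlled programs are used in TSO    */
/* without TSOEXEC or IKJEFTSR; it is the weaker of the two choices.  */
RDEFINE PROGRAM PAYMENU ADDMEM('PROD.PAY.LOADLIB'//NOPADCHK) +
        UACC(READ) APPLDATA('BASIC')

/* Activate the changed PROGRAM profiles, then review the result.     */
SETROPTS WHEN(PROGRAM) REFRESH
RLIST PROGRAM PAYMAIN ALL
RLIST PROGRAM PAYMENU ALL
```

When reviewing an existing configuration, the RLIST output shows the APPLDATA value and the PADCHK or NOPADCHK setting per library, which is enough to place each profile in one of the levels above.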
Copyright IBM Corporation 1990, 2014