z/OS Network File System Guide and Reference


Setting up the z/OS NFS authorization

SC23-6883-00

The following security measures should be addressed when you install the z/OS NFS server and client:
  • All programs that come with the z/OS NFS server and client must reside in an APF-authorized program library.
  • You need to define the z/OS NFS server and client to the Resource Access Control Facility (RACF) and assign each the necessary level of authority. You do this by defining a RACF user ID with an OMVS segment for the z/OS NFS server and another for the z/OS NFS client. Because the z/OS NFS server and client run as started tasks, you also need to associate each startup procedure name with its user ID, either with a profile in the RACF STARTED class (as shown below; STARTED class profiles are checked before the table) or with an entry in the RACF started procedures table (ICHRIN03). For more information about coding and replacing the RACF started procedures table, see z/OS Security Server RACF Security Administrator's Guide and z/OS Security Server RACF System Programmer's Guide.
    The z/OS NFS server can now be set up with the trusted attribute as follows:
      ADDUSER mvsnfs OMVS(UID(1000))
      SETROPTS GENERIC(STARTED)    (If not already active)
      SETROPTS CLASSACT(STARTED)   (If not already active)
      RDEFINE STARTED mvsnfs.* STDATA(USER(mvsnfs) GROUP(sys1) TRUSTED(YES)) OWNER(mvsnfs)
      SETROPTS RACLIST(STARTED) REFRESH
    Note: The UID of 1000 is chosen for illustrative purposes only and can be specified as any non-0 valid UID value. The profile name mvsnfs.* covers a server started with the procedure name MVSNFS; use your own procedure name if it differs.
    The z/OS NFS client can now be set up with the trusted attribute in the same way. Its STARTED profile must name the client's startup procedure (MVSNFSC here), not the server's, so that the two profiles do not collide:
      ADDUSER mvsnfsc OMVS(UID(0))
      SETROPTS GENERIC(STARTED)   (If not already active)
      SETROPTS CLASSACT(STARTED)  (If not already active)
      RDEFINE STARTED mvsnfsc.* STDATA(USER(mvsnfsc) GROUP(sys1) TRUSTED(YES)) OWNER(mvsnfsc)
      SETROPTS RACLIST(STARTED) REFRESH
    Note: UID 0 is shown for illustration only. The z/OS NFS client does not require UID 0: a trusted started task is treated as a superuser whatever UID its OMVS segment assigns, so a non-0 UID is the better choice here as well.

    With trusted authority, the NFS server can perform the following tasks:

    • Reconstruct the mount points (from the active mount handle data set) upon startup
    • Handle mount requests from clients before the user has logged in
    • Handle ls or nfsdir list commands before the user has logged in
    • Be a trusted user during normal operation

    For more information on using trusted authority, see z/OS MVS Initialization and Tuning Reference. A trusted started procedure or address space is treated as a z/OS UNIX superuser if a z/OS UNIX user identifier (UID) is assigned to it in the OMVS segment, even when the assigned UID is not 0.

    During actual remote client file access, the z/OS NFS server first issues a RACROUTE for the remote client's user ID (the z/OS user ID established at user login) to determine whether that user is authorized to access the file system. Only if that check succeeds does the z/OS NFS server switch to its own user ID, which has trusted authority, to perform the access. The trusted attribute therefore lets the server bypass the file-system permission checks on its own identity; it does not bypass the authorization check on the remote user.

  • You need to define a z/OS UNIX (OMVS) segment for the z/OS NFS client in its RACF user profile. The z/OS NFS client does not require UID 0 authority to operate.
  • You can set up the z/OS NFS client with the trusted attribute in the same way as the z/OS NFS server.
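
The RACF definitions above, applied as one batch job with a verification step at the end. This is an added example and not part of the IBM manual: the JOB card, the step names, the DFLTGRP and NOPASSWORD operands and the client UID 1001 are assumptions for illustration, while the user IDs, group sys1, server UID 1000 and STARTED profile names follow the manual's sequence.

```jcl
//NFSRACF  JOB (ACCT),'NFS RACF SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not from the z/OS NFS manual. JOB card values, step
//* names, DFLTGRP/NOPASSWORD and the client UID 1001 are assumptions;
//* the user IDs, group sys1, UID 1000 and profile names are the manual's.
//* Submit from a user ID with RACF SPECIAL authority.
//*
//* Step 1: server identity. UID 1000 is non-0 on purpose; TRUSTED(YES)
//* on the STARTED profile is what makes the address space a superuser.
//* NOPASSWORD makes the ID protected: it cannot be used to log on and
//* cannot be revoked by password failures. DFLTGRP connects it to the
//* group named in STDATA.
//SERVER   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER  mvsnfs DFLTGRP(sys1) NOPASSWORD OMVS(UID(1000))
  SETROPTS GENERIC(STARTED)
  SETROPTS CLASSACT(STARTED)
  RDEFINE  STARTED mvsnfs.* STDATA(USER(mvsnfs) GROUP(sys1) +
           TRUSTED(YES)) OWNER(mvsnfs)
  SETROPTS RACLIST(STARTED) REFRESH
/*
//* Step 2: client identity. Same pattern. The STARTED profile names the
//* client procedure (mvsnfsc.*), not the server's. A non-0 UID is used
//* because the trusted attribute, not UID 0, gives superuser treatment.
//CLIENT   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER  mvsnfsc DFLTGRP(sys1) NOPASSWORD OMVS(UID(1001))
  RDEFINE  STARTED mvsnfsc.* STDATA(USER(mvsnfsc) GROUP(sys1) +
           TRUSTED(YES)) OWNER(mvsnfsc)
  SETROPTS RACLIST(STARTED) REFRESH
/*
//* Step 3: verify. LISTUSER ... OMVS must show the expected UID;
//* RLIST ... STDATA must show USER, GROUP and TRUSTED= YES;
//* SETROPTS LIST must show STARTED as an active, generic and RACLISTed
//* class. STARTED profiles are only consulted when the class is
//* RACLISTed, so a missing REFRESH leaves the definitions unused.
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTUSER mvsnfs  OMVS
  LISTUSER mvsnfsc OMVS
  RLIST    STARTED mvsnfs.*  STDATA
  RLIST    STARTED mvsnfsc.* STDATA
  SETROPTS LIST
/*
```

The verify step is the part worth keeping around. If SETROPTS LIST does not show STARTED as RACLISTed, the STDATA profiles are not consulted and the started task does not receive the identity you defined; if RLIST shows TRUSTED= NO, the server cannot perform the tasks listed above that depend on trusted authority (mount-point reconstruction at startup and pre-login mount and list requests).
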
For TCP/IP security information, see z/OS Communications Server: IP Configuration Guide.

For z/OS UNIX security information, see z/OS UNIX System Services Planning.

Copyright IBM Corporation 1990, 2014