Program control

Loading programs that are to be treated as trusted into the z/OS® UNIX file system raises additional security concerns. The program control facilities in RACF® and z/OS UNIX provide a mechanism for ensuring that the z/OS UNIX program loading process has the same security properties that APF authorization provides in the native MVS™ environment: a program is trusted only if every module loaded into its address space comes from a library that has been defined as controlled.

It is recommended that you enable program control in your installation. If you define the BPX.DAEMON FACILITY class profile, you must enable program control for certain z/OS Communications Server load libraries. Review the information on program control in z/OS UNIX System Services Planning to decide whether program control is appropriate for your installation.

To enable program control, follow the tasks in Table 1.

Table 1. Program control

Task 1: Activate program control.
Details: Use the following command:

SETROPTS WHEN(PROGRAM)

Task 2: Set the universal access for public library data sets (those in LNKLSTxx) to READ.
Details: This allows access to the controlled programs and any other program in those libraries. (MVS opens the LNKLSTxx libraries during IPL and makes these programs public. However, users cannot make changes.) Use the following commands to create RACF data set profiles:

ADDSD 'cee.version.SCEERUN' UACC(READ)
ADDSD 'SYS1.LINKLIB' UACC(READ)
ADDSD 'TCPIP.SEZALOAD' UACC(READ)
ADDSD 'TCPIP.SEZATCP' UACC(READ)

Task 3: Ensure that all load modules that the BPX.DAEMON servers load into an address space come from controlled libraries.
Details: If the MVS contents supervisor loads a module from a noncontrolled library, the address space becomes dirty and loses its authorization. To prevent this, define every library from which load modules can be loaded as program controlled. At a minimum, this should include the C run-time library, the TCP/IP Services SEZALOAD and SEZATCP libraries, SYS1.LINKLIB, and any load libraries that contain FTP security exits. Use the following commands:

RDEFINE PROGRAM * ADDMEM('SYS1.LINKLIB'/volser/NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('SYS1.SIEALNKE'/volser/NOPADCHK)
RALTER PROGRAM * ADDMEM('cee.version.SCEERUN'/volser/NOPADCHK)
RALTER PROGRAM * ADDMEM('TCPIP.SEZALOAD'/volser/NOPADCHK)
RALTER PROGRAM * ADDMEM('TCPIP.SEZATCP'/volser/NOPADCHK)
RALTER PROGRAM * ADDMEM('db2.DSNLOAD'/volser/NOPADCHK)
RALTER PROGRAM * ADDMEM('db2.DSNEXIT'/volser/NOPADCHK)
RALTER PROGRAM * ADDMEM('ftp.userexits'/volser/NOPADCHK)

Note: If you define the load libraries as controlled, do not specify a universal access of NONE for the PROGRAM resources. If you do so for your SYS1.LINKLIB programs, you cannot IPL your z/OS system. Be aware also that in z/OS, the volser specification is optional.

Task 4: Activate the RACF changes.
Details: Use the following command:

SETROPTS WHEN(PROGRAM) REFRESH
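The four tasks in Table 1 can be run as a single batch TSO job and then checked in the same job. The following JCL is an added example and is not part of the z/OS Communications Server documentation or product: it issues the Table 1 commands in order through IKJEFT01 and then lists the program-control state, the PROGRAM * profile and one of the data set profiles so that the result can be reviewed in SYSTSPRT. The job card, the qualified library names CEE.V2R4M0.SCEERUN, DB2.V12.DSNLOAD, DB2.V12.DSNEXIT and FTP.USEREXITS, and the omitted volser (allowed because the note above states that volser is optional in z/OS) are assumptions to be replaced with your installation's values.

```jcl
//PGMCTL   JOB (ACCT),'PROGRAM CONTROL',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*--------------------------------------------------------------------
//* Added example (not product code). Runs the Table 1 RACF commands
//* as a batch TSO job, then lists the results for verification.
//* Placeholders: the JOB card, CEE.V2R4M0.SCEERUN, DB2.V12.DSNLOAD,
//* DB2.V12.DSNEXIT and FTP.USEREXITS. The volser field is left empty
//* ('dsn'//NOPADCHK), which the text above says is permitted on z/OS.
//* Run it from a user ID with the RACF authority for SETROPTS,
//* ADDSD and RDEFINE/RALTER on the PROGRAM class.
//*--------------------------------------------------------------------
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS WHEN(PROGRAM)
 ADDSD 'CEE.V2R4M0.SCEERUN' UACC(READ)
 ADDSD 'SYS1.LINKLIB' UACC(READ)
 ADDSD 'TCPIP.SEZALOAD' UACC(READ)
 ADDSD 'TCPIP.SEZATCP' UACC(READ)
 RDEFINE PROGRAM * ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ)
 RALTER PROGRAM * ADDMEM('SYS1.SIEALNKE'//NOPADCHK)
 RALTER PROGRAM * ADDMEM('CEE.V2R4M0.SCEERUN'//NOPADCHK)
 RALTER PROGRAM * ADDMEM('TCPIP.SEZALOAD'//NOPADCHK)
 RALTER PROGRAM * ADDMEM('TCPIP.SEZATCP'//NOPADCHK)
 RALTER PROGRAM * ADDMEM('DB2.V12.DSNLOAD'//NOPADCHK)
 RALTER PROGRAM * ADDMEM('DB2.V12.DSNEXIT'//NOPADCHK)
 RALTER PROGRAM * ADDMEM('FTP.USEREXITS'//NOPADCHK)
 SETROPTS WHEN(PROGRAM) REFRESH
 SETROPTS LIST
 RLIST PROGRAM * ALL
 LISTDSD DATASET('SYS1.LINKLIB') ALL
/*
```

In the SYSTSPRT output, the SETROPTS LIST section shows whether WHEN(PROGRAM) is active, the RLIST PROGRAM * ALL output lists every member library with its PADCHK setting so that any library that the daemon loads from but that is missing here can be spotted, and LISTDSD confirms the data set profile has UACC(READ) rather than NONE, which the note above warns would prevent an IPL if applied to SYS1.LINKLIB programs. If a profile already exists, the corresponding ADDSD or RDEFINE ends with a nonzero return code but the remaining commands still run; rerun with RALTER or ALTDSD to change an existing profile instead.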