© 2006 IBM Corporation Introduction to z/OS Security Lesson 6: z/OS UNIX Security
It's NOT USS
USS is a service mark of
–Ultrastrip Systems, Inc. CORPORATION
USS is a trademark of
–LA VISION GMBH CORPORATION
USS is a trademark of
–United States Steel Corporation
Objectives
At the completion of this topic the student should understand:
–The interaction between the USS Kernel and RACF
–How RACF provides security services for USS
–Different types of Security Packets
  File Security Packet
  User Security Packet
–Security related services used by the operating system
Key terms
–InitACEE
–File Security Packet
–User Security Packet
–OMVS Segment
–UID
–GID
–pthread_security_np()
Introduction
All access control decisions for z/OS UNIX are made by RACF, unlike other UNIX systems. In z/OS UNIX, RACF knows users by a numeric ID, called a UID. Additionally, the groups that users belong to are known by group IDs (GIDs).
–For example, if everyone within a department needs to use a certain set of common files, directories, or devices, that department would be a group and have a GID.
A user's UID and GID are stored in RACF's security database.
What is z/OS Unix?
The z/OS operating system contains a UNIX-like component named z/OS UNIX. The addition of z/OS UNIX has allowed the z/OS operating system to add open standard technologies to its already impressive online and batch processing capabilities. z/OS UNIX workload may execute as either online or batch, depending on the nature of the workload. The z/OS web server, for example, runs under z/OS UNIX and is an online workload, since the HTTP requests are interactive in nature and the user is waiting for the results to be displayed within their browser.
What is z/OS Unix?
A partial list of technologies that have been implemented on z/OS using z/OS UNIX system services includes:
–TCP/IP and related services (telnet, ftp, smtp, etc.)
–z/OS web server
–z/OS LDAP server
–z/OS Java Development Kit (JDK)
–z/OS Java Run-time Environment (JRE)
This list of services is growing with each z/OS release.
Interaction between z/OS Unix and RACF
[Diagram: user commands drive back-end processes in the kernel, which invoke the security callable services; the calls go to SAF, which passes them to RACF, where privileges are checked.]
User commands: chown, login, mkdir, chmod, logout, cd
Callable services: ck_access, ck_file_owner, makeFSP, initACEE, initUSP, R_chaudit, R_chmod, R_chown, R_fork, R_exec, R_setegid, R_seteuid
Back-end processes call SAF, and SAF calls RACF.
Check privileges:
–FACILITY class: BPX.SERVER, BPX.DAEMON, BPX.SUPERUSER, BPX.SMF
–UNIXPRIV class: CHOWN.UNRESTRICTED, SHARED.IDS, SUPERUSER.FILESYS.MOUNT
InitACEE
The initACEE service provides an interface for creating and managing RACF security contexts through the z/OS UNIX System Services pthread_security_np service, the __login service, or by other MVS server address spaces that do not use z/OS UNIX services. This service also provides an interface for registering and deregistering certificates through the z/OS UNIX System Services __security service. It also provides an interface for querying a certificate to determine if it is associated with a user ID.
initACEE Call

Call IRRSIA00(SAF_WORK_AREA,
              ZERO_ALET, L_SAF_RETURN_CODE,
              ZERO_ALET, L_RACF_RETURN_CODE,
              ZERO_ALET, L_REASON_CODE,
              INTA_CREATE,
              acee_attributes,
              initacee_racfuserid,
              acee_ptr,
              null_char9,
              initacee_password,
              null_char_splat,
              null_char14,
              null_ptr,
              null_char_splat,
              acee_seclabel,
              acee_servauth);
SAF_RETURN_CODE = L_SAF_RETURN_CODE;
RACF_RETURN_CODE = L_RACF_RETURN_CODE;
RACF_REASON_CODE = L_REASON_CODE;
z/OS Unix Filesystems
z/OS UNIX provides several different types of filesystems for use on a z/OS system. Each filesystem serves a different purpose, and a particular z/OS UNIX system may use any or all of the supported filesystem types at a given time. Here is a brief overview of the UNIX filesystem types supported on z/OS UNIX:
–HFS: The Hierarchical File System (HFS) is a file system that is created within a z/OS dataset residing on a direct access storage device (DASD). The HFS is mounted at a given location within the z/OS UNIX directory hierarchy.
–zFS: The z/OS File System (zFS) is similar to an HFS, with a couple of notable exceptions. First, zFS must be used if you want to implement multilevel security (MLS): the security label (SECLABEL) used to establish security levels is only supported on zFS filesystems. Second, a zFS may optionally contain more than one logical filesystem, where an HFS is limited to a single filesystem.
–TFS: The Temporary File System (TFS) is an in-memory-only filesystem that looks and acts like an HFS filesystem. The major advantage of a TFS is that it is a very high-performance filesystem, since data does not have to be read from and written to disk devices. TFS filesystems are typically used for temporary files, normally contained within the /tmp directory.
–NFS: The Network File System (NFS) is a filesystem that allows a local system to access a remote filesystem via the network. The remote system may be another z/OS UNIX system or it may be a UNIX operating system available from any number of vendors.
Regardless of the filesystem type, all filesystems provide essentially two main features:
–A method of accessing, organizing, and storing files and directories
–Maintenance of UNIX file and directory permissions for each file and directory in the filesystem
File Security Packet
Security-relevant data for files in the z/OS UNIX file system is kept in a file security packet (IFSP) structure owned by RACF. The IFSP is stored in the file system as part of the attributes associated with a file. When a file is created, the IFSP is created by the makeFSP or the make_root_FSP callable service. The makeFSP service returns an IFSP to the file system, which writes it with the other attributes of the file. On subsequent accesses to the file, the file system reads the IFSP and passes it to other callable services. The file system deletes the IFSP when the file is deleted.
File Security Packet
The IFSP contains the following data:
–Control block ID
–Version number
–z/OS UNIX user identifier (UID) of the owner of the file
–z/OS UNIX group identifier (GID) of the group owner of the file
–Mode bits:
  –Owner permission bits
  –Group permission bits
  –Other permission bits
  –S_ISUID, S_ISGID, and S_ISVTX bits
–User audit options for the file
–Auditor audit options for the file
–Security label (SECLABEL) of the file
Authorization Checks
When a user wants to access a file, RACF matches the requester's UID and GID against the security information associated with each file:
–The file's owner, represented by the owner's UID. A UID may be any numerical value between 0 and 2,147,483,647 (roughly 2^31).
–The group owner, represented by the owning group's GID. A GID may be any numerical value between 0 and 2,147,483,647.
Authorization Checks
–Permission bits, which describe the read, write, and execute ability for the owner, the group, and "others" (all users).
–The permission bits are written as a three-digit octal number. For example, 755 is a common one. Expanded bit by bit it looks like this, where r stands for read, w stands for write, and x stands for execute:
  1 1 1   1 0 1   1 0 1
  r w x   r w x   r w x
To see this in UNIX, issue the ls -l command:
  NP3:/ssat/home/craigj/remsvc/> ls -l
  total 1360
  -rwxr-xr-x   1 PDS      SYS1         276 May 15 11:11 RunAudit
  -rwxr-xr-x   1 PDS      SYS1         406 May 15 10:34 RunAuth
  -rw-r--r--   1 PDS      SYS1        2465 May 10 16:23 sampleAudit3.XML
  -rwxr-xr-x   1 PDS      SYS1         578 May 10 16:06 sampleAuth.xml
  -rw-r-----   1 PDS      SYS1      166701 Apr 24 11:02 xop42.jar
  NP3:/ssat/home/craigj/remsvc/>
–The first digit is the owner's permission, the second is the owning group's, and the third is for everyone else. By matching the user's UID and GID against this security information, RACF determines who is allowed to read, write, and execute the file. In this case the permission bits 755 mean that the owner can read, write, and execute the file; members of the owning group can read and execute the file, as can all other users. Only the owner can write to the file.
OMVS Segment
The OMVS segment of the user's RACF profile contains information required by the USS kernel and RACF to make decisions on security and other environmental situations. Currently the OMVS segment contains:
–UID
–HOME path; maximum length = 1023
–Initial program; maximum length = 1023
–CPUTIMEMAX
–ASSIZEMAX
–FILEPROCMAX
–PROCUSERMAX
–THREADSMAX
–MMAPAREAMAX
–MEMLIMIT; maximum length = 9
–SHMEMMAX; maximum length = 9
Example output of LU CRAIGJ OMVS NORACF:
  USER=CRAIGJ
  OMVS INFORMATION
  ----------------
  UID= 0000000000
  HOME= /ssat/home/craigj
  PROGRAM= /bin/bash
  CPUTIMEMAX= NONE
  ASSIZEMAX= NONE
  FILEPROCMAX= NONE
  PROCUSERMAX= NONE
  THREADSMAX= NONE
  MMAPAREAMAX= NONE
User Security Context and z/OS Unix
Each user in the system is represented by a security context, a structure in the address space which contains information related to the identity of the user who owns that process. Attached to that security context, when warranted, is a USP (User Security Packet). Information from the user's OMVS segment is placed in the User Security Packet.
User Security Packet
UID
A numerical representation of a user entity.
–Care should be taken in assigning 0 as the user identifier. UID 0 is considered a superuser. The superuser passes all z/OS UNIX security checks.
–Assigning a UID to a user ID that appears in the RACF started procedures table (ICHRIN03) should also be done with care.
–RACF-defined started tasks that have the trusted or privileged attribute are considered superusers even if their UID is a value other than 0.
Values range from 0 to 2,147,483,647 (2 Gig) and are "unique" to each user ID.
–There may be multiple UID 0 "root" users.
–The security administrator controls shared UIDs by defining the SHARED.IDS profile in the UNIXPRIV class.
GID
The GID is a numeric value from 0 to 2,147,483,647. When a GID is assigned to a group, all users connected to that group who have a user identifier (UID) in their user profile can use functions such as the TSO/E OMVS command, and can access z/OS UNIX files based on the GID and UID values assigned.
If the security administrator has defined the SHARED.IDS profile in the UNIXPRIV class, the GID must be unique. The same value can be assigned to multiple groups, but this is not recommended because individual group control would be lost. However, if you want a set of groups to have exactly the same access to z/OS UNIX resources, you might decide to assign the same GID to more than one group.
RACF allows you to define and connect a user to more than 300 groups, but when a process is created or z/OS UNIX group information is requested, only up to the first 300 z/OS UNIX groups are associated with the process or user. The first 300 z/OS UNIX groups that have GIDs to which a user is connected are used by z/OS UNIX. LISTUSER displays the groups in the order that RACF examines them when determining which of the user's groups are z/OS UNIX groups.
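As an added illustration (not code from the IBM lesson), the following Python models the file authorization check from the Authorization Checks slides together with the UID 0 / trusted-started-task superuser rule and the 300-group cap from the UID and GID slides. The FSP and USP classes, their field names, the function names and the sample UIDs and GIDs are assumptions made for the example; the mode values come from the ls -l listing on the slide.

```python
from dataclasses import dataclass, field

# Assumed, simplified models of the structures the lesson describes. The File
# Security Packet (IFSP) carries the owner UID, owner GID and mode bits; the User
# Security Packet (USP) carries the process's UID, GID and supplemental groups.
# Field and function names are illustrative, not RACF's real layouts.

MAX_UNIX_GROUPS = 300                      # z/OS UNIX uses at most the first 300 groups
S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000


@dataclass
class FSP:
    owner_uid: int
    owner_gid: int
    mode: int                              # e.g. 0o755, optionally OR'd with S_IS* bits


@dataclass
class USP:
    uid: int
    gid: int
    supgrps: list = field(default_factory=list)
    trusted: bool = False                  # TRUSTED/PRIVILEGED started-task attribute

    def unix_groups(self):
        # Primary GID first, then supplemental GIDs, capped at 300 in total (assumed
        # reading of the "first 300 z/OS UNIX groups" rule on the GID slide).
        return ([self.gid] + list(self.supgrps))[:MAX_UNIX_GROUPS]


def mode_string(mode):
    """Render mode bits the way ls -l shows them, e.g. 0o755 -> 'rwxr-xr-x'."""
    s = ["rwxrwxrwx"[i] if mode & (0o400 >> i) else "-" for i in range(9)]
    if mode & S_ISUID:
        s[2] = "s" if s[2] == "x" else "S"
    if mode & S_ISGID:
        s[5] = "s" if s[5] == "x" else "S"
    if mode & S_ISVTX:
        s[8] = "t" if s[8] == "x" else "T"
    return "".join(s)


def ck_access(usp, fsp, want):
    """Model of the ck_access decision for a request wanting some of 'rwx'.
    A superuser (UID 0, or a trusted/privileged started task) passes every check.
    Otherwise exactly one triplet applies: owner bits if the UID matches, else group
    bits if the owning GID is one of the user's z/OS UNIX groups, else other bits.
    The owner is judged by the owner bits alone, even if other bits are more generous."""
    if usp.uid == 0 or usp.trusted:
        return True
    if usp.uid == fsp.owner_uid:
        shift = 6
    elif fsp.owner_gid in usp.unix_groups():
        shift = 3
    else:
        shift = 0
    granted = (fsp.mode >> shift) & 0o7
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return granted & needed == needed


# Constructed sample: the RunAudit (755) and xop42.jar (640) entries from the slide,
# owned by a hypothetical UID 100 whose owning group has GID 1.
RUN_AUDIT = FSP(owner_uid=100, owner_gid=1, mode=int("755", 8))
XOP_JAR = FSP(owner_uid=100, owner_gid=1, mode=int("640", 8))
```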
z/OS Unix Security Related Callable Services
The following list of services is used by the operating system to enforce security for z/OS Unix. These services are called by the z/OS Unix kernel (the OMVS process) as a result of a user or system action. For example, if a user attempts to open a file, the kernel calls ck_access, or IRRSKA00.
–It is worth noting here that although these are SAF calls, an installed external security manager (ESM) must be present to handle the operation. The OMVS process will not initialize if an ESM is not installed.
SAF is the target of the IRRSKA00 call. The SAF router passes control to the ESM. If the ESM is RACF, that control goes to the IRRRKA00 routine. It is IRRRKA00 that performs the heavy lifting of checking the user's authority to open the file.
z/OS Unix Related Callable Services
–ck_access (IRRSKA00): Check access
–ck_file_owner (IRRSKF00): Check file owner
–ck_IPC_access (IRRSKI00): Check IPC access
–ck_owner_two_files (IRRSC200): Check owner of two files
–ck_priv (IRRSKP00): Check privilege
–ck_process_owner (IRRSKO00): Check process owner
–clear_setid (IRRSCS00): Clear set ID
–deleteUSP (IRRSDU00): Delete USP
–getGMAP (IRRSGM00): Get GID-to-Group-Name mapping
–get_uid_gid_supgrps (IRRSGE00): Get UIDs, GIDs, and supplemental groups
–getUMAP (IRRSUM00): Get UID-to-User-ID mapping
–initACEE (IRRSIA00): Initialize ACEE
–initUSP (IRRSIU00): Initialize USP
–makeFSP (IRRSMF00): Make IFSP
–makeISP (IRRSMI00): Make IISP
–make_root_FSP (IRRSMR00): Make root IFSP
–query_file_security_options (IRRSQF00): Query file security options
–query_system_security_options (IRRSQS00): Query system security options
–R_admin (IRRSEQ00): RACF administration API
–R_audit (IRRSAU00): Provide an audit interface
–R_auditx (IRRSAX00 or IRRSAX64): Audit a security-related event
–R_cacheserv (IRRSCH00): Cache services
–R_chaudit (IRRSCA00): Change audit options
–R_chmod (IRRSCF00): Change file mode
–R_chown (IRRSCO00): Change owner and group
–R_datalib (IRRSDL00 or IRRSDL64): OCSF data library
Dotted decimal numbers indicate the chapter.section of z/OS Security Server RACF Callable Services, Document Number SA22-7691-09.
z/OS Unix Related Callable Services
–R_dceauth (IRRSDA00): Check a user's authority
–R_dceinfo (IRRSDI00): Retrieve or set user fields
–R_dcekey (IRRSDK00): Retrieve or set a non-RACF password
–R_dceruid (IRRSUD00): Determine the ID of a client
–R_exec (IRRSEX00): Set effective and saved UIDs/GIDs
–R_fork (IRRSFK00): Fork a process
–R_GenSec (IRRSGS00 or IRRSGS64): Generic security API interface
–R_getgroups (IRRSGG00): Get/Set supplemental groups
–R_getgroupsbyname (IRRSUG00): Get groups by name
–R_GetInfo (IRRSGI00): Get security server fields
–R_IPC_ctl (IRRSCI00): Perform IPC control
–R_kerbinfo (IRRSMK00): Retrieve or set security server network authentication service fields
–R_PKIServ (IRRSPX00): Request public key infrastructure (PKI) services
–R_proxyserv (IRRSPY00): LDAP interface
–R_ptrace (IRRSPT00): Ptrace authority check
–R_setegid (IRRSEG00): Set effective GID, set all GIDs
–R_seteuid (IRRSEU00): Set effective UID, set all UIDs
–R_setfacl (IRRSCL00): Unix access control lists
–R_setfsecl (IRRSSB00): Security label
–R_setgid (IRRSSG00): Set group name
–R_setuid (IRRSSU00): Set z/OS UNIX user identifier (UID)
–R_ticketserv (IRRSPK00): Parse or extract
–R_umask (IRRSMM00): Set file mode creation mask
–R_usermap (IRRSIM00): Map application user
–R_writepriv (IRRSWP00): Write-down privilege
Summary
–z/OS Unix System Services manages security through SAF and an external security manager.
–Internally, security contexts are identical to those used by legacy processes.
–z/OS is a Unix-branded operating system, so the external security concepts are Unix based.
–UIDs can be shared on z/OS.
Introduction to z/OS Security Lesson 4: There's more to it than RACF.