Migration to z/OS 2.1 in RACF imposes a limit to the number of Logonids that can have a UID of '0'. Is this true with ACF2?

Document ID : KB000017875
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

ACF2 does not have a limit to the number of Logonids that can have a UID of 0.

Solution:

ACF2 does not enforce a limit to the number of logonids that can have a UID of '0'; however, as a general recommendation for auditability, sites should limit the number of logonids that have UID '0'.

To do so, sites can implement controls by securing BPX.SUPERUSER and utilizing Superuser Granularity rules.

The ability to switch to superuser status is controlled through the FACILITY class resource BPX.SUPERUSER. To control which users have the ability to use the su command, add rule entries to the BPX

FACILITY resources rule, similar to this one, as appropriate:


 $KEY(BPX) TYPE(FAC)       
 SUPERUSER UID(user_uid) ALLOW 

Specific superuser functions can be secured via superuser granularity using resource rules in the UNIXPRIV class:

Controlling Superuser Functions
OMVS requires that users performing certain functions have a UID(0) or superuser status. Once a user is given superuser status, they have complete access to the system. The UNIXPRIV class allows specific control of the individual functions performed by a user with superuser authority. This is referred to as superuser granularity.

Using the UNIXPRIV class means that a user does not need superuser authority to perform an individual function from the above table.

When a user attempts to perform the function without a UID(0) or superuser authority, CA ACF2 issues a resource check to see if that user is allowed to perform the function. If the resource rule allows access to the resource associated with the function, the user is allowed to perform the function even though they do not have UID(0).

The following example shows a rule that allows USERA to read all HFS files, change the ownership of any file, and see all processes using the ps command:


 SET RESOURCE(UNI)       
 LIST SUPERUSER 
 ACF75052 RESOURCE RULE SUPERUSER STORED BY USER01 ON 05/04/99 - 12:26
 $KEY(SUPERUSER) TYPE(UNI)
 FILESYS UID(usera) SERVICE(READ) ALLOW
 FILESYS.CHOWN UID(usera) ALLOW
 PROCESS.GETPSENT UID(usera) ALLOW
 ACF75051 TOTAL RECORD LENGTH = 268 BYTES, 6 PERCENT UTILIZED 

A detailed list of UNIXPRIV resources can be found in the CA ACF2 for z/OS Administration Guide in Chapter 23: Starting CA ACF2 in a z/OS UNIX System Services Environment section 'Controlling Superuser Functions'.