-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Alan Altmark
Sent: Friday, February 26, 2010 12:33 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Crazed idea: SDSF for z/Linux

On Thu, 25 Feb 2010 11:59:41 -0500, Thompson, Steve
<steve_thomp...@stercomm.com> wrote:
>Yes this raises security issues. But you have physical access in this
>case. If these things are only given to the root or a special user w/in
>the *nix environment, you have addressed much of the security issues.
>
>If you are running under VM, and VM is giving you access to the physical
>addresses, then the security is controlled by VM.

Not.  The problem is that the z/OS audit trail will not contain any record
that user STEVE accessed the spool and z/OS access rules will not be applied
to the datasets on the volume.
<SNIP>

I think we are talking about two different issues.

In a D/R situation, where you have killed your running system, and
somehow your 1 pack emergency system won't IPL (since it takes at least
2 volumes for SYSRES now), you can fix things if you have a standalone
system. [OR, you are at the D/R site and need to make some change to get
the system to IPL...]

I have used such a system that is booted from the HMC's CD unit. And the
editor that I used was a royal pain, because it had to write back to the
block it read from.

If you have more of a system to do that kind of work with, then
recovering a wrecked JES2PARM or PARMLIB element/member becomes much
easier.

And in this case of the standalone editor, there were no directory entry
updates made, no SMF data, etc. etc.

-- Aside: do I need to get into spool at this point? I dunno, I guess it
would depend on if there was something there that would tell me what I
need to know to fix this system so it can IPL --

Now, if you were to do this with a running system ("z/Linux" for
instance), I'd think that the auditors and security people should be
able to use piano wire or whatever.

But again if running under VM, VM has the ability to prevent your access
to the target volumes by reason of IEF, does it not?

This is what gives the last line of defense, such that it is.

Regards,
Steve Thompson

-- Opinions expressed by this poster may not reflect poster's employer's
opinions --
