> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Klavon John R
> Sent: Monday, November 13, 2006 8:56 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Unix Security
>
>
> Does anyone have a good suggestion for setting up a Superuser
> id (UID(0)) for individuals that require the access? They
> would like to set up as few users as possible to satisfy the
> auditors.
>
Don't. Do. That. There is no need for a "live person" to have UID(0) as their normal UID. There is a whole set of RACF facilities to allow a person many of the functions normally granted by UID(0). Start reading at:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/BPXZB270/4.6

If nothing else, grant RACF READ authority to BPX.SUPERUSER in the FACILITY class to the people who need it. This will allow them to "su" for root (UID 0) access as needed. There are a lot of profiles starting with BPX. in the FACILITY class to allow people to do superuser-like functions. There are many more profiles in the UNIXPRIV class to also let non-root people do things.

If a "live person" must run a batch job which demands root, then set up a SURROGAT profile to allow them to submit a job with the USER= specifying the id in the SUPERUSER() parameter of BPXPRMxx in PARMLIB.

We __never__ allow an "interactive" user to have UID(0) in their OMVS segment. Only a very few PROTECTED RACF userids have UID(0). In fact, there are only two in my shop. There is the SUPERUSER in the BPXPRMxx member and there is a separate one for the HTTPD server. The only reason I have two is so that the RACF accesses to non-UNIX datasets are more controlled for the HTTPD server id. These ids are only used for specific started tasks such as TCPIP and other UNIX daemons.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and its content is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this transmission, or taking any action based on it, is strictly prohibited.
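As an added example (not part of John McKown's post and not taken from IBM documentation), here is the setup he describes as a batch TSO job running RACF commands: protected UID(0) ids for the kernel and the HTTP server, BPX.SUPERUSER and two UNIXPRIV profiles for the people who need root-like function, a SURROGAT profile for root batch jobs, and a STARTED profile for the web server. The group names SYSPROGS and OMVSGRP, the userids OMVSKERN and WEBSRV, the started-task name HTTPD and the accounting fields are assumptions for illustration; substitute your own.

```jcl
//RACFSU   JOB (ACCT),'UID0 HARDENING',CLASS=A,MSGCLASS=X
//* Added example, not from the original post. Assumed names:
//*   SYSPROGS - RACF group of the people who need root on demand
//*   OMVSGRP  - default group for the UNIX daemon ids
//*   OMVSKERN - protected UID(0) id named in BPXPRMxx SUPERUSER()
//*   WEBSRV   - protected UID(0) id used only by the HTTP server
//* Nothing below puts UID(0) into a person's OMVS segment.
//*
//* Step 1: the protected UID(0) ids. NOPASSWORD with no password
//* phrase makes the id PROTECTED: it cannot log on and cannot be
//* revoked by bad-password attempts, so it serves started tasks only.
//STEP1    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP OMVSGRP OMVS(GID(1))
 ADDUSER OMVSKERN NAME('OMVS KERNEL SUPERUSER') DFLTGRP(OMVSGRP) -
   NOPASSWORD NOOIDCARD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
 ADDUSER WEBSRV NAME('HTTP SERVER') DFLTGRP(OMVSGRP) -
   NOPASSWORD NOOIDCARD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
/*
//* Step 2: SYSPROGS members switch to root with "su" instead of
//* owning UID(0), and get mount/unmount and kill-any-process rights
//* through UNIXPRIV without becoming root at all.
//STEP2    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
 PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(SYSPROGS) ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
 SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
 RDEFINE UNIXPRIV SUPERUSER.FILESYS.MOUNT UACC(NONE)
 PERMIT SUPERUSER.FILESYS.MOUNT CLASS(UNIXPRIV) ID(SYSPROGS) -
   ACCESS(READ)
 RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE)
 PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ID(SYSPROGS) -
   ACCESS(READ)
 SETROPTS RACLIST(UNIXPRIV) REFRESH
/*
//* Step 3: a batch job that must run as root is submitted with
//* USER=OMVSKERN; the SURROGAT profile decides who may do that, and
//* the HTTP server started task is assigned its own UID(0) id.
//STEP3    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
 RDEFINE SURROGAT OMVSKERN.SUBMIT UACC(NONE)
 PERMIT OMVSKERN.SUBMIT CLASS(SURROGAT) ID(SYSPROGS) ACCESS(READ)
 SETROPTS RACLIST(SURROGAT) REFRESH
 SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
 RDEFINE STARTED HTTPD.* STDATA(USER(WEBSRV) GROUP(OMVSGRP))
 SETROPTS RACLIST(STARTED) REFRESH
/*
//* In SYS1.PARMLIB(BPXPRMxx):   SUPERUSER(OMVSKERN)
//* A root batch job from a SYSPROGS member then carries
//*   //ROOTJOB JOB (ACCT),'NEEDS ROOT',CLASS=A,MSGCLASS=X,USER=OMVSKERN
//* while the job's SMF records still identify who submitted it.
```

Each step is a separate IKJEFT01 so the JCL comments can sit between them; `/*` in column 1 ends instream data, which is why the SYSTSIN lines carry no inline comments. After this runs, a SYSPROGS member types `su` in the z/OS UNIX shell and gets UID 0 without a root password, but only for that session and under their own userid in the audit trail; the rest of the time they hold nothing more than their ordinary UID.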