Re: Is having an OMVS segment on a userid with RACF SPECIAL an issue?

Mon, 14 May 2012 23:35:31 -0700 

IMHO the are two secure choices:

1. NOOMVS for SPECIAL
2. UID(0) for SPECIAL. Yes, 0. The trick is UID(0) is shared, so there is one to many relationship. So, hijacking UID(0) does NOT mean hijacking SPECIAL user. There is a parameter in BPXPRMxx called SUPERUSER(username). This is the user which would be hijacked for UID(0)! Obviously you should care not to give this user any extraordinary attributes. BTW: default username is BPXROOT.
Last, but not least: take care to prevent hijacking. IMHO it's feasible to configure system in that manner. 


My €0.02
--
Radoslaw Skorupka
Lodz, Poland





W dniu 2012-05-14 21:22, Bruce Wheatley pisze:

I seem to recall that in the past adding an OMVS segment to a userid with RACF SPECIAL was 
considered a "no-no." Something to do with the posiibility of the userid being 
"hijacked" thereby allowing access to its SPECIAL attribute.

Is this still a concern (was it ever?) and if so are there ways to prevent such 
"hijacking"?

TIA

(Posted on both RACF&  IBM-Main lists)



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN




--
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.
This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. 
BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 22 829 00 00, fax +48 
22 829 00 33, www.brebank.pl, e-mail: [email protected]
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2012 r. kapita zakadowy BRE Banku SA (w caoci wpacony) wynosi 168.410.984 zotych. 

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

Reply via email to