On Tue, Apr 27, 2021 at 6:53 AM Itschak Mugzach <[email protected]> wrote:

> Thanks John,
>
> My concern is access to other syscall functions. It may be true to unix, but I think some of them allow more information than I would allow to standard user.

I think I get that (OK, not really -- I let people see just about anything that's not dangerous & then swat them if they try to misuse it). In any case, I think if they can do any specific SYSCALL then they can use any of them. None of them seem to be particularly powerful to me. But I could easily be overlooking something.

It just occurred to me that the REXX SYSCALLs might be able to be restricted if you restrict the actual underlying UNIX syscall. I.e. the information returned from the procinfo() will be restricted to what the user could normally see if they did a UNIX "ps" command. A normal user cannot see everything that a superuser can.

> ITschak
>
> Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I
> Email: [email protected] | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il
>
> On Tue, Apr 27, 2021 at 2:50 PM John McKown <[email protected]> wrote:
>
> > I doubt it. At least using supplied IBM facilities. Why? If you read here:
> > https://www.ibm.com/docs/en/zos/2.1.0?topic=functions-sleep
> > It does not have any information about security requirements. Therefore, I assume (ouch), that there is not one for this function, or any of the other UNIX functions in that section. And thus it is "one for all and all for one", so to speak. The same with UNIX commands. They all have the same security requirements, so if you have one, you have them all. At least in a normal set up.
> >
> > Now, long before UNIX was in z/OS, I wrote a batch program (designed to be invoked via EXEC PGM=) called SLEEP. It's only 180 assembler lines long (34 of which are comments). It does use one in-house macro, but that is simply "STARTUP" which does normal register saves and so could be easily replaced with just plain instructions. If you want it, I can email it to you.
> >
> > On Tue, Apr 27, 2021 at 6:33 AM ITschak Mugzach <[email protected]> wrote:
> >
> > > A user asks to have access to the uss sleep syscall. We would like to limit the user only to this function. Is this possible?
> > >
> > > ITschak
> > >
> > > ITschak Mugzach
> > > IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to [email protected] with the message: INFO IBM-MAIN
