
List:       racf-l
Subject:    Re: [EXTERNAL] Re: SPECIAL attribute and OMVS segment
From:       BUCKLEY Pete <pete.buckley () AXA ! COM>
Date:       2023-03-31 7:05:35
Message-ID: PAXPR04MB86865CF38E7A173B37792E68888F9 () PAXPR04MB8686 ! eurprd04 ! prod ! outlook ! com

I think it's the opposite. From Juan's post:
" I seem to remember that the logic behind this old security advice was that this way a Unix superuser would not be able to eventually switch to my SPECIAL userid (and thus gain SPECIAL authority)..."

So the rationale is that a different userid with [some values of] SUPERUSER would be able to seteuid to the uid of the SPECIAL userid, and use that to issue RACF commands etc.

Of course there are other ways to weaponise SUPERUSER to similar effect.
And you could argue against SPECIAL having FTP access, as one possible avenue of exfiltration.

Pete Buckley
AXA 


-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of Walt Farrell
Sent: 30 March 2023 16:36
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: SPECIAL attribute and OMVS segment

On 3/30/2023 8:43 AM, Marc Van der Meer1 wrote:
> As a security admin you should not have a need for UID(0). That should be reserved to system programmers, if at all necessary. unixpriv profiles normally do the job. I have never heard of the NOUID recommendation for system specials, and really do not see why that would be recommended. A non zero UID would be just fine.

There is a school of thought that you need to ensure that your users with SPECIAL don't run any untrusted programs. Thus, for example, you need to make sure that there are no uncontrolled (or poorly controlled) CLIST libraries in their TSO SYSPROC concatenation. The same would apply to libraries containing REXX execs.

I _think_ the recommendation for NOUID derived from similar concerns. If you allow them to use UNIX services, there are then another set of executables that you need to ensure are properly controlled, because if the SPECIAL user runs anything from an uncontrolled source then they might end up issuing RACF commands to compromise your system security without realizing it.

It's related, I think, to the idea that the SPECIAL user ID should not be used for anything _except_ RACF administration, and if the user needs to do non-administrative functions they should use a separate, non-SPECIAL, user ID for those functions.

--
Walt
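As an added illustration (not part of this thread or of any RACF tooling), a small audit over constructed LISTUSER-style output: it flags SPECIAL userids that carry an OMVS segment at all (the NOUID recommendation discussed above), those with UID 0, and non-SPECIAL userids sharing a UID with a SPECIAL one, which is the switch-to-the-SPECIAL-uid concern Pete raises. The sample text and its layout approximate LISTUSER output and are not captured from a real system.

```python
import re

# Constructed sample approximating LISTUSER output with the OMVS segment shown
# (not from a real system); only USER=, ATTRIBUTES= and UID= lines are consulted.
SAMPLE_LISTUSER = """\
USER=RACFADM  NAME=SECURITY ADMIN  OWNER=SYS1  CREATED=22.015
 ATTRIBUTES=SPECIAL
OMVS INFORMATION
----------------
UID= 0000000000
USER=SYSPROG1  NAME=SYSTEMS PROGRAMMER  OWNER=SYS1  CREATED=20.100
 ATTRIBUTES=NONE
OMVS INFORMATION
----------------
UID= 0000000000
USER=AUDITOR1  NAME=RACF AUDITOR  OWNER=SYS1  CREATED=21.200
 ATTRIBUTES=AUDITOR
"""

def parse_listuser(text):
    """Map each userid to its attribute set and OMVS UID (None = no OMVS segment)."""
    users, current = {}, None
    for line in text.splitlines():
        if line.startswith("USER="):
            current = users.setdefault(line.split()[0][5:], {"attributes": set(), "uid": None})
        elif current is not None:
            m = re.match(r"\s*ATTRIBUTES=(.*)", line)
            if m:
                current["attributes"] = set(m.group(1).split()) - {"NONE"}
            m = re.match(r"\s*UID=\s*(\d+)", line)
            if m:
                current["uid"] = int(m.group(1))
    return users

def audit(users):
    """Flag SPECIAL users with an OMVS segment or UID 0, and UIDs shared with a SPECIAL user."""
    findings, special_uids = [], {}
    for name, u in users.items():
        if "SPECIAL" in u["attributes"] and u["uid"] is not None:
            findings.append((name, "SPECIAL user has an OMVS segment"))
            special_uids[u["uid"]] = name
            if u["uid"] == 0:
                findings.append((name, "SPECIAL user has UID 0"))
    for name, u in users.items():
        if "SPECIAL" not in u["attributes"] and u["uid"] in special_uids:
            findings.append((name, f"shares UID {u['uid']} with SPECIAL user {special_uids[u['uid']]}"))
    return findings

if __name__ == "__main__":
    for name, msg in audit(parse_listuser(SAMPLE_LISTUSER)):
        print(f"{name}: {msg}")
```

On the sample, RACFADM is reported twice (OMVS segment present, UID 0) and SYSPROG1 once for sharing UID 0 with RACFADM; AUDITOR1, having no OMVS segment, produces no finding.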


