Specifications

4 IBM System z Personal Development Tool: Volume 3 Additional Topics
SecureUpdateUtility command as root. The parameters for zpdtSecureUpdate are the
same as for SecureUpdateUtility.
4. Select a userid (not root) who will be allowed to use the clientconfig command and issue
the following command as root:
# clientconfig_authority -a <userid>
A userid may be removed from the authorized list by using a -d flag instead of -a.
5. Thereafter the indicated userid can use the clientconfig command.
As a practical matter, the same userid may be selected for both functions. The ability to
bypass root usage with these commands does not alter the operation of the
SecureUpdateUtility or clientconfig commands if used by root in the normal way.
1.4.2 Linux suid usage
The zPDT system software operates as a normal Linux application with one exception. The
eDMosa module (that provides the emulated OSA function) operates with Linux root
privileges. That is, it uses “suid” permission to operate as root, and the permissions are
“world” executable. While we have no indication that this has happened, it might be possible
for a non-zPDT Linux user to execute eDMosa and, in some way, use this to compromise the
base Linux system. The suid module is also visible to programs that scan Linux for
“unapproved” suid files.
You can remove the “world” executable permission, as follows:
1. Select (or create) a Linux group for use only by zPDT functions. The installation
instructions in the second volume of this series (SG24-7722) suggest creating a group
named zpdt, although the specific name is not important. You can use the GUI
administrative functions of your Linux to add the group (and associate selected userids
with the group).
2. Change the ownership of eDMosa to this group. For example,
# chgrp zpdt /usr/z1090/bin/eDMosa
3. Change the permissions for eDMosa:
# chmod 4750 /usr/z1090/bin/eDMosa
4. Remember that any Linux userid that is to be used to start zPDT must be a member of the
new group. Other userids should not be members of this group.
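The following is an added example (not from the Redbook) that audits the eDMosa permission state described above and applies steps 2 and 3 in one go. It assumes GNU or busybox `stat -c`; the binary path and group are parameters, with the book's own values (/usr/z1090/bin/eDMosa, group zpdt) used in the stand-alone run at the bottom.

```shell
#!/bin/sh
# Added example (not from the Redbook): audit and apply the suid hardening
# described in the section. Assumes GNU/busybox `stat -c`. The binary path
# and group are parameters; the book's values are /usr/z1090/bin/eDMosa and zpdt.

# Report how a setuid binary is exposed:
#   not-suid         no setuid bit
#   suid-world-exec  setuid plus any "other" permission bits (the shipped state)
#   suid-group-only  exactly 4750, the state the section recommends
#   suid-other       setuid with some other permission pattern
suid_state() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        4???|5???|6???|7???) ;;          # leading digit >= 4 means setuid is set
        *) echo not-suid; return 0 ;;
    esac
    other=$(printf '%s' "$mode" | cut -c4) # the "other" (world) digit
    if [ "$other" -ne 0 ]; then
        echo suid-world-exec
    elif [ "$mode" = 4750 ]; then
        echo suid-group-only
    else
        echo suid-other
    fi
}

# Steps 2 and 3 from the section: group-own the binary and drop world access.
# $1 = path, $2 = zPDT group (name or numeric gid). Needs root for the real eDMosa.
harden_suid_binary() {
    chgrp "$2" "$1" && chmod 4750 "$1" && [ "$(suid_state "$1")" = suid-group-only ]
}

# What an "unapproved suid" scanner flags: setuid files under $1 that are
# also world-executable (-perm -4001 requires both bits to be set).
find_world_exec_suid() {
    find "$1" -xdev -type f -perm -4001 2>/dev/null
}

# Stand-alone use (as root): audit eDMosa before and after hardening.
if [ "${1:-}" = --run ]; then
    bin=/usr/z1090/bin/eDMosa
    echo "before: $(suid_state "$bin")"
    harden_suid_binary "$bin" zpdt && echo "after:  $(suid_state "$bin")"
fi
```

Run it as `sh harden_edmosa.sh --run` as root; the two audit lines should read `suid-world-exec` before and `suid-group-only` after, and `find_world_exec_suid /usr/z1090` should then print nothing.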
1.4.3 1090 log files
In earlier zPDT releases some zPDT log files and directory (in a subdirectory of the home
directory of the Linux user who started zPDT) were world accessible. This has been changed
in the current releases.
1.4.4 Token server monitoring
The token software used with zPDT has a web monitoring function. This is not relevant to
normal zPDT operation, but might be construed as an exposure. You can disable this monitor
function as follows:
# cd /opt/safenet_sentinel/common_files/sentinel_keys_server
# cp -p sntlconfigsrvr.xml sntlconfigsrvr.xml.orig (make backup)
# (edit sntlconfigsrvr.xml, find <ConfigureLicenseMonitorPort>