z/OS UNIX System Services Planning



Upload: truongmien

Post on 18-Mar-2018


  • z/OS UNIX System Services Planning
    Version 2 Release 3
    GA32-0884-30
    IBM

  • Note: Before using this information and the product it supports, read the information in Notices on page 457.

    This edition applies to Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions.

    Last updated: March 16, 2018

    Copyright IBM Corporation 1996, 2018. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

  • Contents

    Figures
    Tables

    About this document
    Using this document
    z/OS information
    IBM Systems Center publications
    z/OS UNIX courses
    Discussion list

    How to send your comments to IBM
    If you have a technical problem

    Summary of changes
    Summary of changes for z/OS UNIX for Version 2 Release 3 (V2R3)
    Summary of changes for z/OS UNIX for Version 2 Release 2 (V2R2) as updated March, 2016
    Summary of changes for z/OS UNIX for Version 2 Release 2 (V2R2)
    z/OS Version 2 Release 1 summary of changes

    Chapter 1. Introduction to z/OS UNIX
    The API interface
    The interactive shell interface
    Interacting with elements and features of z/OS
    Workload Manager (WLM)
    WebSphere Application Server Dispatcher
    System Management Facilities (SMF)
    XL C/C++ compiler
    Language Environment
    DFSMS
    Security Server (RACF)
    Resource Measurement Facility (RMF)
    System Display and Search Facility (SDSF)
    Time Sharing Options Extensions (TSO/E)
    Communications Server
    Interactive System Productivity Facility (ISPF)
    Network File System (NFS)
    z/OS File System (zFS)
    Hardware considerations for z/OS UNIX
    Requirements for accessing kernel services using TSO/E
    Tasks that z/OS UNIX application programmers do
    Administrative tasks using the ISPF shell

    Chapter 2. Installing z/OS UNIX
    Methods of installing z/OS UNIX
    Installing z/OS UNIX for ServerPac customers
    Installing z/OS UNIX for CBPDO customers
    Establishing an /etc file system for a new release

    Chapter 3. Customizing z/OS UNIX
    Setting up kernel services in minimum mode
    Setting up kernel services in full function mode
    Setting up for full function mode
    Checking the mode of the kernel in a running system
    Evaluating virtual memory needs
    Using extended common service area (ECSA)
    Extended system queue area (ESQA)
    Predicting and limiting ESQA usage
    Reducing the amount of ESQA used by fork() processing
    Reducing the amount of ESQA needed to support servers
    Prioritizing UNIX work on your system
    Define service classes
    Define classification rules
    Defining the BPXPRMxx members in IEASYSxx
    Customizing the BPXPRMxx member of SYS1.PARMLIB
    Checking the BPXPRMxx syntax
    Defining file systems
    Defining system limits
    Defining system features
    Customizing other members of SYS1.PARMLIB
    ALLOCxx
    COFVLFxx
    CTnBPXxx
    IEADMR00
    IKJTSOxx
    SMFPRMxx
    Customizing /etc
    Initializing the kernel using a cataloged procedure
    Running a physical file system in a colony address space
    Starting colony address spaces
    Starting colony address spaces outside of JES
    Running a temporary file system in a colony address space
    Steps for creating a cataloged procedure for a temporary file system
    Enabling certain TSO/E commands to z/OS UNIX users
    Globalization on z/OS systems

    Chapter 4. Establishing UNIX security
    List of subtasks
    Preparing RACF
    Steps for preparing RACF
    Using RACF with z/OS UNIX
    RACF performance considerations
    Setting up users and groups
    Activating supplemental groups
    Defining z/OS UNIX users to RACF
    Steps for defining z/OS UNIX users to RACF


    Storing user-specific information in OMVS segments
    Automatically generating OMVS segments
    Security implications
    Checking user and group authority
    Obtaining security information about groups
    Steps for obtaining security information about a group
    Obtaining security information about users
    Steps for obtaining security information about users
    Setting up field-level access for the OMVS segment of a user profile
    Steps for setting up field-level access
    Defining group identifiers (GIDs)
    Defining user identifiers (UIDs)
    Defining protected user IDs
    Defining the terminal group name
    Managing user and group assignments
    Assigning UIDs and GIDs in an NFS network
    Assigning identifiers for users
    Assigning identifiers for groups
    Upper limits for GIDs and UIDs
    Creating z/OS UNIX groups
    Steps for creating z/OS UNIX groups
    Superusers in z/OS UNIX
    Using UNIXPRIV class profiles
    Assigning superuser privileges
    Allowing z/OS UNIX users to change file ownerships
    Allowing z/OS UNIX users to search directories
    Using the BPX.SUPERUSER resource in the FACILITY class
    Steps for setting up BPX.SUPERUSER
    Deleting superuser authority
    Changing a superuser from UID(0) to a unique nonzero UID
    Switching in and out of superuser authority
    Assigning a UID of 0
    Setting up the UNIX-related FACILITY and SURROGAT class profiles
    Security requirements for ServerPac and CBPDO installation
    If you use uppercase group and user IDs
    If you use mixed-case group and user IDs
    If you have problems with names such as UUCP, UUCPG, and TTY
    Defining cataloged procedures to RACF
    Controlling access to files and directories
    Setting classes for a user's process
    Accessing files
    Changing the permission bits for a file
    Changing the owner or group for a file
    Creating a set-user-ID or set-group-ID executable file
    Protecting data
    Obtaining security information for a file
    Creating a sticky bit file or external link for an MVS APF-authorized program
    Using access control lists (ACLs)
    ACLs and ACL entries
    Managing ACLs
    Using security labels
    Setting security labels on z/OS UNIX
    Symbolic link restrictions
    Using multilevel security
    Security labels for zFS files and directories
    Auditing access to files and directories
    Specifying file audit options
    Using sanction lists
    Formatting rules for sanction lists
    Steps for creating a sanction list
    Steps for activating the sanction list
    Maintaining the security level of the system
    Steps for maintaining the security level of the system
    Controlling access to applications
    Restricting access to z/OS UNIX file systems
    Using the FSACCESS class profile to restrict access
    Restricting execute access in a zFS or TFS file system
    Setting up TCP/IP security
    Selecting a security level for the system

    Chapter 5. Managing the z/OS UNIX file system
    Lists of subtasks
    Basics of the z/OS UNIX file system
    Structure of the z/OS UNIX file system
    Command differences due to symbolic links
    Suggested file system structures for user directories and files
    Using the Network File System (NFS)
    Using the z/OS File System (zFS)
    How does zFS differ from HFS?
    Implications of zFS ownership versus z/OS UNIX ownership of file systems
    Migrating t