[3999] in WWW Security List Archive
OS/390 and WWW -Reply
daemon@ATHENA.MIT.EDU (Gregg Berg)
Thu Jan 16 15:39:08 1997
Date: Thu, 16 Jan 1997 09:38:48 -0800
From: Gregg Berg <GBERG@BOOLE.COM>
To: www-security@ns2.rutgers.edu, arjan@pino.demon.nl
Errors-To: owner-www-security@ns2.rutgers.edu
>>> Arjan Vos <arjan@pino.demon.nl> 01/14/97 04:22pm >>>
> Just some questions popping into my mind:
> IBM is now offering OS/390 with spec1170-compliant UNIX integrated and
> TCP/IP etc. As far as I can see IBM's main goal is to offer "open
> computing" to their existing clients with (huge) corporate databases
> (formerly) under MVS. Though UNIX is integrated, all security-related
> measures are still being done under RACF or ACF or whatsoever.
> But, why would one want their corporate databases connected to the Net? It
> is now possible to query DB2 databases, like in UNIX they've been doing
> with Oracle databases since ages :-))
Because their customers have requested/demanded that IBM provide open solutions
to obtaining corporate data.
Yep, DB2 will now be available for the whole enterprise.
> As far as I can see, one would not want to place corporate databases, or
> high-transactional online systems on the Internet in the first place....
What about INTRANET? Customers want enterprise wide access to all their
corporate data across all their platforms. To place the Mainframe as the
premier server in the enterprise it needs to support the software
that clients are used to in the UN*X world (i.e. SOM/DSOM, NFS, TCP/IP,
EMAIL, etc.).
> What about security, e.g. SYN floods or bombing... How will they be
> handled under OS/390.
The way most commercial accounts currently handle such things. Backups,
multiple data centers, DB logging, etc.
> Is it possible to abuse PSW=0 states with networking interfaces under
> OS/390 (I know that root under UNIX still has its own address space and
> protection by RACF)?
There is no similar concept as root in MVS but I believe MVS/OE (open edition)
has a root for administration of the Open edition stuff. In MVS RACF is
queried when a non-authorized address space tries to perform a sensitive
function such as accessing secured files, running secured applications, etc.
If your program can get into a system key 0-7 then security is all but
non-existent (i.e. you can circumvent RACF if you know what you are doing).
NOTE, getting to a system key requires your program to be APF authorized and in
an APF authorized library which in most shops are tightly secured and usually
require some sort of change control to update them.
> How about cross-memory stuff within Unix under OS/390?
Since MVS is the Kernel for Open Edition you would again somehow have to
get into a system key to circumvent RACF protection and then only if you
know what you are doing.
> Does anybody know about possible weaknesses?
IBM has always accepted and treated security weaknesses as high priority
problems.
> Arjan Vos
Gregg Berg
Sr. Software Developer
Boole & Babbage, Inc.