T 5.118 Obtaining high level rights in the RACF by unauthorised means

If a user manages to increase his/her rights in the z/OS security system, RACF, in certain circumstances this user will be able to access files without authorisation and tamper with the system.

Trace in the network

With a so-called trace (interception of the network traffic) on the TCP/IP or TPX protocols, an attacker may be able to obtain the ID and password of a user with special rights, depending on the protection in the network. Using this knowledge, the attacker will be able to increase his/her own authorisations and even assign the special rights to his/her own ID.

APF, SVC

Two further possible ways to obtain higher level authorisations as a user in the z/OS system are the APF (Authorized Program Facility) and the SVCs (SuperVisor Calls).

If the user manages to place programs in APF-authorised files, or manages to install SVCs, he/she can obtain special or operations rights in this way (by tampering with his/her own ACEE control block). Although these rights may only be available temporarily for the related session, the program can be run time and again.

Accumulated rights

A further threat is posed by so-called accumulated rights, which result from inadequate authorisation management. The following scenario is typical:

A user changes to a new post. The user receives the rights as necessary for the new post without the deletion of the old rights. In this way over a long period the user accumulates rights that are much wider than the authorisations actually required.
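
One way to review for the accumulated rights described above, as an added example that is not part of the original catalogue entry: it compares each user's group connections with the set required for the current post and reports which earlier post each surplus connection dates from. User IDs, group names, posts and dates are constructed sample data, and the per-post baseline is an assumed input that would come from the site's authorisation concept.

```python
from datetime import date

# Constructed sample data (hypothetical group and post names).
POST_BASELINE = {
    "operator": {"OPSGRP", "JOBVIEW"},
    "dba": {"DB2ADM", "JOBVIEW"},
    "auditor": {"AUDITRD"},
}
# (user, post, start date), one row per post held
POST_HISTORY = [
    ("USER01", "operator", date(2019, 3, 1)),
    ("USER01", "dba", date(2021, 6, 1)),
    ("USER01", "auditor", date(2023, 1, 15)),
    ("USER02", "dba", date(2022, 2, 1)),
]
# (user, group, date the connection was granted)
CONNECTS = [
    ("USER01", "OPSGRP", date(2019, 3, 2)),
    ("USER01", "JOBVIEW", date(2019, 3, 2)),
    ("USER01", "DB2ADM", date(2021, 6, 3)),
    ("USER01", "AUDITRD", date(2023, 1, 16)),
    ("USER02", "DB2ADM", date(2022, 2, 1)),
    ("USER02", "JOBVIEW", date(2022, 2, 1)),
]

def post_on(user, day, history):
    """Return the post the user held on a given day, or None if unknown."""
    held = [(start, post) for u, post, start in history if u == user and start <= day]
    return max(held)[1] if held else None

def accumulated_rights(connects, history, baseline):
    """Map user -> sorted list of (group, post it was granted under) for
    connections that the user's current post does not require."""
    findings = {}
    for user, group, granted in connects:
        current = post_on(user, date.max, history)
        # A user with no known post has an empty baseline, so everything is reported.
        if group in baseline.get(current, set()):
            continue
        findings.setdefault(user, []).append((group, post_on(user, granted, history)))
    return {u: sorted(f) for u, f in findings.items()}

if __name__ == "__main__":
    for user, extra in accumulated_rights(CONNECTS, POST_HISTORY, POST_BASELINE).items():
        for group, origin in extra:
            print(f"{user}: {group} left over from post '{origin}'")
```
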

Example: