s390-tools/s390-tools-zdsfs.caution.txt

20 lines
2.4 KiB
Plaintext
Raw Normal View History

* Upgrade s390-tools to version 2.34 (jsc#PED-3223,jsc#PED-9591) *** v2.34.0 * Changes of existing tools: - ap_tools/ap-check: Add support for vfio-ap dynamic configuration - dbginfo.sh: Update/Add additional DASD data collection - dumpconf: Add new parameter 'SCP_DATA' for SCSI/NVMe/ECKD dump devices - libutil: Make formatted meta-data configurable - s390-tools: Replace 'which' with built-in 'command -v' - zdump/dfi_elf: Support core dumps of vr-kernels * Bug Fixes: - chzdev: Fix warning about failed ATTR writes by udev - rust/pv: Try again if first CRL-URI is invalid - rust/pvattest: Add short option for --arpk - zdump: Fix 'zgetdump -i' ioctl error on s390 formatted dump file *** v2.33.1 * Bug Fixes: - s390-tools: Fix formatting and typos in README.md - s390-tools: Fix release string *** v2.33.0 * Add new tools / libraries: - chpstat: New tool for displaying channel path statistics - libutil: Add output format helpers(util_fmt: JSON, JSON-SEQ, CSV, text pairs) * Changes of existing tools / libraries: - chzdev: Add --is-owner to identify files created by zdev - dasdfmt: Change default mode to always use full-format (Note: affects ESE DASD) - libap: Significantly reduce delay time between file lock retries - pvattest: Rewrite from C to Rust - pvattest: Support additional data & user-data - rust/pv: Support for Attestation * Bug Fixes: - chreipl: Improve disk type detection when running under QEMU - dbginfo.sh: Use POSIX option with uname - s390-tools: Fix missing hyphen escapes in the man page for many tools - zipl/src: Fix bugs in disk_get_info() reproducible in corner cases *** v2.32.0 * Changes of existing tools: - cpumf/lscpumf: add support for machine type 3932 - genprotimg, pvattest, and pvsecret accept IBM signing key with Armonk as subject locality - zdump/zipl: Support for List-Directed dump from ECKD DASD - zkey: Detect FIPS mode and generate PBKDF for luksFormat according to it * Bug Fixes: - dbginfo.sh: dash compatible copy sequence - rust/pv_core: Fix UvDeviceInfo::get() method - zipl/src: Fix leak of files if run with a broken configuration - zkey: Fix convert command to accept only keys of type CCA-AESDATA * Revendored vendor.tar.gz * Removed obsolete patches - s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch - s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch - s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch - s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch - s390-tools-sles15sp6-genprotimg-makefile.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=219
2024-08-20 10:44:18 +02:00
We strongly recommend that you get your z/OS support teams involved before installing this package.
The zdsfs command is a new feature provided by IBM with the s390-tools package in SLES12. The zdsfs command allows Linux systems to mount z/OS DASD volumes as a Linux file system. The zdsfs file system translates the z/OS data sets into Linux semantics.
Through the zdsfs file system, applications on Linux can read z/OS physical sequential data sets (PS) and partitioned data sets (PDS) on the DASD. If implemented improperly, or without the knowledge and cooperation of the systems programmers and information security professionals responsible for the z/OS system, the zdsfs command represents a potentially very serious security and data integrity exposure.
There are a number of factors to consider if you choose to install this package. A necessarily incomplete list of these would be:
- Through the zdsfs file system, whole DASD volumes are accessible to Linux
- This access is not controlled or detectable by any z/OS security or auditing mechanisms.
- This access is not controlled by any z/OS "locking" facility such as provided by ENQ, GRS, etc.
- To avoid data inconsistencies, ensure the DASD volumes are offline to z/OS before you mount them in Linux.
- To minimize security problems, you should dedicate the z/OS DASD volumes for the sole purpose of providing data to Linux.
- To share z/OS data with Linux, copy it to a dataset on that separate volume.
- Because the datasets will be accessed outside of z/OS, they will appear to have never been read after creation.
- You should ensure the datasets that Linux is to access are on a separate volume that is not used for automatic dataset allocation and that is not under System Managed Storage (SMS) control. This prevents dataset migration since they will appear to never be used (except when you update them), and it avoids unaudited access to datasets that are not intended for access by the Linux server.
- When running Linux native in an LPAR, ensure that the LPAR has access only to the specific z/OS volumes that contain the data to be accessed by Linux.
- By default, only the Linux user who mounts the zdsfs file system has access to it.
By confirming this caution, you are acknowledging that you are aware there are potential data security and integrity exposures involved in the use of this package, and that you want to install it anyway.