Description:
As of z/OS V2R1, z/OS UNIX imposes a new restriction on certain sensitive types of executable files, namely, that the files be owned by UID(0). Generally, this is acceptable because the ability to change a file's owner is restricted to privileged users (those with UID 0 or with READ access to SUPERUSER.FILESYS.CHOWN in the UNIXPRIV class). However, the POSIX standard allows a user to change ownership of any file to another user or group.
RACF supports the POSIX standard with the CHOWN.UNRESTRICTED profile in the UNIXPRIV class. If the profile exists, the alternate POSIX implementation applies, and any user can transfer ownership of files to other users or groups.
This change requires at least UPDATE access to CHOWN.UNRESTRICTED in order to give a file that you own to UID(0). Giving your file to a user with a UID other than 0, or to a group to which you are not connected, requires READ access.
Currently, CHOWN.UNRESTRICTED most likely has a universal access (UACC) of NONE. Some documented examples of creating this profile specify UACC(NONE) explicitly. Others do not, but the default UACC is NONE.
Although highly unusual, a client might have defined the profile with any UACC and might permit any number of users and groups with any access level. Thus, the most likely result of this change is a complete reversal of the recommended behavior of the profile, in that nobody will have the authority to change the owner of their files. On an individual basis, clients can permit specific users or groups to this profile in order to grant the original capability. Alternatively, they can simply change its UACC to READ, but IBM does NOT recommend this action.
Element or feature: Security Server.
When change was introduced: z/OS V2R1. z/OS V1R13 and z/OS V1R12, both with APAR OA41364.
Applies to migration from: z/OS V1R13 and z/OS V1R12, both without APAR OA41364 applied.
Timing: Before the first IPL of z/OS V2R1.
Is the migration action required? No, but recommended for system security.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.
List the profile, including its UACC and access list, to see who currently has access:
RLIST UNIXPRIV CHOWN.UNRESTRICTED ALL
If nobody should be able to transfer ownership of files, delete the profile and refresh the RACLISTed class:
RDELETE UNIXPRIV CHOWN.UNRESTRICTED
SETROPTS RACLIST(UNIXPRIV) REFRESH
Otherwise, remove every entry from the access list, make sure the UACC is NONE, and refresh the class:
PERMIT CHOWN.UNRESTRICTED CLASS(UNIXPRIV) RESET
RALTER UNIXPRIV CHOWN.UNRESTRICTED UACC(NONE)
SETROPTS RACLIST(UNIXPRIV) REFRESH
You can now permit users and groups as appropriate for your installation. Note that CHOWN.UNRESTRICTED must currently exist as a discrete profile. With the change from a switch profile to an authorization profile, the requirement for it to be discrete will continue to be enforced, so that inadvertent access is not granted through an existing generic profile.
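As an added audit example (not part of this IBM migration text), the following Python reads a constructed, simplified RLIST listing of CHOWN.UNRESTRICTED and reports which entries hold the READ and UPDATE levels described above; the listing layout, user names and access levels are assumptions for illustration.

```python
# Ordering of RACF access levels, lowest to highest.
ACCESS_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed, simplified RLIST output for this example (assumed layout;
# real RLIST ... ALL output contains more sections than shown here).
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
UNIXPRIV   CHOWN.UNRESTRICTED

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1            NONE              NONE     NO

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
ADMIN01   UPDATE   000000
DEV01     READ     000000
OPSGRP    ALTER    000000
"""

def at_least(access, threshold):
    """True if 'access' is at or above 'threshold' in the RACF hierarchy."""
    return ACCESS_LEVELS.index(access) >= ACCESS_LEVELS.index(threshold)

def parse_rlist(text):
    """Return (uacc, {user_or_group: access}) from the simplified listing."""
    uacc, acl, in_acl = "NONE", {}, False
    for line in text.splitlines():
        fields = line.split()
        # LEVEL OWNER UNIVERSAL-ACCESS ... row: third column is the UACC.
        if len(fields) >= 5 and fields[0].isdigit() and fields[2] in ACCESS_LEVELS:
            uacc = fields[2]
        elif fields[:2] == ["USER", "ACCESS"]:
            in_acl = True            # start of the standard access list
        elif in_acl and len(fields) == 3 and fields[1] in ACCESS_LEVELS:
            acl[fields[0]] = fields[1]
    return uacc, acl

def audit_chown_unrestricted(text):
    """Apply the page's rule: UPDATE+ can give files to UID(0), READ+ to others."""
    uacc, acl = parse_rlist(text)
    return {
        "uacc_grants_any": at_least(uacc, "READ"),
        "can_give_to_uid0": sorted(n for n, a in acl.items() if at_least(a, "UPDATE")),
        "can_give_to_others": sorted(n for n, a in acl.items() if at_least(a, "READ")),
    }
```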