Determine whether you define CHOWN.UNRESTRICTED in the UNIXPRIV class.

Description:

As of z/OS V2R1, z/OS UNIX imposes a new restriction on certain sensitive types of executable files, namely, that the files be owned by UID(0). Generally, this is acceptable because the ability to change a file's owner is restricted to privileged users (those with UID 0 or with READ access to SUPERUSER.FILESYS.CHOWN in the UNIXPRIV class). However, the POSIX standard allows a user to change ownership of any file to another user or group.

RACF supports the POSIX standard with the CHOWN.UNRESTRICTED profile in the UNIXPRIV class. If the profile exists, the alternate POSIX implementation applies, and any user can transfer ownership of files to other users or groups.

This change requires at least UPDATE access to CHOWN.UNRESTRICTED in order to give a file that you own to UID(0). To give your file to a user with a UID other than 0, or to a group to which you are not connected, requires READ access.

Currently, CHOWN.UNRESTRICTED most likely has a universal access (UACC) of NONE. Some documented examples of creating this profile specify UACC(NONE) explicitly. Others do not, but the default UACC is NONE.

Although highly unusual, a client might have defined the profile with any UACC and might permit any number of users and groups with any access level. Thus, the most likely result of this change is a complete reversal of the recommended behavior of the profile, in that nobody will have the authority to change the owner of their files. On an individual basis, clients can permit specific users or groups to this profile in order to grant the original capability. Alternatively, they can simply change its UACC to READ, but IBM does NOT recommend this action.

Steps to take: Follow these steps:
If you have users with a genuine need to change file owners, they can request that a privileged user do this for them. If you trust a user enough to preserve their ability to perform this action, you can permit such a user, or group of users, to CHOWN.UNRESTRICTED in order to restore the ability they previously had. Before doing so, verify that the profile does not currently allow any inadvertent access by making sure the UACC value is NONE and that there are no entries on the access list. To do that, issue the following commands:
PERMIT CHOWN.UNRESTRICTED CLASS(UNIXPRIV) RESET
RALTER UNIXPRIV CHOWN.UNRESTRICTED UACC(NONE)
SETROPTS RACLIST(UNIXPRIV) REFRESH
You can now permit users and groups as appropriate for your installation. Note that CHOWN.UNRESTRICTED must currently exist as a discrete profile. With the change from a switch profile to an authorization profile, the requirement for it to be discrete will continue to be enforced, so that inadvertent access is not granted through an existing generic profile.
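The following RACF commands, added here as an example and not part of the original IBM text, show how to verify the profile after the reset and then grant the two access levels described above to specific IDs. The group FSADMIN and the user OPSADM are placeholder names; the /* */ lines are annotations for the reader, not part of the commands.

```tso
/* Display the profile's UACC and its standard and conditional access lists.
   Check that UNIVERSAL ACCESS is NONE and that no user or group is listed. */
RLIST UNIXPRIV CHOWN.UNRESTRICTED AUTHUSER

/* READ lets members of the placeholder group FSADMIN give their own files
   to a UID other than 0, or to a group they are not connected to. */
PERMIT CHOWN.UNRESTRICTED CLASS(UNIXPRIV) ID(FSADMIN) ACCESS(READ)

/* UPDATE is required to give a file you own to UID(0); grant it only to
   the few IDs that genuinely need it (placeholder user OPSADM). */
PERMIT CHOWN.UNRESTRICTED CLASS(UNIXPRIV) ID(OPSADM) ACCESS(UPDATE)

/* The UNIXPRIV class is RACLISTed, so the new entries take effect only
   after a refresh. */
SETROPTS RACLIST(UNIXPRIV) REFRESH

/* Re-display the profile to confirm the resulting access list. */
RLIST UNIXPRIV CHOWN.UNRESTRICTED AUTHUSER
```

Because the profile must remain discrete, do not rely on a generic UNIXPRIV profile to cover it; the RLIST output should name CHOWN.UNRESTRICTED itself.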
Reference information: See the following information: