There are several ways to restrict user and group access to z/OS® UNIX file
systems.
- A z/OS UNIX administrator
can control access to file systems at their mount points by using
the setfacl command to create, modify, and delete
ACLs for specific users and groups.
- At a higher level, the security administrator can
choose to restrict access to the z/OS UNIX file system
for all authorization checks that involve mount point traversal. The
check is performed at every mount point crossover to see if the user
or group has authority to access the file system. Only those who have
been given permission to covering RACF® resource
profiles are eligible for access. Access to objects within the file
systems are subject to the superuser, owner, permission bit, ACL,
and UNIXPRIV rules. Users designated as RACF auditors
are exempt from this restriction. This check, which is optional, uses
the RACF FSACCESS class profile
to validate the authority of users or groups who are accessing the z/OS UNIX file system,
as described in Using the FSACCESS class profile to restrict access.
Restrictions: These restrictions apply:
- This additional access check using the FSACCESS class profile
is only supported on zFS file systems
- For z/OS UNIX,
zFS file systems that are mounted with the NOSECURITY option are
not subject to this access control check.
- The root file system is excluded from this access restriction.
- A given zFs file system can be protected from the whole NFS network
by not permitting the NFS Server's MVS™ UserID
to the FSACCESS class profile for that specific zFS file system. Note
that when the NFS Server is configured with Security(SAF) or Security(SAFEXP),
the NFS Client remote MVS UserID
might also need to be permitted to the FSACCESS class profile to avoid
unexpected failures.