| Resource name | z/OS UNIX privilege | Minimum access required |
|---|---|---|
| CHOWN.UNRESTRICTED (note 1) | Allows users to use the chown command to transfer ownership of their own files. | None required |
| FILE.GROUPOWNER.SETGID | Specifies that a directory's set-gid bit is used to determine the group owner of any new objects created within the directory. | None required |
| RESTRICTED.FILESYS.ACCESS | Specifies that RESTRICTED users cannot gain file access by virtue of the 'other' permission bits. | None required |
| | Can be overridden for a specific user/group. | READ |
| SHARED.IDS | Allows users to assign UID and GID values that are not unique. | READ |
| SUPERUSER.FILESYS.ACLOVERRIDE | Specifies that ACL contents override the access that was granted by SUPERUSER.FILESYS. | None required |
| | Can be overridden for specific users or groups. The user or group must have the same access that would be required to SUPERUSER.FILESYS while accessing the file. | See note. |
| SUPERUSER.FILESYS (note 2) | Allows user to read any local file, and to read or search any local directory. | READ |
| | Allows user to write to any local file, and includes privileges of READ access. | UPDATE |
| | Allows user to write to any local directory, and includes privileges of UPDATE access. | CONTROL (or higher) |
| SUPERUSER.FILESYS.CHANGEPERMS | Allows users to use the chmod command to change the permission bits of any file and to use the setfacl command to manage access control lists for any file. | READ |
| SUPERUSER.FILESYS.CHOWN | Allows user to use the chown command to change ownership of any file. | READ |
| SUPERUSER.FILESYS.MOUNT | Allows user to issue the TSO/E MOUNT command or the mount shell command with the nosetuid option. Also allows users to unmount a file system with the TSO/E UNMOUNT command or the unmount shell command mounted with the nosetuid option. Users permitted to this profile can use the chmount shell command to change the mount attributes of a specified file system. | READ |
| | Allows user to issue the TSO/E MOUNT command or the mount shell command with the setuid option. Also allows user to issue the TSO/E UNMOUNT command or the unmount shell command with the setuid option. Users permitted to this profile can issue the chmount shell command on a file system that is mounted with the setuid option. | UPDATE |
| SUPERUSER.FILESYS.QUIESCE | Allows user to issue quiesce and unquiesce commands for a file system mounted with the nosetuid option. | READ |
| | Allows user to issue quiesce and unquiesce commands for a file system mounted with the setuid option. | UPDATE |
| SUPERUSER.FILESYS.PFSCTL | Allows user to use the pfsctl() callable service. | READ |
| SUPERUSER.FILESYS.USERMOUNT | Allows nonprivileged users to mount and unmount file systems with the nosetuid option. | READ |
| SUPERUSER.FILESYS.VREGISTER (note 3) | Allows a server to use the vreg() callable service to register as a VFS file server. | READ |
| SUPERUSER.IPC.RMID | Allows user to issue the ipcrm command to release IPC resources. | READ |
| SUPERUSER.PROCESS.GETPSENT | Allows user to use the w_getpsent() callable service to receive data for any process. Allows users of the ps command to output information about all processes. This is the default behavior of ps on most UNIX platforms. | READ |
| SUPERUSER.PROCESS.KILL | Allows user to use the kill() callable service to send signals to any process. | READ |
| SUPERUSER.PROCESS.PTRACE (note 4) | Allows user to use the ptrace() callable service through the dbx debugger to trace any process. | READ |
| SUPERUSER.SETPRIORITY | Allows user to increase own priority. | READ |
| SUPERUSER.SHMMCV.LIMITS | Allows the user to create up to 4,194,304 mutexes or condition variables to be associated with a single shared memory segment. The overall system total of mutexes and condition variables for authorized users must be less than 134,217,729. When authorized applications create the maximum number of mutexes and condition variables, the system requires significantly more auxiliary storage to be available. System dumps that include the OMVS address space also require larger dump data sets to contain the increased size of that address space. It is unlikely that applications will create the maximum number of structures allowed. If the maximum number is created, the increase in auxiliary storage and dump data set size is roughly 350 gigabytes. | READ |

Note:

1. See Steps for setting up the CHOWN.UNRESTRICTED profile.
2. Authorization to the SUPERUSER.FILESYS resource provides privileges to access only local files. No authorization to access Network File System (NFS) files is provided by access to this resource.
3. The SUPERUSER.FILESYS.VREGISTER resource only lets a server such as NFS initialize. Users who are connected as clients through facilities such as NFS do not get special privileges based on this resource or other resources in the UNIXPRIV class.
4. Authorization to the BPX.DEBUG resource is also required to trace processes that run with APF authority or BPX.SERVER authority.