z/OS UNIX System Services Planning


Using UNIXPRIV class profiles

z/OS UNIX System Services Planning
GA32-0884-00

You can define profiles in the UNIXPRIV class to grant RACF® authorization for certain z/OS UNIX privileges. By defining profiles in the UNIXPRIV class, you can specifically grant certain superuser privileges with a high degree of granularity to users who do not have superuser authority. This allows you to minimize the number of assignments of superuser authority at your installation and reduces your security risk.

Resource names in the UNIXPRIV class are associated with z/OS UNIX privileges. You must define profiles in the UNIXPRIV class protecting these resources in order to use RACF authorization to grant z/OS UNIX privileges. The UNIXPRIV class must be active and SETROPTS RACLIST must be in effect for the UNIXPRIV class. Global access checking is not used for authorization checking to UNIXPRIV resources.
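As an added example (not from this IBM publication), the RACF commands that carry out the setup just described, submitted in batch through the TSO/E terminal monitor program IKJEFT01: activate and RACLIST the UNIXPRIV class, define SUPERUSER.FILESYS.MOUNT with no universal access, permit a group at READ (the nosetuid level in Table 1) instead of assigning its members a superuser UID, refresh the RACLISTed class so the change takes effect, and list the result. The job card and the group name MNTGRP are assumptions.

```jcl
//UNIXPRIV JOB (ACCT),'UNIXPRIV SETUP',CLASS=A,MSGCLASS=X
//*
//* Grant mount/unmount of nosetuid file systems through a UNIXPRIV
//* profile instead of giving users UID 0.  Group MNTGRP is assumed.
//*
//* SETROPTS CLASSACT/RACLIST: UNIXPRIV must be active and RACLISTed
//*   before its profiles are honored.
//* RDEFINE UACC(NONE): nobody holds the privilege by default; global
//*   access checking is not consulted for UNIXPRIV, so the profile
//*   alone decides.  AUDIT(ALL(READ)) logs successful use as well as
//*   failures, so each privileged mount leaves an SMF audit record.
//* PERMIT ACCESS(READ): nosetuid mounts only; UPDATE would also
//*   allow setuid mounts.
//* SETROPTS RACLIST REFRESH: changes to a RACLISTed class are not
//*   seen until the in-storage profiles are refreshed.
//* RLIST ... AUTHUSER: show the profile and its access list to verify.
//*
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
  RDEFINE UNIXPRIV SUPERUSER.FILESYS.MOUNT UACC(NONE) AUDIT(ALL(READ))
  PERMIT SUPERUSER.FILESYS.MOUNT CLASS(UNIXPRIV) ID(MNTGRP) ACCESS(READ)
  SETROPTS RACLIST(UNIXPRIV) REFRESH
  RLIST UNIXPRIV SUPERUSER.FILESYS.MOUNT AUTHUSER
/*
```

The same pattern applies to any other resource in Table 1: define the profile with UACC(NONE), permit only the users or groups that need it at the lowest access level that grants the required privilege, and refresh.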

Table 1 shows each resource name available in the UNIXPRIV class, the z/OS UNIX privilege associated with each resource, and the level of access required to grant the privilege.
Table 1. Resource names in the UNIXPRIV class for z/OS UNIX privileges

| Resource name | z/OS UNIX privilege | Minimum access required |
|---|---|---|
| CHOWN.UNRESTRICTED (note 1) | Allows users to use the chown command to transfer ownership of their own files. | None required |
| FILE.GROUPOWNER.SETGID | Specifies that a directory's set-gid bit is used to determine the group owner of any new objects created within the directory. | None required |
| RESTRICTED.FILESYS.ACCESS | Specifies that RESTRICTED users cannot gain file access by virtue of the 'other' permission bits. | None required |
| RESTRICTED.FILESYS.ACCESS | Can be overridden for a specific user or group. | READ |
| SUPERUSER.FILESYS.ACLOVERRIDE | Specifies that ACL contents override the access that was granted by SUPERUSER.FILESYS. | None required |
| SUPERUSER.FILESYS.ACLOVERRIDE | Can be overridden for specific users or groups. | The user or group must have the same access that would be required to SUPERUSER.FILESYS while accessing the file. See note. |
| SUPERUSER.FILESYS (note 2) | Allows user to read any local file, and to read or search any local directory. | READ |
| SUPERUSER.FILESYS (note 2) | Allows user to write to any local file, and includes privileges of READ access. | UPDATE |
| SUPERUSER.FILESYS (note 2) | Allows user to write to any local directory, and includes privileges of UPDATE access. | CONTROL (or higher) |
| SUPERUSER.FILESYS.CHANGEPERMS | Allows users to use the chmod command to change the permission bits of any file and to use the setfacl command to manage access control lists for any file. | READ |
| SUPERUSER.FILESYS.CHOWN | Allows user to use the chown command to change ownership of any file. | READ |
| SUPERUSER.FILESYS.MOUNT | Allows user to issue the TSO/E MOUNT command or the mount shell command with the nosetuid option. Also allows user to unmount a file system that was mounted with the nosetuid option, using the TSO/E UNMOUNT command or the unmount shell command. Users permitted to this profile can use the chmount shell command to change the mount attributes of a specified file system. | READ |
| SUPERUSER.FILESYS.MOUNT | Allows user to issue the TSO/E MOUNT command or the mount shell command with the setuid option. Also allows user to issue the TSO/E UNMOUNT command or the unmount shell command for a file system mounted with the setuid option. Users permitted to this profile can issue the chmount shell command on a file system that is mounted with the setuid option. | UPDATE |
| SUPERUSER.FILESYS.QUIESCE | Allows user to issue quiesce and unquiesce commands for a file system mounted with the nosetuid option. | READ |
| SUPERUSER.FILESYS.QUIESCE | Allows user to issue quiesce and unquiesce commands for a file system mounted with the setuid option. | UPDATE |
| SUPERUSER.FILESYS.PFSCTL | Allows user to use the pfsctl() callable service. | READ |
| SUPERUSER.FILESYS.USERMOUNT | Allows nonprivileged users to mount and unmount file systems with the nosetuid option. | READ |
| SUPERUSER.FILESYS.VREGISTER (note 3) | Allows a server to use the vreg() callable service to register as a VFS file server. | READ |
| SUPERUSER.IPC.RMID | Allows user to issue the ipcrm command to release IPC resources. | READ |
| SUPERUSER.PROCESS.GETPSENT | Allows user to use the w_getpsent() callable service to receive data for any process. Allows users of the ps command to output information about all processes. This is the default behavior of ps on most UNIX platforms. | READ |
| SUPERUSER.PROCESS.KILL | Allows user to use the kill() callable service to send signals to any process. | READ |
| SUPERUSER.PROCESS.PTRACE (note 4) | Allows user to use the ptrace() callable service through the dbx debugger to trace any process. | READ |
| SUPERUSER.SETPRIORITY | Allows user to increase own priority. | READ |
| SUPERUSER.SHMMCV.LIMITS | Allows the user to create up to 4,194,304 mutexes or condition variables to be associated with a single shared memory segment. The overall system total of mutexes and condition variables for authorized users must be less than 134,217,729. When authorized applications create the maximum number of mutexes and condition variables, the system requires significantly more auxiliary storage to be available. System dumps that include the OMVS address space also require larger dump data sets to contain the increased size of that address space. It is unlikely that applications will create the maximum number of structures allowed. If the maximum number is created, the increase in auxiliary storage and dump data set size is roughly 350 gigabytes. | READ |
Notes:
  1. See Steps for setting up the CHOWN.UNRESTRICTED profile.
  2. Authorization to the SUPERUSER.FILESYS resource provides privileges to access only local files. No authorization to access Network File System (NFS) files is provided by access to this resource.
  3. The SUPERUSER.FILESYS.VREGISTER resource only lets a server such as NFS initialize. Users who are connected as clients through facilities such as NFS do not get special privileges based on this resource or other resources in the UNIXPRIV class.
  4. Authorization to the BPX.DEBUG resource is also required to trace processes that run with APF authority or BPX.SERVER authority.

Tip: If you are debugging a daemon, use the SUPERUSER.PROCESS.GETPSENT, SUPERUSER.PROCESS.KILL, and SUPERUSER.PROCESS.PTRACE privileges.





Copyright IBM Corporation 1990, 2014