Allowing z/OS UNIX users to read or search directories
Sometimes z/OS UNIX administrators
need the ability to read and search all file system directories to
manage file ownerships and permissions. It is not necessary to give
such administrators RACF AUDITOR or ROAUDIT authority to provide this
ability when directory permission bits and access lists do not explicitly
allow access. Instead, you can define a UNIXPRIV profile covering
SUPERUSER.FILESYS.DIRSRCH to control such access. This permission
is complementary to administrator authorities provided by SUPERUSER.FILESYS.CHOWN
and SUPERUSER.FILESYS.CHANGEPERMS.
Note: Use caution when permitting
users to the DIRSRCH profile if you employ the strategy of protecting
files by disallowing user access to the parent directory. Users with
DIRSRCH profile permission can read and search all directories; their
access to the files in those directories is still determined by the defined
file permission bits and access lists.
DIRSRCH profile permission does NOT override FSACCESS file system protection or security label protection.
To allow z/OS UNIX users
to read and search all file system directories, regardless of directory
permission bits or access lists, create a profile in the UNIXPRIV
class protecting a resource that is called SUPERUSER.FILESYS.DIRSRCH.
Then permit users and groups with at least READ access by performing
the following steps.
- Define a profile in the UNIXPRIV class. Example:
  RDEFINE UNIXPRIV SUPERUSER.FILESYS.DIRSRCH UACC(NONE)
- Add the user or group to the access list with at least READ access. Example:
  PERMIT SUPERUSER.FILESYS.DIRSRCH CLASS(UNIXPRIV) ID(USER01 GRPX) ACCESS(READ)
- If the UNIXPRIV class is not already active, activate and RACLIST it. Example:
  SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
- If the UNIXPRIV class is already active and RACLISTed, refresh it. Example:
  SETROPTS RACLIST(UNIXPRIV) REFRESH
You have now given directory read and search permission to the specified users and groups.
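Because DIRSRCH grants read and search access to every directory, it is worth periodically checking who holds it, for example by saving the output of RLIST UNIXPRIV SUPERUSER.FILESYS.DIRSRCH AUTHUSER and scanning the access list. The script below is an added example, not part of this page or of RACF; the RLIST column layout it parses is a constructed approximation and the sample output is made up.

```python
# Constructed sample of RLIST UNIXPRIV SUPERUSER.FILESYS.DIRSRCH AUTHUSER output;
# the column layout is an assumption, not captured from a real system.
SAMPLE_RLIST = """\
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYSADM          NONE              NONE     NO

   USER      ACCESS   ACCESS COUNT
   ----      ------   ------ -----
   USER01    READ         000000
   GRPX      READ         000000
   HELPDESK  NONE         000000
   OPS01     UPDATE       000000
"""

# RACF access levels in ascending order; READ is all DIRSRCH needs.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


def parse_rlist(text):
    """Return (uacc, {id: access}) from the saved RLIST output."""
    lines = text.splitlines()
    uacc, acl, i = None, {}, 0
    while i < len(lines):
        fields = lines[i].split()
        if fields[:1] == ["LEVEL"]:
            uacc = lines[i + 2].split()[2]  # data row follows the dashed underline
            i += 3
        elif fields[:2] == ["USER", "ACCESS"]:
            i += 2  # skip the header and its underline
            while i < len(lines) and lines[i].strip():
                entry = lines[i].split()
                acl[entry[0]] = entry[1]
                i += 1
        else:
            i += 1
    return uacc, acl


def dirsrch_holders(text):
    """IDs granted DIRSRCH (access >= READ) and whether UACC alone grants it."""
    uacc, acl = parse_rlist(text)
    need = ACCESS_RANK["READ"]
    holders = sorted(i for i, a in acl.items() if ACCESS_RANK.get(a, 0) >= need)
    return holders, ACCESS_RANK.get(uacc, 0) >= need


if __name__ == "__main__":
    holders, open_uacc = dirsrch_holders(SAMPLE_RLIST)
    print("DIRSRCH holders:", holders, "| UACC grants DIRSRCH to all:", open_uacc)
```

A UACC other than NONE on this profile would give every user DIRSRCH, so the second returned value is the finding to act on first.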