Restricting execute access in a zFS or TFS file system

You can prevent users from executing any file in a z/OS® File System (zFS) file system or Temporary File System (TFS) by defining a general resource profile in the FSEXEC class. This enables you to use RACF® commands to restrict z/OS UNIX access to the specified file system for most users while allowing selected users and groups to remain eligible for execute access. This method supports an improved audit posture by enabling the RACF administrator to demonstrate a single point of control for restricting execute access to one or more file systems that might contain authorized code, or code of unknown origin.

When a file system is protected by an FSEXEC profile with UACC(NONE), only users and groups with UPDATE access authority or higher are eligible for execute file access. Eligible users are then subject to the usual authorization checking, which includes checking for superuser authority, ownership, permission bits, access control lists (ACLs), and UNIXPRIV authorities.

Note: FSEXEC restriction does not apply to file systems mounted with the '-s nosecurity' option.

When a file system is protected by an FSEXEC profile and a user has insufficient access authority to it, RACF denies file execution access regardless of other user authorizations. Superuser, auditor, or read-only auditor privilege does not override FSEXEC denial of access.