Using UNIXPRIV class profiles
You can define profiles in the UNIXPRIV class to grant RACF® authorization for certain z/OS UNIX privileges. By defining profiles in the UNIXPRIV class, you can grant specific superuser privileges with a high degree of granularity to users who do not have superuser authority. This way, you can minimize the number of superuser authority assignments at your installation and reduce your security risk.
Resource names in the UNIXPRIV class are associated with z/OS UNIX privileges. You must define profiles in the UNIXPRIV class protecting these resources in order to use RACF authorization to grant z/OS UNIX privileges. The UNIXPRIV class must be active and SETROPTS RACLIST must be in effect for the UNIXPRIV class. Global access checking is not used for authorization checking to UNIXPRIV resources.
| Resource name | z/OS UNIX privilege and required minimum access |
|---|---|
| CHOWN.UNRESTRICTED | Allows users to use the chown command to transfer ownership of their own files. No minimum access is required. |
| CONTAINERS | Allows the user to perform container-related functions. Functions include: |
| RESTRICTED.FILESYS.ACCESS | Specifies that RESTRICTED users cannot gain file access by virtue of the "other" permission bits. To override this for a specific user or group, the minimum required access is READ. |
| SHARED.IDS | Allows users to assign UID and GID values that are not unique. The minimum required access is READ. |
| SUPERUSER.FILESYS.ACLOVERRIDE | Specifies that ACL contents override the access that was granted by SUPERUSER.FILESYS. No minimum access is required. It can be overridden for specific users or groups; the user or group must be given the same access that would be required to SUPERUSER.FILESYS while accessing the file. |
| SUPERUSER.FILESYS | To allow the user to read any local file, and to read or search any local directory, the minimum required access is READ. To allow the user to write to any local file (this includes the privileges of READ access), the minimum required access is UPDATE. To allow the user to write to any local directory (this includes the privileges of UPDATE access), the minimum required access is CONTROL or higher. Authorization to the SUPERUSER.FILESYS resource provides privileges to access only local files; no authorization to access Network File System (NFS) files is provided by access to this resource. READ, UPDATE, and CONTROL (or higher) do not grant permission to update extended attributes of files. This is not equivalent to being a superuser. |
| SUPERUSER.FILESYS.CHANGEPERMS | Allows users to use the chmod command to change the permission bits of any file and to use the setfacl command to manage access control lists for any file. The minimum required access is READ. |
| SUPERUSER.FILESYS.CHOWN | Allows users to use the chown command to change ownership of any file. The minimum required access is READ. |
| SUPERUSER.FILESYS.DIRSRCH | Allows users to read and search any local directory. The minimum required access is READ. |
| SUPERUSER.FILESYS.MOUNT | |
| SUPERUSER.FILESYS.QUIESCE | To allow the user to issue quiesce and unquiesce commands for a file system that is mounted with the nosetuid option, the minimum required access is READ. To allow the user to issue quiesce and unquiesce commands for a file system that is mounted with the setuid option, the minimum required access is UPDATE. |
| SUPERUSER.FILESYS.PFSCTL | For more information about the pfsctl callable service, see pfsctl (BPX1PCT, BPX4PCT) — Physical file system control in z/OS UNIX System Services Programming: Assembler Callable Services Reference. For information about the zFS-specific pfsctl functions, see pfsctl (BPX1PCT) in z/OS File System Administration. For detailed information about the use of pfsctl, see Using pfsctl (BPX1PCT) physical file system for z/OS UNIX in z/OS® DFSMSdfp Advanced Services. |
| SUPERUSER.FILESYS.USERMOUNT | |
| SUPERUSER.FILESYS.VREGISTER | Allows a server to use the vreg() callable service to register as a VFS file server. The minimum required access is READ. The SUPERUSER.FILESYS.VREGISTER resource only allows a server, such as NFS, to initialize. Users who are connected as clients through facilities such as NFS do not get special privileges based on this resource or on other resources in the UNIXPRIV class. |
| SUPERUSER.IPC.RMID | Allows the user to issue the ipcrm command to release any IPC resources. The minimum required access is READ. |
| SUPERUSER.PROCESS.GETPSENT | Allows the user to use the w_getpsent() callable service to receive data for any process. Also allows users of the ps command to output information about all processes; this is the default behavior of ps on most UNIX platforms. The minimum required access is READ. |
| SUPERUSER.PROCESS.KILL | Allows the user to use the kill() callable service to send signals to any process. The minimum required access is READ. |
| SUPERUSER.PROCESS.PTRACE | Allows the user to use the ptrace() callable service through the dbx debugger to trace any process. The minimum required access is READ. Authorization to the BPX.DEBUG resource is also required to trace processes that run with APF authority or BPX.SERVER authority. |
| SUPERUSER.SETPRIORITY | Allows the user to increase their own priority. The minimum required access is READ. |
| SUPERUSER.SHMMCV.LIMIT | Allows the user to create up to 4,194,304 mutexes or condition variables to be associated with a single shared memory segment. The overall system total of mutexes and condition variables for authorized users must be less than 134,217,729. When authorized applications create the maximum number of mutexes and condition variables, the system requires more auxiliary storage to be available. System dumps that include the OMVS address space also require larger dump data sets to contain the increased size of that address space. It is unlikely that applications will create the maximum number of structures allowed; if the maximum number is created, the increase in auxiliary storage and dump data set size is roughly 350 gigabytes. The minimum required access is READ. |
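As an added example that is not part of the IBM documentation above, the following batch TSO job carries out the steps the text describes for two of the listed resources: it activates the UNIXPRIV class with SETROPTS RACLIST, defines profiles with no universal access, permits a group READ access to SUPERUSER.FILESYS.DIRSRCH, defines RESTRICTED.FILESYS.ACCESS and overrides it for one user ID with READ, refreshes the in-storage profiles, and lists the result. The job card values, the accounting field ACCT, the group name AUDITGRP and the user ID OPER01 are placeholders chosen for this example.

```jcl
//UNIXPRIV JOB (ACCT),'UNIXPRIV SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not IBM's own sample job. Runs RACF commands under
//* batch TSO (IKJEFT01). Job card, ACCT, AUDITGRP and OPER01 are
//* placeholders for this example.
//*
//* Step 1: UNIXPRIV must be active and RACLISTed before its profiles
//*         are honoured for z/OS UNIX authorization checks.
//* Step 2: Define SUPERUSER.FILESYS.DIRSRCH with UACC(NONE) so nobody
//*         gets it by default, then permit only the audit group READ.
//* Step 3: Define RESTRICTED.FILESYS.ACCESS so RESTRICTED users cannot
//*         rely on the "other" permission bits, and override it for a
//*         single user ID with READ access.
//* Step 4: Refresh the RACLISTed copy so the changes take effect.
//* Step 5: Verify each profile and its access list with RLIST AUTHUSER.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
 RDEFINE UNIXPRIV SUPERUSER.FILESYS.DIRSRCH UACC(NONE)
 PERMIT SUPERUSER.FILESYS.DIRSRCH CLASS(UNIXPRIV) ID(AUDITGRP) ACCESS(READ)
 RDEFINE UNIXPRIV RESTRICTED.FILESYS.ACCESS UACC(NONE)
 PERMIT RESTRICTED.FILESYS.ACCESS CLASS(UNIXPRIV) ID(OPER01) ACCESS(READ)
 SETROPTS RACLIST(UNIXPRIV) REFRESH
 RLIST UNIXPRIV SUPERUSER.FILESYS.DIRSRCH AUTHUSER
 RLIST UNIXPRIV RESTRICTED.FILESYS.ACCESS AUTHUSER
/*
```

Two points worth checking in the SYSTSPRT output: the RLIST AUTHUSER listing should show UNIVERSAL ACCESS as NONE and only the intended entries in the access list, and because global access checking is not used for UNIXPRIV resources, nothing in the global access table can widen what these profiles grant. Until the SETROPTS RACLIST(UNIXPRIV) REFRESH runs, z/OS UNIX continues to use the previously RACLISTed copy of the profiles, so a PERMIT alone does not change effective access.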