z/OS UNIX System Services Planning
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Nonprivileged mount and unmount authority

z/OS UNIX System Services Planning
GA32-0884-00

Nonprivileged users must meet certain requirements before they can mount z/OS® UNIX file systems. They must have the following access permissions:
  • Read access to SUPERUSER.FILESYS.USERMOUNT profile. The SUPERUSER.FILESYS.USERMOUNT resource name in the UNIXPRIV class allows nonprivileged users to mount and unmount file systems with the nosetuid option.
  • Read-write-execute (rwx) access to the directory that the file system will be mounted on.
  • Read-write-execute (rwx) access to the file system root.

    If the file system being mounted is an NFS client file system or if the mount point directory is in an NFS client file system, the access check is sent to the NFS server and the user must be permitted to the directory by that server. For a z/OS NFS server, this means that the user might have to be in the server's export list or the user might have to do an MVSLOGIN.

    If the file system being mounted is an NFS remote file system, or if the mount point directory is in an NFS remote file system, the access check is sent to the server for processing. In order for the access check to succeed, the user must have already been permitted to the root or mount point directory, respectively, at that remote server. For a z/OS NFS server, this is controlled by the server's site security attribute. The user may have to be listed in the server's export data set, or may have to issue an mvslogin command to log in to the remote z/OS NFS server, before issuing the mount command.

In addition, the directory that the file system is to be mounted on must be an empty directory. If it has the sticky bit on, the user must be the owner of that directory. If the mount point directory is in a remote type file system (for example, NFS), then the owner UID of the mount point directory must match the UID of the user. If the file system root has the sticky bit on, the user must be the owner of the root. For remote type file systems (for example, NFS), the owner UID of the file system root must match the UID of the user.

To unmount file systems, the nonprivileged user must have read access to SUPERUSER.FILESYS.USERMOUNT profile. The file to be unmounted must have been mounted by that nonprivileged user. The nonprivileged user must also still have access to the file system root and if the sticky bit is on, must still be the owner.

When a nonprivileged user mount fails, message BPXF084I is issued to the hardcopy log.

Use the MAXUSERMOUNTSYS and MAXUSERMOUNTUSER statements in the BPXPRMxx parmlib member to specify mount limits for nonprivileged users.
  • MAXUSERMOUNTSYS is the maximum number of nonprivileged user mounts for the system or for the shared file system configuration.
  • MAXUSERMOUNTUSER is the maximum number of nonprivileged user mounts for each nonprivileged user in the system or in the shared file system configuration.

The most recent specification is used for each system that is participating in a shared file system configuration. To set these values, you must specify them in the BPXPRMxx parmlib member. You can use the SETOMVS or SET OMVS command later to dynamically increase or decrease each of them. However, dynamically changing the values does not affect currently mounted file systems. If you want to use nonprivileged user mounts, you must ensure that MAXUSERMOUNTSYS and MAXUSERMOUNTUSER are both nonzero.

If a value for MAXUSERMOUNTSYS or MAXUSERMOUNTUSER is not specified in BPXPRMxx, the system uses the default value for them. For a single system, the default value is 0. For the first IPLed system in the shared file system configuration, the default value is 0. For a subsequently IPLed system in the shared file system configuration, the default value is what other systems have at the time when the subsequent system is being IPLed.

Restrictions: A list of restrictions is provided:
  1. The file system type must be HFS, ZFS, or NFS.
  2. The SYSNAME option, which specifies the name of the system to be mounted on, is not supported.
  3. The use of /// as a placeholder in the file system name is not supported.
  4. Nonprivileged users cannot use the /usr/sbin/chmount function.
  5. Nonprivileged users cannot use the remount function.
  6. Nonprivileged user mount is a nosetuid mount. The SETUID option is not allowed.
  7. Nonprivileged user mount is a security mount. The NOSECURITY option is not allowed.
  8. The mount operation fails if either MAXUSERMOUNTSYS or MAXUSERMOUNTUSER is exceeded.
  9. The BPX1MNT callable service is not supported for the user mount.
  10. Mounting on a non-empty mount point is not allowed regardless of the NONEMPTYMOUNTPT settings
  11. Errors from the security restriction are not recorded in the mount failure database. Use unique return codes and reason codes to identify the problem along with the audit failures.
  12. The automount facility must be running in order to mount HSM-migrated file systems.
Parent topic: Mounting file systems

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014