|
To perform authorization checking for z/OS UNIX files and
directories, RACF® makes the
following checks. RACF stops
processing when the request is granted or denied.
Notes®: - The effective UID and effective GID of the process is used in
determining access decisions. The only exception is that when CREDFUNCTION is AFC_ACCESS,
the real UID and real GID are used. In other words, if file access
is being tested, rather than requested, the real UID and GID are used
instead of the effective UID and GID. The real and effective IDs are
generally the same for a process, but if a set-uid or set-gid program
is executed, they can be different.
- If the requesting user is represented by an unauthenticated client
ACEE, then Steps 2–28 are performed first for the client,
and then, if successful, for the server. Both client and server must
have access to the file in order for the request to succeed.
- The SAF callable services router exit (IRRSXT00) can
grant or deny access before RACF authorization
processing occurs.
- If the system (kernel) is the caller, then access is
failed if either of the following conditions occurs:
- The request includes execute authority for a file and execute
authority cannot be granted. In this condition, none of the permissions
bits grant execute access, and, if an ACL is present and the FSSEC
class is active, no ACL entry grants execute access.
- Security label authorization checking fails. In this condition,
the SECLABEL class is active, the object being accessed is a directory,
the directory's SECLABEL is not SYSMULTI, and the CRED contains a
SECLABEL.
Otherwise, access is granted.
- RACF checks
for a profile in the FSACCESS class that covers the file system name
when all of the following conditions are met:
- The user does not have the AUDITOR attribute.
- A file system name was specified in the CRED.
- The FSACCESS class is active and RACLISTed.
If a matching profile is found and the user does not have at
least UPDATE authority, access is denied. Otherwise, access checking
continues.
- If the SECLABEL class is not active, then go to Step 15.
- If the user has the TRUSTED or PRIVILEGED attribute,
then access is granted automatically unless the user is executing
a file. If the user is executing a file, access is denied only if
none of the permissions bits grant execute access, and, if an ACL
is present and the FSSEC class is active, no ACL entry grants execute
access. Otherwise, access is granted.
- If the user has the RACF AUDITOR
attribute, and has read or search access for a directory is requested,
access is granted.
- If SETROPTS MLFSOBJ is active and the file does not
have a security label, the request is failed.
- If SETROPTS MLS is active (either in WARNING or FAILURES
mode) and all of the following conditions occur, the request is failed.
- The user has a security label.
- The file has no security label.
- The user explicitly requested write access but is not in writedown
mode.
Note: The SETROPTS MLS(WARNING) option is not supported
for UNIX files and directories,
and it is treated the same as MLS(FAILURES).
- If the file has a security label but the user does
not, then the request is failed.
- If the user's security label is equivalent to the security
label of the file (this condition is also satisfied if either security
label is SYSMULTI), then continue at Step 16.
- If ANY access is requested, then two security label
dominance checks (RACROUTE REQUEST=DIRAUTH) are performed: one for
READ and one for WRITE. If either succeeds, then continue at Step 16. Otherwise, the request is failed.
- If the user is requesting write access along with read
or search/execute access, then a READWRITE dominance check is performed.
If it succeeds, then continue at Step 16.
Otherwise, the request is failed.
- If the user is requesting only read or search/execute
access, then a READ dominance check is performed. If it succeeds,
then continue at Step 16. Otherwise,
the request is failed.
- If the user is requesting only write access, then a
WRITE dominance check is performed. If it succeeds, then continue
at Step 16. Otherwise, the request
is failed.
- If the user has the RACF AUDITOR
attribute, and read or search access for a directory is requested,
access is granted.
- If the user has UID(0), then access is granted automatically
unless the user is executing a file. If the user is executing a file,
access is denied only if none of the permissions bits grant execute
access, and, if an ACL is present and the FSSEC class is active, no
ACL entry grants execute access. Otherwise, access is granted.
- If the UID matches the file owner UID, the file's "owner"
permission bits are checked. If the "owner" bits allow the requested
access, then access is granted. Otherwise, go to Step 27.
- If the FSSEC class is active, and an ACL exists, and
there is an ACL entry for the requesting UID, then the permission
bits of that ACL entry are checked. If the ACL entry allows the requested
access, then access is granted. Otherwise, go to Step 26.
- If the GID matches the file owner GID, the file's "group"
permission bits are checked. If the "group" bits allow the requested
access, then access is granted.
- If the FSSEC class is active, and an ACL exists, and
there is an ACL entry for the requesting GID, then the permission
bits of that ACL entry are checked. If the ACL entry allows the requested
access, then access is granted. If not, then the next ACL entry is
checked until there are no more entries.
- If any of the user's supplemental GIDs match the file
owner GID, the file's "group" permission bits are checked. If the
"group" bits allow the requested access, then access is granted.
- If the FSSEC class is active, and an ACL exists, and
there is an ACL entry for any of the user's supplemental GIDs, then
the permission bits of that ACL entry are checked. If the ACL entry
allows the requested access, then access is granted. If not, then
the next ACL entry is checked until there are no more entries.
- If at least one matching ACL entry was found for the
GID, or any of the supplemental GIDs, then processing continues with
Step 26. If the GID, or any of the
supplemental GIDs, matched the file owner GID, then processing continues
with Step 27. Otherwise (neither
the GID nor any of the supplemental GIDs matched either the file owner
GID or an ACL entry), processing continues with the next step.
- If the requesting user has the RESTRICTED attribute,
and the UNIXPRIV class is active and RACLISTed, and the RESTRICTED.FILESYS.ACCESS
resource is protected by a profile in the UNIXPRIV class, and the
user does not have at least READ access, then go to Step 27.
- The file's "other" permission bits are checked. If
the "other" bits allow the requested access, then access is granted.
Otherwise, go to Step 27.
- If the UNIXPRIV class is active and RACLISTed, and
if the SUPERUSER.FILESYS.ACLOVERRIDE resource is protected by a profile
in the UNIXPRIV class, then the user must have the correct access
level as documented for the ck_access (IRRSKA00)
callable service in z/OS Security Server RACF Callable Services.
If the profile exists, it determines whether file access is granted
or denied.
- If the UNIXPRIV class is active and RACLISTed, and
if the SUPERUSER.FILESYS resource is protected by a profile in the
UNIXPRIV class, then the user must have the correct access level as
documented for the ck_access (IRRSKA00) callable
service in z/OS Security Server RACF Callable Services.
If the profile exists, it determines whether file access is granted
or denied.
- Access is denied.
- The SAF callable services router exit (IRRSXT00) can
grant or deny access after RACF authorization
processing occurs.
|