Perform the following steps to prevent users from using their SUPERUSER.FILESYS
authority to access file system resources they are specifically unauthorized
to access through the ACL:
- Define a resource called SUPERUSER.FILESYS.ACLOVERRIDE
in the UNIXPRIV class with UACC(NONE). To prevent all users from overriding
the ACL in this way, do not permit any users or groups to the resource.
Example:
RDEFINE UNIXPRIV SUPERUSER.FILESYS.ACLOVERRIDE UACC(NONE)
______________________________________________________________________
- If needed, grant exceptions to certain users or groups
to allow them to gain access based on their SUPERUSER.FILESYS authority.
Add those users or groups to the access list with the same level of
access they require for the SUPERUSER.FILESYS resource.
Example:
PERMIT SUPERUSER.FILESYS.ACLOVERRIDE CLASS(UNIXPRIV) ID(PER) ACCESS(READ)
See z/OS UNIX System Services Planning for details about authorizing
users for the SUPERUSER.FILESYS resource.
______________________________________________________________________
- Refresh the UNIXPRIV class to activate changes from Steps 1 and 2.
Example:
SETROPTS RACLIST(UNIXPRIV) REFRESH
______________________________________________________________________
SUPERUSER.FILESYS.ACLOVERRIDE is checked only when a user's access
was denied by a matching ACL entry based on the user's UID or one
of the user's GIDs. If the user's access was denied by the file's
permission bits, SUPERUSER.FILESYS is checked. See
Authorizing access to z/OS UNIX files and directories for details.
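
The following Python model is an added illustration, not IBM code or part of RACF. It shows which UNIXPRIV resource decides an access that has already been denied, before and after the steps above. It assumes that SUPERUSER.FILESYS is checked when no SUPERUSER.FILESYS.ACLOVERRIDE profile is defined, models user entries only (no groups), and uses OPS1 as a hypothetical user ID alongside the PER ID from the example.

```python
from enum import IntEnum

class Access(IntEnum):          # RACF access levels, lowest to highest
    NONE = 0
    READ = 1
    UPDATE = 2
    CONTROL = 3
    ALTER = 4

FILESYS = "SUPERUSER.FILESYS"
OVERRIDE = "SUPERUSER.FILESYS.ACLOVERRIDE"

class Profile:
    """Simplified UNIXPRIV profile: UACC plus per-user access list entries."""
    def __init__(self, uacc=Access.NONE, permits=None):
        self.uacc = uacc
        self.permits = dict(permits or {})

    def access_for(self, user):
        # Simplification: only user IDs are modelled, not group entries.
        return self.permits.get(user, self.uacc)

def unixpriv_check(unixpriv, user, denied_by, required):
    """Return (resource_checked, granted) for an access that was already denied.

    denied_by is "acl" (matching ACL entry for the UID or a GID) or
    "bits" (the file's permission bits).
    """
    if denied_by not in ("acl", "bits"):
        raise ValueError("denied_by must be 'acl' or 'bits'")
    # Assumption: with no ACLOVERRIDE profile defined, SUPERUSER.FILESYS decides.
    if denied_by == "acl" and OVERRIDE in unixpriv:
        resource = OVERRIDE
    else:
        resource = FILESYS
    profile = unixpriv.get(resource)
    granted = profile is not None and profile.access_for(user) >= required
    return resource, granted

# Constructed sample state. OPS1 is hypothetical; PER is the page's example ID.
BEFORE = {FILESYS: Profile(permits={"PER": Access.READ, "OPS1": Access.READ})}
AFTER = dict(BEFORE)
AFTER[OVERRIDE] = Profile(uacc=Access.NONE, permits={"PER": Access.READ})

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        for user in ("OPS1", "PER"):
            for why in ("acl", "bits"):
                print(label, user, why, unixpriv_check(state, user, why, Access.READ))
```

In the model, AFTER corresponds to the state once the RDEFINE, PERMIT and SETROPTS REFRESH commands have taken effect.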