Using UNIXPRIV class profiles
You can define profiles in the UNIXPRIV class to grant RACF® authorization for certain z/OS UNIX privileges. By defining profiles in the UNIXPRIV class, you can grant individual superuser privileges with a high degree of granularity to users who do not have superuser authority. This way, you can minimize the number of assignments of superuser authority at your installation and reduce your security risk.
Resource names in the UNIXPRIV class are associated with z/OS UNIX privileges. To use RACF authorization to grant z/OS UNIX privileges, you must define profiles in the UNIXPRIV class that protect these resources. The UNIXPRIV class must be active, and SETROPTS RACLIST must be in effect for the UNIXPRIV class. Global access checking is not used for authorization checking of UNIXPRIV resources.
Resource name | z/OS UNIX privilege and required minimum access |
---|---|
CHOWN.UNRESTRICTED | Allows users to use the chown command to transfer ownership of their own files. No minimum access is required. |
FILE.GROUPOWNER.SETGID | Specifies that a directory's set-gid bit is used to determine the group owner of any new objects that are created within the directory. No minimum access is required. |
RESTRICTED.FILESYS.ACCESS | Specifies that RESTRICTED users cannot gain file access by virtue of the other permission bits. To override it for a specific user or group, the minimum required access is READ. |
SHARED.IDS | Allows users to assign UID and GID values that are not unique. The minimum required access is READ. |
SUPERUSER.FILESYS.ACLOVERRIDE | Specifies that ACL contents override the access that was granted by SUPERUSER.FILESYS. No minimum access is required. It can be overridden for specific users or groups; the user or group must have the same access that would be required to SUPERUSER.FILESYS while accessing the file. |
SUPERUSER.FILESYS | To allow the user to read any local file, and to read or search any local directory, the minimum required access is READ. To allow the user to write to any local file (which includes the privileges of READ access), the minimum required access is UPDATE. To allow the user to write to any local directory (which includes the privileges of UPDATE access), the minimum required access is CONTROL or higher. Authorization to the SUPERUSER.FILESYS resource provides privileges to access only local files; no authorization to access Network File System (NFS) files is provided by access to this resource. READ, UPDATE, and CONTROL (or higher) do not grant permission to update extended attributes of files. This is not equivalent to being a superuser. |
SUPERUSER.FILESYS.CHANGEPERMS | Allows users to use the chmod command to change the permission bits of any file and to use the setfacl command to manage access control lists for any file. The minimum required access is READ. |
SUPERUSER.FILESYS.CHOWN | Allows users to use the chown command to change ownership of any file. The minimum required access is READ. |
SUPERUSER.FILESYS.DIRSRCH | Allows users to read and search any local directories. The minimum required access is READ. |
SUPERUSER.FILESYS.MOUNT | |
SUPERUSER.FILESYS.QUIESCE | To allow the user to issue quiesce and unquiesce commands for a file system that is mounted with the nosetuid option, the minimum required access is READ. To allow the user to issue quiesce and unquiesce commands for a file system that is mounted with the setuid option, the minimum required access is UPDATE. |
SUPERUSER.FILESYS.PFSCTL | Allows a user to use the pfsctl() callable service. The minimum required access is READ. |
SUPERUSER.FILESYS.USERMOUNT | |
SUPERUSER.FILESYS.VREGISTER | Allows a server to use the vreg() callable service to register as a VFS file server. The minimum required access is READ. The SUPERUSER.FILESYS.VREGISTER resource only allows a server, such as NFS, to initialize. Users who are connected as clients through facilities such as NFS do not get special privileges based on this resource or other resources in the UNIXPRIV class. |
SUPERUSER.IPC.RMID | Allows a user to issue the ipcrm command to release any IPC resources. The minimum required access is READ. |
SUPERUSER.PROCESS.GETPSENT | Allows a user to use the w_getpsent() callable service to receive data for any process. Also allows users of the ps command to output information about all processes, which is the default behavior of ps on most UNIX platforms. The minimum required access is READ. |
SUPERUSER.PROCESS.KILL | Allows a user to use the kill() callable service to send signals to any process. The minimum required access is READ. |
SUPERUSER.PROCESS.PTRACE | Allows a user to use the ptrace() callable service through the dbx debugger to trace any process. The minimum required access is READ. Authorization to the BPX.DEBUG resource is also required to trace processes that run with APF authority or BPX.SERVER authority. |
SUPERUSER.SETPRIORITY | Allows a user to increase their own priority. The minimum required access is READ. |
SUPERUSER.SHMMCV.LIMIT | Allows the user to create up to 4,194,304 mutexes or condition variables to be associated with a single shared memory segment. The overall system total of mutexes and condition variables for authorized users must be less than 134,217,729. When authorized applications create the maximum number of mutexes and condition variables, the system requires more auxiliary storage to be available. System dumps that include the OMVS address space also require larger dump data sets to contain the increased size of that address space. It is unlikely that applications will create the maximum number of structures allowed. If the maximum number is created, the increase in auxiliary storage and dump data set size is roughly 350 gigabytes. The minimum required access is READ. |
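The following REXX exec is an added example, not part of the original documentation, showing how the procedure above is carried out with RACF commands: profiles are defined with UACC(NONE), access is granted per user or group at the level that maps to the privilege wanted, and the class is activated and RACLISTed. The user IDs BKUPOPR and STGADMIN and the group SYSPROGS are constructed placeholders.

```rexx
/* REXX: grant granular z/OS UNIX privileges through UNIXPRIV profiles */
/* Added example. BKUPOPR, STGADMIN and SYSPROGS are placeholder IDs.  */
/* Run from a user ID with the authority to administer UNIXPRIV.       */
ADDRESS TSO

/* 1. Define the profiles with UACC(NONE) so that no privilege is      */
/*    granted by default; access is then given explicitly by PERMIT.   */
"RDEFINE UNIXPRIV SUPERUSER.FILESYS UACC(NONE)"
"RDEFINE UNIXPRIV SUPERUSER.FILESYS.DIRSRCH UACC(NONE)"
"RDEFINE UNIXPRIV SHARED.IDS UACC(NONE)"

/* 2. The access level selects the privilege (see the table above):   */
/*    READ    = read any local file, read or search any local dir     */
/*    UPDATE  = READ plus write to any local file                      */
/*    CONTROL = UPDATE plus write to any local directory               */
/*    A backup operator only needs to read files, so READ suffices.    */
"PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(BKUPOPR) ACCESS(READ)"
/* Storage administrators must create entries in any directory.        */
"PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(STGADMIN) ACCESS(CONTROL)"

/* Directory search without file read: the narrower DIRSRCH resource   */
/* is preferable to SUPERUSER.FILESYS when that is all that is needed. */
"PERMIT SUPERUSER.FILESYS.DIRSRCH CLASS(UNIXPRIV) ID(SYSPROGS) ACCESS(READ)"

/* 3. UNIXPRIV checks only take effect when the class is active and    */
/*    RACLISTed; the in-storage profiles must be refreshed after every */
/*    change, or the new PERMITs are not seen.                         */
"SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)"
"SETROPTS RACLIST(UNIXPRIV) REFRESH"

/* 4. Verify the resulting access list for the profile.                */
"RLIST UNIXPRIV SUPERUSER.FILESYS AUTHUSER"
```

Review the RLIST output to confirm that only the intended IDs appear and that no ID holds a higher level than its role requires, since CONTROL on SUPERUSER.FILESYS allows writing into any local directory.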