Per CA documentation on the IBMFAC resource:
• BPX.CAHFS.CHANGE.FILE.MODE - Allows a user to change extended file attributes, such as APF authorization and program control.
We want to restrict IDs to specific MODE functions and attempted to use the following specific permissions instead:
However, we get a security call for BPX.CAHFS.CHANGE.FILE.MODE, which fails, but no subsequent call for the more specific permissions.
The security checks are done in the IBMFAC class. The first check is for the general file mode resource, BPX.CAHFS.CHANGE.FILE.MODE. If the user has permission to BPX.CAHFS.CHANGE.FILE.MODE, the code falls through and issues a more specific security check depending on the command that was entered.
The other security checks can be for the following:
BPX.CAHFS.CHANGE.FILE.MODE.STICKY
BPX.CAHFS.CHANGE.FILE.MODE.EUID
BPX.CAHFS.CHANGE.FILE.MODE.EGID
If a user has permission to BPX.CAHFS.CHANGE.FILE.MODE, they would also have permission to any longer resource beginning with BPX.CAHFS.CHANGE.FILE.MODE, such as the three resources above (STICKY, EUID and EGID). Since the IBMFAC class is maskable at your site, in order to distinguish these permissions you need to code the least restrictive permit in quotes. This forces the TSS algorithm not to match on BPX.CAHFS.CHANGE.FILE.MODE when checking for the more restrictive permissions:
TSS ADD(DEPT) IBMFAC(BPX.CAHFS)
TSS PERMIT(USERA) IBMFAC('BPX.CAHFS.CHANGE.FILE.MODE') ACC(ALL)   (in quotes)
TSS PERMIT(USERA) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE.STICKY) ACC(NONE)
If the request comes in for BPX.CAHFS.CHANGE.FILE.MODE.STICKY, the first check issued is for BPX.CAHFS.CHANGE.FILE.MODE, which succeeds because the user has 'BPX.CAHFS.CHANGE.FILE.MODE' (in quotes). The next check is for BPX.CAHFS.CHANGE.FILE.MODE.STICKY. Because the first permission is in quotes, the security algorithm does not match 'BPX.CAHFS.CHANGE.FILE.MODE' against the longer name and falls through to the next permission, BPX.CAHFS.CHANGE.FILE.MODE.STICKY. Since the access level for BPX.CAHFS.CHANGE.FILE.MODE.STICKY is NONE, the request fails. Placing quotes around the resource forces TSS to match exactly on the permission instead of using it as a prefix.
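The following Python model is an added example, not CA Top Secret's own matching code, and it simulates the two-stage check and the prefix-versus-exact matching described above so the two permit setups can be compared side by side. Its assumptions: permits are evaluated in the order listed, an unquoted permit matches any resource name that starts with it, a quoted permit matches only the identical name, ACC(ALL) grants and ACC(NONE) denies, and a request with no matching permit is treated as no access. The Permit class, permit lists and function names are constructed for the illustration.

```python
"""Simplified model of the IBMFAC check for BPX.CAHFS.CHANGE.FILE.MODE.

Constructed example, not CA Top Secret code. Assumptions: permits are
checked in the order listed; an unquoted permit is a prefix match; a quoted
permit is an exact match; "ALL" grants and "NONE" denies; no matching
permit means no access.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENERIC = "BPX.CAHFS.CHANGE.FILE.MODE"


@dataclass(frozen=True)
class Permit:
    resource: str   # resource name as coded on TSS PERMIT ... IBMFAC(...)
    access: str     # ACC(...) value: "ALL" or "NONE"
    quoted: bool    # True when the resource name was coded in quotes


def permit_matches(permit: Permit, resource: str) -> bool:
    """Quoted permits match exactly; unquoted permits act as a prefix."""
    if permit.quoted:
        return permit.resource == resource
    return resource.startswith(permit.resource)


def access_for(permits: List[Permit], resource: str) -> Optional[str]:
    """Return the ACC value of the first matching permit, or None if none match."""
    for permit in permits:
        if permit_matches(permit, resource):
            return permit.access
    return None


def change_file_mode_check(permits: List[Permit], specific: str) -> Tuple[bool, str]:
    """Two-stage check: the generic resource first, then the specific one.

    Returns (allowed, resource_name_that_decided_the_outcome).
    """
    if access_for(permits, GENERIC) != "ALL":
        return False, GENERIC          # first check fails, no second call
    if access_for(permits, specific) != "ALL":
        return False, specific         # fell through, specific check fails
    return True, specific


# The two permits from the article, first with the generic one unquoted ...
UNQUOTED = [
    Permit(GENERIC, "ALL", quoted=False),
    Permit(GENERIC + ".STICKY", "NONE", quoted=False),
]
# ... then with the generic permit in quotes, as the article recommends.
QUOTED = [
    Permit(GENERIC, "ALL", quoted=True),
    Permit(GENERIC + ".STICKY", "NONE", quoted=False),
]

if __name__ == "__main__":
    for label, permits in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        allowed, decided_by = change_file_mode_check(permits, GENERIC + ".STICKY")
        verdict = "allowed" if allowed else "denied"
        print(f"{label:8s} STICKY request -> {verdict} (decided by {decided_by})")
```

With the unquoted permit list the STICKY request is allowed, because the generic permit prefix-matches the longer resource name before the ACC(NONE) permit is ever reached; with the quoted list the generic check still passes, but the STICKY check skips the exact-match permit and lands on the ACC(NONE) entry, which is the behaviour the article describes.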