Will an ACF2 resource rule in the FACILITY class allowing all access allow the CHOWN.UNRESTRICTED call to work?

Article ID: 143234

Products: CA ACF2, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

CHOWN.UNRESTRICTED - Allows all z/OS UNIX users to transfer ownership of files they own to any UID or GID on the system. No access list is needed; the existence of the profile enables the function. Therefore the resource has not been defined.

The ACF2 system has a masked FACILITY resource rule that allows all access:

 $KEY(****************************************) TYPE(FAC)
  UID(*) SERVICE(READ,ADD,DELETE,UPDATE) LOG

Will that let all UNIX users transfer ownership under the CHOWN.UNRESTRICTED profile?

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

The ACF2 manual documents the use of this profile here:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/control-access-to-the-hierarchical-file-system-hfs.html

ACF2 switches the call to the UNIXPRIV class. The manual has this note:

     For POSIX CHOWN UNRESTRICTED to be active, the CHOWN.UNRESTRICTED rule must exist in the UNIXPRIV class, and the UNIXPRIV class must be defined in the INFODIR record.

So check for a rule in the UNIXPRIV class rather than in FACILITY. The default CLASMAP record maps UNIXPRIV to resource type UNI. If there is no rule there, the profile is not active, and the masked FACILITY rule has no effect on it.
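The checks described above as a TSO ACF command session, added here as an illustration rather than taken from the article or the ACF2 manual; lines beginning with * are annotations, the exact rule text for enabling the profile is an assumed form based on the manual's UNIXPRIV examples, and the REBUILD line is an operator console command rather than an ACF subcommand.

```tso
* Start the ACF command processor and confirm which resource type
* the UNIXPRIV class maps to (the default CLASMAP maps it to UNI)
ACF
SHOW CLASMAP

* Confirm that a resident directory for type UNI is defined in the
* GSO INFODIR record; without it the UNIXPRIV rule is never consulted
SET CONTROL(GSO)
LIST INFODIR

* Look for a rule with key CHOWN in resource type UNI.
* The masked TYPE(FAC) rule is irrelevant here: this call is routed to UNIXPRIV.
SET RESOURCE(UNI)
LIST CHOWN

* If nothing is listed, POSIX CHOWN UNRESTRICTED is not active.
* Assumed form of the rule that would enable it (compile and store it only
* if unrestricted ownership transfer is actually wanted for all UNIX users):
*   $KEY(CHOWN) TYPE(UNI)
*   UNRESTRICTED UID(*) ALLOW
* Then refresh the resident directory from the operator console:
*   F ACF2,REBUILD(UNI)
```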