Restrict execute access in a zFS or TFS file system with ACF2
Article ID: 15503
Updated On: 08-12-2024
Products
Issue/Introduction
z/OS 2.2 added support for FSEXEC calls. Execution of any file in a z/OSĀ® File System (zFS) or Temporary File System (TFS) is enabled by the definition of a general resource profile in the FSEXEC class. External security commands can restrict z/OS UNIX access to the specified file system for most users while allowing selected users and groups to remain eligible for execute access.
Environment
z/OS 2.2 and above
Resolution
When a file system is protected by an FSEXEC profile with UACC(NONE), only users and groups with UPDATE access authority or higher are eligible for execute file access. Eligible users are then subject to the usual authorization checking, which includes checking for superuser authority, ownership, permission bits, access control lists (ACLs), and UNIXPRIV authorities.
FSEXEC class support is added to ACF2 by ptfs RO91933 (R15.0) / RO91913 (R16.0). These PTFs add a mixed case CLASMAP record of length 44 with a default type code FSE.
The FSEXEC RACROUTE call is REQUEST=FASTAUTH which requires the type code to be in a resident directory. For example, to ADD a type code to INFODIR:
TSO ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RFSE) ADD
F ACF2,REFRESH(INFODIR)
RULES: If the zFS is called OMVS.ZFS.files.ADMIN. A sample rule would look like this:
$KEY(OMVS) TYPE(FSE)ZFS.files.ADMIN UID(uid string that needs access) SERVICE(UPDATE) ALLOW
After any FSEXEC rules are added or changed, a REBUILD is required:
F ACF2,REBUILD(FSE)
Feedback
