ACF2 AUDIT privilege impacting user access within USS

Article ID: 216307

Products

ACF2 - z/OS

Issue/Introduction

When accessing UNIX System Services (USS) directories, the user receives the following error:
Errno=6Fx Permission is denied; Reason=EF076015

The ACFRPTOM report shows the following:

       SERVICE      USERID    GROUP        UID         GID    SAF     RC    RSN
         DATE          TIME    JOBNAME   SOURCE   SYSID   CPU   SECLABEL
   ck_access        USER002  EEEESCP       104868           2   8      8      4
   05/28/21  21.148   12.38.57 USER002           SYS5     SYS5
   Failed - User not authorized to access file
    Function: opendir              User Type: Local
    Requested Access: Read
    Name flag:     Use CRED_name_flag to determine pathname
    Pathname: /SYS5/var/zosytest/ttttttt/ssss2/
    Filename: SERVER2
    File Permissions: Owner: rwx Group: r-x Other: r--
    Owning UID:        60545   Owning GID:         143
    Volume  : ALL244  File Identifier:   C1D3D3F2F4F404080000000000010001
    File Audit Options:
    User    : Read Failure  Write Failure  Exec/Search Failure
    Auditor : Read None     Write None     Exec/Search None
    Effective UID:       104868  Effective GID:            2
    File system dataset:    SSRR.ACCC.OMVS.TESTHHH.ZFS

The ACFRPTRV report shows the following:

REQUESTED RESOURCE                               REC  LOOKUP KEY
 UID                      SOURCE   CPU  MODULE   DISP     DSP-MOD  KEY-MOD  SERV
     DATE     TIME     JNAME    LID      NAME                 PRE RMC INT PST FI
 MLS     USER-SECLABEL RSRC-SECLABEL MODE   SRC     RRC      RSN
 
 RFSA- SSRR.ACCC.OMVS.TESTHHH.ZFS               *VIO  RFSA-WSZT
  Z Z01SCP     TSUSER002  44200047 SYS5 ACF9CFAT NO-RULE     -     DIRECTRY UPDT
 21.148 05/28 12.38    USER002  USER002  David Smith            0   0  20   0  1
 SAF RESOURCE CLASS FSACCESS
 
 RESOURCE NAME:  SSRR.ACCC.OMVS.TESTHHH.ZFS

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

If native UNIX permission bits are used to protect USS HFS/zFS files and the SAF resource class FSACCESS check is also validated, the AUDIT privilege is required in ACF2 to access the USS directories.
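As an added triage example (not from the article or from Broadcom), the following Python reads the ACFRPTOM and ACFRPTRV fields shown above and separates a denial caused by the native permission bits from one caused by the FSACCESS class check. The report excerpts are constructed from the samples above, and the function names are assumptions.

```python
import re

# Constructed excerpt of the article's ACFRPTOM detail lines (sample data, not a live report).
ACFRPTOM_SAMPLE = """\
 Function: opendir              User Type: Local
 Requested Access: Read
 File Permissions: Owner: rwx Group: r-x Other: r--
 Owning UID:        60545   Owning GID:         143
 Effective UID:       104868  Effective GID:            2
"""

# Constructed excerpt of the article's ACFRPTRV record: FSACCESS class check, no rule found.
ACFRPTRV_SAMPLE = """\
 RFSA- SSRR.ACCC.OMVS.TESTHHH.ZFS               *VIO  RFSA-WSZT
  Z Z01SCP     TSUSER002  44200047 SYS5 ACF9CFAT NO-RULE     -     DIRECTRY UPDT
 SAF RESOURCE CLASS FSACCESS
"""

def parse_acfrptom(text):
    """Extract the fields that drive a native permission-bit decision."""
    mode = re.search(r"Owner: (\S+) Group: (\S+) Other: (\S+)", text)
    own = re.search(r"Owning UID:\s+(\d+)\s+Owning GID:\s+(\d+)", text)
    eff = re.search(r"Effective UID:\s+(\d+)\s+Effective GID:\s+(\d+)", text)
    req = re.search(r"Requested Access: (\w+)", text)
    return {"owner": mode[1], "group": mode[2], "other": mode[3],
            "owning_uid": int(own[1]), "owning_gid": int(own[2]), "eff_uid": int(eff[1]),
            "eff_gid": int(eff[2]), "requested": req[1].lower()}

def permission_bits_allow(rec):
    """Apply the POSIX owner/group/other selection (supplementary groups and UID 0 ignored here)."""
    if rec["eff_uid"] == rec["owning_uid"]:
        bits = rec["owner"]
    elif rec["eff_gid"] == rec["owning_gid"]:
        bits = rec["group"]
    else:
        bits = rec["other"]
    want = {"read": "r", "write": "w", "exec": "x", "search": "x"}[rec["requested"]]  # dir search -> x
    return want in bits

def fsaccess_no_rule(rv_text):
    """True when ACFRPTRV shows the FSACCESS class check ended in NO-RULE."""
    return "SAF RESOURCE CLASS FSACCESS" in rv_text and "NO-RULE" in rv_text

def triage(om_text, rv_text):
    rec = parse_acfrptom(om_text)
    if not permission_bits_allow(rec):
        return "denied by UNIX permission bits"
    if fsaccess_no_rule(rv_text):
        return "bits allow access; denied by FSACCESS check (AUDIT privilege required)"
    return "bits allow access; denial not from FSACCESS"
```

For the article's records the permission bits grant Read to "other" (r--), so the denial is attributed to the FSACCESS check rather than to the file mode.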

The IBM z/OS Security Server RACF Security Administrator's Guide explains that AUDIT allows a user access to the file system for FSACCESS processing during a ck_access request:

Note: The RACF equivalent of AUDIT is AUDITOR.