Access to UNIX System Services (USS) directories fails with the following error:
Errno=6Fx Permission is denied; Reason=EF076015
The ACFRPTOM report shows the following:
SERVICE USERID GROUP UID GID SAF RC RSN
DATE TIME JOBNAME SOURCE SYSID CPU SECLABEL
ck_access USER002 EEEESCP 104868 2 8 8 4
05/28/21 21.148 12.38.57 USER002 SYS5 SYS5
Failed - User not authorized to access file
Function: opendir User Type: Local
Requested Access: Read
Name flag: Use CRED_name_flag to determine pathname
Pathname: /SYS5/var/zosytest/ttttttt/ssss2/
Filename: SERVER2
File Permissions: Owner: rwx Group: r-x Other: r--
Owning UID: 60545 Owning GID: 143
Volume : ALL244 File Identifier: C1D3D3F2F4F404080000000000010001
File Audit Options:
User : Read Failure Write Failure Exec/Search Failure
Auditor : Read None Write None Exec/Search None
Effective UID: 104868 Effective GID: 2
File system dataset: SSRR.ACCC.OMVS.TESTHHH.ZFS
The ACFRPTRV report shows the following:
REQUESTED RESOURCE REC LOOKUP KEY
UID SOURCE CPU MODULE DISP DSP-MOD KEY-MOD SERV
DATE TIME JNAME LID NAME PRE RMC INT PST FI
MLS USER-SECLABEL RSRC-SECLABEL MODE SRC RRC RSN
RFSA- SSRR.ACCC.OMVS.TESTHHH.ZFS *VIO RFSA-WSZT
Z Z01SCP TSUSER002 44200047 SYS5 ACF9CFAT NO-RULE - DIRECTRY UPDT
21.148 05/28 12.38 USER002 USER002 FIRST LAST 0 0 20 0 1
SAF RESOURCE CLASS FSACCESS
RESOURCE NAME: SSRR.ACCC.OMVS.TESTHHH.ZFS
Release : 16.0
Component : CA ACF2 for z/OS
If native UNIX permission bits are used to protect USS HFS/zFS files and the SAF resource class FSACCESS is also validated, the AUDIT privilege is required in ACF2 to access the USS directories.
The IBM documentation z/OS Security Server RACF Security Administrator's Guide explains that AUDIT allows a user access to the file system for FSACCESS processing during a ck_access request:
Note: The RACF equivalent of AUDIT is AUDITOR.
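As an added triage example (not part of the original article or of any CA ACF2 tooling), the Python below evaluates the permission bits from the ACFRPTOM record against the effective UID/GID and then reads the ACFRPTRV record, showing that the bits alone would grant Read through the Other class and that the denial comes from the FSACCESS check. The function names, the inline sample text (constructed from lines of the two records above) and the reading of NO-RULE as a denial are assumptions; ACLs, superuser handling and supplemental groups, which the report does not list, are not modelled.

```python
import re

# Constructed sample: lines copied from the ACFRPTOM and ACFRPTRV records above.
ACFRPTOM = """\
Requested Access: Read
File Permissions: Owner: rwx Group: r-x Other: r--
Owning UID: 60545 Owning GID: 143
Effective UID: 104868 Effective GID: 2
"""
ACFRPTRV = """\
Z Z01SCP TSUSER002 44200047 SYS5 ACF9CFAT NO-RULE - DIRECTRY UPDT
SAF RESOURCE CLASS FSACCESS
RESOURCE NAME: SSRR.ACCC.OMVS.TESTHHH.ZFS
"""

def parse_om(text):
    """Extract the fields needed for a permission-bit check from an ACFRPTOM record."""
    perms = re.search(r"Owner: (\S{3}) Group: (\S{3}) Other: (\S{3})", text)
    ids = {k: int(v) for k, v in re.findall(
        r"(Owning UID|Owning GID|Effective UID|Effective GID): (\d+)", text)}
    access = re.search(r"Requested Access: (\w+)", text).group(1)
    return {"perms": perms.groups(), "ids": ids, "access": access}

def bits_allow(rec, supplemental_gids=()):
    """Return (class_used, allowed) under standard owner/group/other evaluation."""
    owner, group, other = rec["perms"]
    ids = rec["ids"]
    flag = {"Read": "r", "Write": "w", "Exec": "x"}[rec["access"]]
    if ids["Effective UID"] == ids["Owning UID"]:
        return "owner", flag in owner
    if ids["Owning GID"] in (ids["Effective GID"], *supplemental_gids):
        return "group", flag in group
    return "other", flag in other

def triage(om_text, rv_text):
    """Name the layer that most likely produced the denial (assumed heuristic)."""
    cls, ok = bits_allow(parse_om(om_text))
    if not ok:
        return f"permission bits ({cls} class)"
    res_class = re.search(r"SAF RESOURCE CLASS (\S+)", rv_text)
    if res_class and "NO-RULE" in rv_text:
        return f"{res_class.group(1)} resource check (NO-RULE)"
    return "undetermined"

if __name__ == "__main__":
    print(triage(ACFRPTOM, ACFRPTRV))
```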