How can the IBM-provided Unix System Services (USS) utility zfsadm be secured to prevent users from changing the status of file systems? For example: we want to quiesce and unquiesce file systems.


Article ID: 53034


Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

How can the IBM-provided Unix System Services (USS) utility zfsadm be secured to prevent users from changing the status of file systems? For example: we want to quiesce and unquiesce file systems.

 

Environment

Release:
Component: ACF2MS

Resolution

The IBM Unix System Services (USS) zfsadm utility can be secured with ACF2 external security based on the type of zfsadm command that is issued. Most zfsadm commands are administrative-level commands used by system administrators to manage (display and change) file systems and aggregates.

"zfsadm" commands that query information (for example, lsfs, aggrinfo) can be issued by any user who has READ authority to the data set that contains the IOEFSPRM file, which is used to specify zFS configuration options. The IOEFSPRM file is normally a PDS member that is specified by the IOEZPRM DD statement in the ZFS PROC. This file can be secured by an ACF2 dataset access rule.

"zfsadm" commands that modify (for example, setquota, create, quiesce, unquiesce) additionally require that the issuer have one of the following:

- UID of 0
  Note: If you are permitted READ to the BPX.SUPERUSER resource in the FACILITY resource class, you can become UID 0 by issuing the su command.

- READ authority to the SUPERUSER.FILESYS.PFSCTL resource in the z/OS UNIXPRIV resource class.

So if you do not want to give the user UID 0, or access to BPX.SUPERUSER that would allow the user to switch to superuser, you can instead give the user access to the SUPERUSER.FILESYS.PFSCTL resource in the UNIXPRIV resource class. For example:

$KEY(SUPERUSER) TYPE(UNI)
FILESYS.PFSCTL UID(usera) SERVICE(READ) ALLOW
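The two checks described above can be applied to a list of users to see who is able to quiesce or unquiesce file systems and by which route. This is an added example, not Broadcom or IBM code; the User record, the function names and the sample entitlements are hypothetical and constructed, and subcommands the article does not list are assumed to be modifying.

```python
from dataclasses import dataclass, field

# Query subcommands the article names; everything else is treated as
# modifying (assumption: fail closed for subcommands the article does not list).
QUERY = {"lsfs", "aggrinfo"}

PFSCTL = ("UNIXPRIV", "SUPERUSER.FILESYS.PFSCTL")
BPX_SU = ("FACILITY", "BPX.SUPERUSER")

@dataclass
class User:                      # hypothetical record, e.g. built from security reports
    name: str
    uid: int
    ioefsprm_read: bool = False  # READ to the data set containing IOEFSPRM
    read_on: set = field(default_factory=set)  # (class, resource) pairs with READ

def modify_routes(user):
    """Routes by which the user meets the extra requirement for modifying commands."""
    routes = []
    if user.uid == 0:
        routes.append("UID 0")
    if BPX_SU in user.read_on:
        routes.append("su via BPX.SUPERUSER")
    if PFSCTL in user.read_on:
        routes.append("SUPERUSER.FILESYS.PFSCTL")
    return routes

def may_issue(user, subcommand):
    """Apply the article's two checks to one user and one zfsadm subcommand."""
    if not user.ioefsprm_read:
        return False
    if subcommand in QUERY:
        return True
    return bool(modify_routes(user))

def audit(users):
    """Map each user who can quiesce/unquiesce to their routes; flag superuser routes."""
    report = {}
    for u in users:
        if may_issue(u, "quiesce"):
            routes = modify_routes(u)
            broad = any(r != "SUPERUSER.FILESYS.PFSCTL" for r in routes)
            report[u.name] = {"routes": routes, "superuser_route": broad}
    return report

# Constructed sample entitlements, not taken from any real system.
USERS = [
    User("usera", 1001, True, {PFSCTL}),
    User("userb", 1002, True, {BPX_SU}),
    User("userc", 1003, True),
    User("root0", 0, True),
]
```

Users reported with superuser_route set hold UID 0 or can reach it through su, which is the access the SUPERUSER.FILESYS.PFSCTL rule lets you avoid granting.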

 

 

Additional Information

Details on the BPX.SUPERUSER resource and the UNIXPRIV resource class can be found in the CA-ACF2 Security for z/OS Administrator Guide in Chapter 21: z/OS UNIX System Services Support.