Using UNIXPRIV class profiles

You can define profiles in the UNIXPRIV class to grant RACF® authorization for certain z/OS UNIX privileges. By defining profiles in the UNIXPRIV class, you can specifically grant certain superuser privileges with a high degree of granularity to users who do not have superuser authority. This allows you to minimize the number of assignments of superuser authority at your installation and reduces your security risk.

Resource names in the UNIXPRIV class are associated with z/OS UNIX privileges. You must define profiles in the UNIXPRIV class protecting these resources in order to use RACF authorization to grant z/OS UNIX privileges. The UNIXPRIV class must be active and SETROPTS RACLIST must be in effect for the UNIXPRIV class. Global access checking is not used for authorization checking to UNIXPRIV resources.

Table 1 shows each resource name available in the UNIXPRIV class, the z/OS UNIX privilege associated with each resource, and the level of access required to grant the privilege.

Table 1. Resource names in the UNIXPRIV class for z/OS UNIX privileges
Resource name	z/OS UNIX privilege	Minimum access required
CHOWN.UNRESTRICTED¹	Allows users to use the chown command to transfer ownership of their own files.	None required
FILE.GROUPOWNER.SETGID	Specifies that a directory's set-gid bit is used to determine the group owner of any new objects created within the directory.	None required
RESTRICTED.FILESYS.ACCESS	Specifies that RESTRICTED users cannot gain file access by virtue of the 'other ' permission bits.	None required
RESTRICTED.FILESYS.ACCESS	Can be overridden for a specific user/group.	READ
SHARED.IDS	Allows users to assign UID and GID values that are not unique.	READ
SUPERUSER.FILESYS.ACLOVERRIDE	Specifies that ACL contents override the access that was granted by SUPERUSER.FILESYS.	None required
SUPERUSER.FILESYS.ACLOVERRIDE	Can be overridden for specific users or groups. The user or group must have the same access that would be required to SUPERUSER.FILESYS while accessing the file.	See note.
SUPERUSER.FILESYS²	Allows user to read any local file, and to read or search any local directory.	READ
	Allows user to write to any local file, and includes privileges of READ access.	UPDATE
	Allows user to write to any local directory, and includes privileges of UPDATE access.	CONTROL (or higher)
SUPERUSER.FILESYS.CHANGEPERMS	Allows users to use the chmod command to change the permission bits of any file and to use the setfacl command to manage access control lists for any file.	READ
SUPERUSER.FILESYS.CHOWN	Allows user to use the chown command to change ownership of any file.	READ
SUPERUSER.FILESYS.MOUNT	Allows user to issue the TSO/E MOUNT command or the mount shell command with the nosetuid option. Also allows users to unmount a file system with the TSO/E UNMOUNT command or the unmount shell command mounted with the nosetuid option. Users permitted to this profile can use the chmount shell command to change the mount attributes of a specified file system.	READ
SUPERUSER.FILESYS.MOUNT	Allows user to issue the TSO/E MOUNT command or the mount shell command with the setuid option. Also allows user to issue the TSO/E UNMOUNT command or the unmount shell command with the setuid option. Users permitted to this profile can issue the chmount shell command on a file system that is mounted with the setuid option.	UPDATE
SUPERUSER.FILESYS.QUIESCE	Allows user to issue quiesce and unquiesce commands for a file system mounted with the nosetuid option.	READ
SUPERUSER.FILESYS.QUIESCE	Allows user to issue quiesce and unquiesce commands for a file system mounted with the setuid option.	UPDATE
SUPERUSER.FILESYS.PFSCTL	Allows user to use the pfsctl() callable service.	READ
SUPERUSER.FILESYS.USERMOUNT	Allows nonprivileged users to mount and unmount file systems with the nosetuid option.	READ
SUPERUSER.FILESYS.VREGISTER³	Allows a server to use the vreg() callable service to register as a VFS file server.	READ
SUPERUSER.IPC.RMID	Allows user to issue the ipcrm command to release IPC resources.	READ
SUPERUSER.PROCESS.GETPSENT	Allows user to use the w_getpsent() callable service to receive data for any process. Allows users of the ps command to output information about all processes. This is the default behavior of ps on most UNIX platforms.	READ
SUPERUSER.PROCESS.KILL	Allows user to use the kill() callable service to send signals to any process.	READ
SUPERUSER.PROCESS.PTRACE⁴	Allows user to use the ptrace() callable service through the dbx debugger to trace any process.	READ
SUPERUSER.SETPRIORITY	Allows user to increase own priority.	READ
SUPERUSER.SHMMCV.LIMITS	Allows the user to create up to 4,194,304 mutexes or condition variables to be associated with a single shared memory segment. The overall system total of mutexes and condition variables for authorized users must be less than 134,217,729. When authorized applications create the maximum number of mutexes and condition variables, the system requires significantly more auxiliary storage to be available. System dumps that include the OMVS address space also require larger dump data sets to contain the increased size of that address space. It is unlikely that applications will create the maximum number of structures allowed. If the maximum number is created, the increase in auxiliary storage and dump data set size is roughly 350 gigabytes.	READ
Note: See Steps for setting up the CHOWN.UNRESTRICTED profile. Authorization to the SUPERUSER.FILESYS resource provides privileges to access only local files. No authorization to access Network File System (NFS) files is provided by access to this resource. The SUPERUSER.FILESYS.VREGISTER resource only lets a server such as NFS initialize. Users who are connected as clients through facilities such as NFS do not get special privileges based on this resource or other resources in the UNIXPRIV class. Authorization to the BPX.DEBUG resource is also required to trace processes that run with APF authority or BPX.SERVER authority.

Tip: If you are debugging a daemon, use the SUPERUSER.PROCESS.GETPSENT, SUPERUSER.PROCESS.KILL, and SUPERUSER.PROCESS.PTRACE privileges.